[20877] in bugtraq


Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)

daemon@ATHENA.MIT.EDU (Renaud Deraison)
Tue Jun 5 21:14:14 2001

Date: Tue, 5 Jun 2001 22:21:47 +0200
From: Renaud Deraison <deraison@cvs.nessus.org>
To: Roman Drahtmueller <draht@suse.de>
Cc: bugtraq@securityfocus.com, qpopper@qualcomm.com, security@suse.de
Message-ID: <20010605222147.A1754@cvs.nessus.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.LNX.4.33.0106051840040.1114-100000@dent.suse.de>; from draht@suse.de on Tue, Jun 05, 2001 at 06:52:23PM +0200

On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
> > **** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
> > PLEASE UPGRADE IMMEDIATELY ***
> 
> We hope that this information is accurate. Version 4.0.2 is not on the ftp
> server any more, and there is no patch from 4.0.2 to 4.0.3.
> We currently feel handicapped in our efforts to check the code for the
> changes wrt the buffer overflow.

The buffer overflow took place when a too long argument was supplied
to the USER command (and apparently to some other commands too).

Here's the gdb backtrace I did save when I investigated this issue
thanks to Gustavo Viscaino (see
http://www.nessus.com/bugs/nessus/fixed?id=385 if you are curious
about why I'm involved in this)

(note that the command was USER XXXXX[....]XXXXX\r\n)

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
38      ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) bt
#0  strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
#1  0x805078c in pop_user (p=0xbfffca2c) at pop_user.c:198
#2  0x8050e58 in qpopper (argc=1482184792, argv=0x58585858) at
popper.c:321
#3  0x58585858 in ?? ()
Cannot access memory at address 0x58585858

Unfortunately, I did not get a copy of qpopper 4.0.2, so I can't really
show where the exact bug was.



> If the above statement is right, then SuSE distributions are not
> vulnerable. However, we wish to double-check such a claim. All kinds of

I really think it's not vulnerable. Qpopper 3.0.x is immune to this bug too.



				-- Renaud


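Added illustration, not Qpopper's code (the message says the 4.0.2 source was not at hand): a C routine that extracts the USER argument only after checking its length, which is the check an unbounded strcpy() into a fixed stack buffer lacks. The function name and MAX_USER_LEN are assumptions, and the 200-X line is constructed to mirror the input in the backtrace.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Hypothetical limit for a username argument; not a value from Qpopper. */
#define MAX_USER_LEN 64
enum { USER_OK = 0, USER_TOO_LONG = -1, USER_MISSING = -2, USER_NOT_USER = -3 };
/* Copy the argument of a raw "USER <name>\r\n" line into out (outlen bytes).
 * The argument length is measured before any byte is copied, so an
 * over-long name is rejected instead of running past the buffer. */
int parse_user_arg(const char *line, char *out, size_t outlen)
{
    const char *arg, *end;
    size_t i, arglen, limit;

    if (outlen == 0)
        return USER_TOO_LONG;
    /* POP3 keywords are case-insensitive (RFC 1939). */
    for (i = 0; i < 4; i++)
        if (line[i] == '\0' || toupper((unsigned char)line[i]) != "USER"[i])
            return USER_NOT_USER;
    if (line[4] != ' ' && line[4] != '\r' && line[4] != '\n' && line[4] != '\0')
        return USER_NOT_USER;               /* e.g. "USERNAME" is not USER */
    arg = line + 4;
    while (*arg == ' ')
        arg++;
    end = arg;                              /* argument ends at CR, LF or NUL */
    while (*end != '\0' && *end != '\r' && *end != '\n')
        end++;
    arglen = (size_t)(end - arg);
    if (arglen == 0)
        return USER_MISSING;
    limit = outlen - 1 < MAX_USER_LEN ? outlen - 1 : MAX_USER_LEN;
    if (arglen > limit)
        return USER_TOO_LONG;               /* reject rather than overflow */
    memcpy(out, arg, arglen);
    out[arglen] = '\0';
    return USER_OK;
}

int main(void)
{
    char out[MAX_USER_LEN + 1], line[256];
    /* Constructed input mirroring the message: USER followed by 200 X's. */
    memcpy(line, "USER ", 5);
    memset(line + 5, 'X', 200);
    memcpy(line + 205, "\r\n", 3);
    printf("200 X's -> %d\n", parse_user_arg(line, out, sizeof out));   /* -1 */
    return 0;
}
```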