[25292] in bugtraq


QPopper 4.0.4 buffer overflow

daemon@ATHENA.MIT.EDU (Marcell Fodor)
Mon Apr 29 11:35:49 2002

Date: 28 Apr 2002 19:21:14 -0000
Message-ID: <20020428192114.328.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Marcell Fodor <m.fodor@mail.datanet.hu>
To: bugtraq@securityfocus.com



Affected versions: 4.0.3 and 4.0.4, default install.
Servers that do not process the user's configuration file
(~/.qpopper-options) are not affected by this bug.

pop_bull.c
-----------
int
CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE          *bull;
    char           buffer [ MAXMSGLINELEN ];
    BOOL           in_header            = TRUE;
    BOOL           first_line           = TRUE;
    int            nchar; 
    int            msg_num;
    int            msg_vis_num          = 0;
    int            msg_ends_in_nl       = 0;
    char           bullName [ 256 ];
    MsgInfoList   *mp;
.
.
.
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------

The bullName buffer is 256 bytes long, but in the user's
config file you can set bulldir to a value of up to
MAXLINELEN-1-sizeof("set bulldir="), i.e. 1010 bytes, and the
unbounded sprintf() above then writes the "%s/%s" path past
the end of bullName on the stack.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------
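The overflow condition in CopyOneBull() and a bounded replacement for its sprintf() call, as an added example that is not part of the advisory or of the qpopper source. It assumes MAXLINELEN is 1024 (which is what the advisory's figure of 1010 = MAXLINELEN-1-sizeof("set bulldir=") implies); the bulletin name "1234.bull", the path /var/spool/bulls and all helper names are made up for the example.

```c
/*
 * Added example (not qpopper code): the unbounded sprintf() pattern from
 * CopyOneBull() next to a bounded replacement that refuses a bulletin path
 * that would not fit in the 256-byte bullName[] buffer.
 */
#include <stdio.h>
#include <string.h>

#define BULLNAME_LEN 256     /* sizeof bullName[] in CopyOneBull() */
#define MAXLINELEN   1024    /* assumed: implied by the advisory's 1010-byte figure */
#define BULLDIR_KEY  "set bulldir="

/* Longest bulldir value one option line can carry, computed as the
 * advisory does: MAXLINELEN - 1 - sizeof("set bulldir=") = 1010. */
size_t max_bulldir_len(void)
{
    return MAXLINELEN - 1 - sizeof(BULLDIR_KEY);
}

/* Bytes that sprintf(bullName, "%s/%s", bulldir, name) writes, NUL included. */
size_t bull_path_needed(const char *bulldir, const char *name)
{
    return strlen(bulldir) + 1 + strlen(name) + 1;
}

/* The vulnerable condition: 1 iff the unchecked sprintf() would run past the
 * end of a BULLNAME_LEN-byte stack buffer. The write itself is not performed,
 * so this is safe to call with oversized input. */
int vulnerable_sprintf_overflows(const char *bulldir, const char *name)
{
    return bull_path_needed(bulldir, name) > BULLNAME_LEN;
}

/* Hardened form: snprintf() plus a check of its return value, which is the
 * length the full string would have had. Returns 0 on success, -1 when the
 * path would have been truncated; dst is emptied in that case so a caller
 * cannot open a partial path by mistake. */
int build_bull_path(char *dst, size_t dstsz, const char *bulldir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Parse a "set bulldir=VALUE" line from ~/.qpopper-options into out with a
 * bounded copy. Returns 0 on success, -1 if the line is not a bulldir option
 * or the value does not fit in out. */
int parse_bulldir_line(const char *line, char *out, size_t outsz)
{
    size_t klen = sizeof(BULLDIR_KEY) - 1;
    const char *val;
    size_t vlen;

    if (strncmp(line, BULLDIR_KEY, klen) != 0)
        return -1;
    val = line + klen;
    vlen = strcspn(val, "\r\n");
    if (vlen + 1 > outsz)
        return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

static char last_path[BULLNAME_LEN];   /* bullName built by the last check */

/* End to end: parse one option line, then build the path for bulletin `name`
 * into a BULLNAME_LEN buffer the way CopyOneBull() does, but bounded.
 * Returns 0 if built, -1 if rejected as too long, -2 if not a bulldir line. */
int check_option_line(const char *line, const char *name)
{
    char bulldir[MAXLINELEN];
    if (parse_bulldir_line(line, bulldir, sizeof bulldir) != 0)
        return -2;
    return build_bull_path(last_path, sizeof last_path, bulldir, name);
}

const char *last_bull_path(void)
{
    return last_path;
}

/* Constructed attacker input: "set bulldir=" followed by max_bulldir_len()
 * 'A's, i.e. the advisory's ~/.qpopper-options line at its maximum length. */
const char *attacker_option_line(void)
{
    static char line[MAXLINELEN];
    size_t klen = sizeof(BULLDIR_KEY) - 1;
    memcpy(line, BULLDIR_KEY, klen);
    memset(line + klen, 'A', max_bulldir_len());
    line[klen + max_bulldir_len()] = '\0';
    return line;
}

int main(void)
{
    const char *evil = attacker_option_line();
    printf("max bulldir length: %zu\n", max_bulldir_len());
    printf("unchecked sprintf() overflows bullName: %s\n",
           vulnerable_sprintf_overflows(evil + sizeof(BULLDIR_KEY) - 1, "1234.bull") ? "yes" : "no");
    printf("bounded build of attacker path: %d\n", check_option_line(evil, "1234.bull"));
    printf("bounded build of benign path:   %d (%s)\n",
           check_option_line("set bulldir=/var/spool/bulls\n", "1234.bull"), last_bull_path());
    return 0;
}
```

The point of build_bull_path() is the check on snprintf()'s return value: snprintf() never writes past dstsz, but it reports how long the full string would have been, so n >= dstsz means the path was silently cut short and must be rejected rather than passed on to fopen(). A 1010-byte bulldir needs 1021 bytes for "bulldir/name" plus the NUL, roughly four times the 256-byte bullName, which is why the unchecked sprintf() smashes the stack.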

more info: http://mantra.freeweb.hu

Regards,

Marcell Fodor

