[6182] in bugtraq


Re: KSR[T] Advisory #7: filter

daemon@ATHENA.MIT.EDU (hurtta+zz@OZONE.FMI.FI)
Thu Feb 26 14:05:49 1998

Date: 	Tue, 24 Feb 1998 09:14:08 +0200
Reply-To: hurtta+elm@ozone.FMI.FI
From: hurtta+zz@OZONE.FMI.FI
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.95.980129052902.1111B-100000@ogbanje.dec.net> from
              "KSR[T]" at "Jan 29, 98 05:29:22 am"

KSR[T]:
> Affected Program:    filter ( part of the elm-2.4 package )
<...>
> Notes:               This was not a full audit on the elm2.4 package, or
>                      filter for that matter.  At a glance, there appear
>                      to be numerous security problems.
>
>                      The filter included in elm-2.4ME+37 also appears to
>                      be vulnerable to the "save_embedded_address()" attack,
>                      but not to the "get_filter_rules()" attack.
>
>                      Filter will not be a part of elm 2.5, and is
>                      not supported in any way at this time.  It is the
>                      Elm group's recommendation that filter not be used.
>
> Patch/Fix:
>
> -*- Begin elm 2.4 filter patch -*-
>
> diff -u filter/filter.c filter.new/filter.c
> --- filter/filter.c     Tue Feb  4 09:13:02 1997
> +++ filter.new/filter.c Tue Feb  4 09:17:38 1997
> @@ -429,7 +429,7 @@
>         **/
>
>         static int processed_a_reply_to = 0;
> -       char address[LONG_STRING];
> +       char address[MAX_LINE_LEN + 1];
>         register int i, j = 0;
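Review bot: enlarging `address` from LONG_STRING to MAX_LINE_LEN + 1 does not remove the overflow in save_embedded_address(), it moves it. The same function later does strcpy(from, address), and `from` is still declared as from[LONG_STRING], so an embedded address longer than LONG_STRING that previously overran `address` now overruns `from` instead. Either bound that copy (strfcpy(from, address, sizeof from), as elm 2.4ME+ already does) or, better, bound the extraction loop that fills `address` so neither buffer can be overrun regardless of header length.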

Enlarging address just means that there is then an overflow in

        strcpy(from,address);

(
char to[VERY_LONG_STRING],
     from[LONG_STRING],
     subject[LONG_STRING],              /* from current message     */
     sender[LONG_STRING];               /* from current message     */
)

Better fix the loop in save_embedded_address (*).
(This overflow is not necessarily exploitable.)

(In ME+ that strcpy is strfcpy(from,address,sizeof from) and therefore
 bounds checked.)

/ Kari Hurtta

(*) Look ME+ PL39 patch (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz,
    ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)
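The point of the reply above is that a bigger `address` buffer only relocates the overflow into `from`, and that the real fix is to bound the extraction loop and the copy. The following C is an added example written for this page; it is not elm's filter code (the actual save_embedded_address() loop is not shown here) and LONG_STRING is given an assumed value. It models the unbounded pattern the advisory describes, shows which inputs would still overflow the KSR[T]-patched version, and gives a hardened extraction whose loop and copy are both bounded, in the spirit of the strfcpy(from, address, sizeof from) used by elm 2.4ME+.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LONG_STRING 256   /* assumed value for this example; elm's real constant is not on this page */

/* Bounded copy with the semantics the reply attributes to elm 2.4ME+'s
   strfcpy(dst, src, sizeof dst): copy at most size-1 bytes, always NUL-terminate.
   This is an illustrative reimplementation, not elm's own strfcpy. */
char *bounded_copy(char *dst, const char *src, size_t size)
{
    size_t n;
    if (size == 0)
        return dst;
    n = strlen(src);
    if (n >= size)
        n = size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

/* Number of bytes an unbounded "copy what is between '<' and '>'" loop
   (the modelled vulnerable behaviour, not elm's exact code) would write into
   address[] for this header field. No brackets: the whole field is taken. */
size_t embedded_address_len(const char *field)
{
    const char *lt = strchr(field, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    if (lt && gt && gt > lt)
        return (size_t)(gt - lt - 1);
    return strlen(field);
}

/* With the KSR[T] patch applied (address[] enlarged, from[LONG_STRING] unchanged),
   strcpy(from, address) still overflows whenever the extracted address needs
   LONG_STRING bytes or more. Returns 1 when this field would still overflow. */
int patched_still_overflows(const char *field)
{
    return embedded_address_len(field) >= LONG_STRING;
}

/* Hardened extraction: the loop checks the remaining room in address[] on
   every iteration and the final copy into the caller's from[] is bounded, so
   no header length can overrun either buffer.
   Returns 0 on success, -1 if the address had to be truncated (a caller may
   prefer to reject such a message rather than filter on a truncated address). */
int save_embedded_address_safe(const char *field, char *from, size_t from_size)
{
    char address[LONG_STRING];
    const char *p = field;
    const char *lt = strchr(field, '<');
    size_t j = 0;
    int truncated = 0;

    if (lt)
        p = lt + 1;                      /* start after '<' when present */
    for (; *p != '\0' && *p != '>'; p++) {
        if (j >= sizeof address - 1) {   /* leave room for the terminator */
            truncated = 1;
            break;
        }
        address[j++] = *p;
    }
    address[j] = '\0';

    if (strlen(address) >= from_size)    /* would not fit in the caller's buffer */
        truncated = 1;
    bounded_copy(from, address, from_size);
    return truncated ? -1 : 0;
}

/* Constructed sample header field (not taken from any real message). */
const char SAMPLE_FIELD[] = "From: Kari Hurtta <hurtta@ozone.fmi.fi>";

int main(void)
{
    char from[LONG_STRING];
    int rc = save_embedded_address_safe(SAMPLE_FIELD, from, sizeof from);
    printf("rc=%d from=\"%s\" patched_overflow=%d\n",
           rc, from, patched_still_overflows(SAMPLE_FIELD));
    return 0;
}
```

The two checks a practitioner wants are visible in the return values: patched_still_overflows() is 1 for any bracketed address of LONG_STRING bytes or more, which is exactly the case the enlarged address[] was supposed to fix, while save_embedded_address_safe() returns -1 and a NUL-terminated, length-limited from[] for the same input instead of writing past either buffer.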
