[7494] in bugtraq
Re: One of the Outlook overflows
daemon@ATHENA.MIT.EDU (Phillip R. Jaenke)
Thu Jul 30 15:49:31 1998
Date: Wed, 29 Jul 1998 23:26:22 -0400
Reply-To: "Phillip R. Jaenke" <prj@NLS.NET>
From: "Phillip R. Jaenke" <prj@NLS.NET>
X-To: Ryan Veety <root@RYANSPC.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.00.9807291607570.1973-100000@RyansPC.com>
On Wed, 29 Jul 1998, Ryan Veety wrote:
> There have been a few posts about overflows in MS Outlook, but they have
> not told exactly where in the message the overflow exists. I have found
> one of them, within the description of an attachment. If the filename
> given is very large, it makes Outlook crash. I tried this on Outlook
> v4.72.2106.4 on NT 4.0, and on win95. In both cases it reported an error
> at address 0x41414141 (41 == hex A). Here is the message that caused the
> errors:
Also confirmed to break popclient, presumably fetchpop. They apparently
parse the headers completely when writing to a file (-o option).
Basically, popclient/fetchpop, when outputting, parse ALL headers. No
matter WHERE they are. Example;
From: Bob Dobbs <thealmighty@subgenius.com>
To: popclient luser <luser@pop.luser.com>
Subject: haha.
lalalalaaaa... alalalalaaa
RandomHeader: AAAAAAAAAAAAAAA<etc, etc>
popclient/fetchpop will parse this incorrectly, resulting in an attempt to
delete a message which does not exist. popclient will then segfault. Pine
appears to have no problems with headers in messages tho.
--Phillip R. Jaenke (prj@nls.net - InterNIC: PRJ5)
TheGuyInCharge(tm), Ketyra Designs, Inc.
"That's IT! I'm gonna slap Dr.Watson with a malpractice suit!!" --Keihra
ObBob! KHpB lWulH EO m23 C(PEW) B-18 OlO LM(p) ScjnM T++ A9! H8oc b123 D+
! I reserve the right to bill spammers for my time and disk space !
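
Added example, not part of the original post and not popclient or fetchpop source: a header scan that stops at the first blank line, so header-looking text in the body is never parsed, and that flags over-long header lines instead of copying them. The names `hdr_scan`, `scan_headers` and `scan_sample`, and the choice of the RFC 5322 998-character line limit as the bound, are assumptions; the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HEADER_LINE 998 /* RFC 5322 limit per line, excluding CRLF */
struct hdr_scan {
    int headers;     /* header fields seen before the first blank line */
    int oversized;   /* header-section lines longer than MAX_HEADER_LINE */
    size_t body_off; /* offset of the body, or the message length if none */
};

/* Walk the header section only. Stopping at the first empty line means body
 * text that merely looks like "Name: value" is never treated as a header. */
struct hdr_scan scan_headers(const char *msg, size_t len)
{
    struct hdr_scan r = {0, 0, len};
    const char *p = msg, *end = msg + len;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *next = nl ? nl + 1 : end;
        size_t n = (size_t)((nl ? nl : end) - p);
        if (n > 0 && p[n - 1] == '\r') n--; /* ignore the CR of a CRLF */
        if (n == 0) {                 /* blank line: headers are over */
            r.body_off = (size_t)(next - msg);
            break;
        }
        if (n > MAX_HEADER_LINE)
            r.oversized++;            /* flag it; never copy it unbounded */
        else if (*p != ' ' && *p != '\t')
            r.headers++;              /* folded lines are not new fields */
        p = next;
    }
    return r;
}

/* Constructed sample: 2000-byte "RandomHeader:" line in the body or headers. */
struct hdr_scan scan_sample(int in_body)
{
    static char buf[4096];
    size_t n = (size_t)snprintf(buf, sizeof buf,
        "From: a@example.com\r\nTo: b@example.com\r\nSubject: haha.\r\n"
        "%sRandomHeader: ", in_body ? "\r\nlalala\r\n" : "");
    memset(buf + n, 'A', 2000);
    memcpy(buf + n + 2000, "\r\n", 2);
    return scan_headers(buf, n + 2002);
}
int main(void)
{
    struct hdr_scan a = scan_sample(1), b = scan_sample(0);
    return printf("oversized: body case %d, header case %d\n", a.oversized, b.oversized) < 0;
}
```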