[16515] in bugtraq


More about UW c-client library

daemon@ATHENA.MIT.EDU (Juhapekka Tolvanen)
Sat Sep 2 14:01:25 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Message-Id:  <20000902001814.A29927@verso.st.jyu.fi>
Date:         Sat, 2 Sep 2000 00:18:14 +0300
Reply-To: Juhapekka Tolvanen <juhtolv@ST.JYU.FI>
From: Juhapekka Tolvanen <juhtolv@ST.JYU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM

Here is more information about that bug.

http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=70647

It seems that they will have a patch real soon:

(CLIP HERE)

> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
>       sprintf (buf + strlen (buf),"...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <39AD820C.6AD0818C@axis.com> from
> Cristian Ionescu-Idbohrn <cii@axis.com>
>

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3).  This is
only the tip of the iceberg however.  There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd.  The report was about a mile long :(

(CLIP HERE)

--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv@st.jyu.fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
---------------------------------------------------------------------
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails
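
The quoted report describes the defect pattern (each of the From:, Status:, X-Status and X-Keywords pseudo-headers appended into a fixed 8k buffer with `sprintf (buf + strlen (buf), ...)`) and the fix (switching to snprintf(3)). The following is an added illustration written for this archive page; it is not code from imap-4.7c/src/osdep/unix/unix.c or from the Debian patch. The function names, the `HDRBUF_SIZE` constant and the sample header values are constructed for the example. It places the unsafe append beside a bounded version that also reports truncation, since a bare snprintf swap stops the overflow but silently drops the tail of an over-long X-Keywords value unless the return value is checked.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed header buffer, matching the 8k buffer the report describes.
   Constructed for this example; the real layout in unix.c is not reproduced. */
#define HDRBUF_SIZE 8192

/* The unsafe pattern from the report: append at the current end of buf
   with no knowledge of how much room remains. On benign input it "works",
   which is why the bug went unnoticed; a long X-Keywords value writes past
   the end of the buffer. Kept here as the "before" form only and exercised
   exclusively with short, constructed values. */
static void append_header_unsafe(char *buf, const char *name, const char *value)
{
    sprintf(buf + strlen(buf), "%s: %s\n", name, value);
}

/* Hardened form: bound the write with snprintf and treat a truncated result
   as a failure instead of silently keeping a cut-off header.
   Returns 1 on success, 0 if the header did not fit (buf left unchanged). */
static int append_header_safe(char *buf, size_t bufsize, const char *name, const char *value)
{
    size_t used = strlen(buf);
    if (used >= bufsize)            /* no terminator inside the buffer: refuse */
        return 0;
    size_t room = bufsize - used;
    int n = snprintf(buf + used, room, "%s: %s\n", name, value);
    if (n < 0 || (size_t)n >= room) {
        buf[used] = '\0';           /* roll back the partial write */
        return 0;
    }
    return 1;
}

/* Place the four pseudo-headers the report lists into a bounded buffer.
   Returns how many of them fit; 4 means the buffer is complete. */
static int build_status_headers(char *buf, size_t bufsize,
                                const char *from, const char *status,
                                const char *xstatus, const char *keywords)
{
    int ok = 0;
    buf[0] = '\0';
    ok += append_header_safe(buf, bufsize, "From", from);
    ok += append_header_safe(buf, bufsize, "Status", status);
    ok += append_header_safe(buf, bufsize, "X-Status", xstatus);
    ok += append_header_safe(buf, bufsize, "X-Keywords", keywords);
    return ok;
}

/* Benign input through the bounded path; returns the finished buffer. */
static const char *demo_short_headers(void)
{
    static char buf[HDRBUF_SIZE];
    build_status_headers(buf, sizeof buf, "a", "RO", "", "$Label1");
    return buf;
}

/* The same benign input through the unsafe path, to show both forms agree
   when nothing is over-long; returns the resulting length. */
static size_t demo_short_headers_unsafe(void)
{
    static char buf[HDRBUF_SIZE];
    buf[0] = '\0';
    append_header_unsafe(buf, "From", "a");
    append_header_unsafe(buf, "Status", "RO");
    append_header_unsafe(buf, "X-Status", "");
    append_header_unsafe(buf, "X-Keywords", "$Label1");
    return strlen(buf);
}

/* A constructed X-Keywords value longer than the whole buffer. The bounded
   path refuses it (3 of 4 headers placed) instead of writing past buf. */
static int demo_oversized_keywords(void)
{
    static char buf[HDRBUF_SIZE];
    static char keywords[HDRBUF_SIZE + 100];
    memset(keywords, 'K', sizeof keywords - 1);
    keywords[sizeof keywords - 1] = '\0';
    return build_status_headers(buf, sizeof buf, "a", "RO", "", keywords);
}

int main(void)
{
    printf("short headers:\n%s", demo_short_headers());
    printf("unsafe path length: %zu\n", demo_short_headers_unsafe());
    printf("oversized keywords: %d of 4 headers placed\n", demo_oversized_keywords());
    return 0;
}
```

The point of returning a count rather than a buffer is that the caller can decide what to do with a message whose keywords do not fit (log it, drop the keywords, or fail the write) instead of discovering a truncated `X-Keywords:` line on the next mailbox parse.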
