List: bugtraq
Subject: Re: KSR[T] Advisory #7: filter
From: hurtta+zz () ozone ! FMI ! FI
Date: 1998-02-24 7:14:08
KSR[T]:
> Affected Program: filter ( part of the elm-2.4 package )
<...>
> Notes: This was not a full audit on the elm2.4 package, or
> filter for that matter. At a glance, there appear
> to be numerous security problems.
>
> The filter included in elm-2.4ME+37 also appears to
> be vulnerable to the "save_embedded_address()" attack,
> but not to the "get_filter_rules()" attack.
>
> Filter will not be a part of elm 2.5, and is
> not supported in any way at this time. It is the
> Elm group's recommendation that filter not be used.
>
> Patch/Fix:
>
> -*- Begin elm 2.4 filter patch -*-
>
> diff -u filter/filter.c filter.new/filter.c
> --- filter/filter.c Tue Feb 4 09:13:02 1997
> +++ filter.new/filter.c Tue Feb 4 09:17:38 1997
> @@ -429,7 +429,7 @@
> **/
>
> static int processed_a_reply_to = 0;
> - char address[LONG_STRING];
> + char address[MAX_LINE_LEN + 1];
> register int i, j = 0;
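Review bot: enlarging `address` from LONG_STRING to MAX_LINE_LEN + 1 only moves the overflow downstream rather than removing it: as the reply below points out, `address` is later copied with an unbounded `strcpy(from,address)` into `from[LONG_STRING]`, so any address longer than LONG_STRING - 1 bytes that now fits in the enlarged buffer overflows `from` instead. The fix belongs in the loop in save_embedded_address() that fills `address` (bound the index against the buffer size), or at minimum the copy should be bounded, as ME+ does with `strfcpy(from,address,sizeof from)`.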
Enlarging address just causes there to then be an overflow in
strcpy(from,address);
(
char to[VERY_LONG_STRING],
from[LONG_STRING],
subject[LONG_STRING], /* from current message */
sender[LONG_STRING]; /* from current message */
)
Better fix the loop in save_embedded_address (*).
(This overflow is not necessarily exploitable.)
(In ME+ that strcpy is strfcpy(from,address,sizeof from) and is therefore
bounds checked.)
/ Kari Hurtta
(*) See the ME+ PL39 patch (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz,
ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)
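The point of the reply above, shown as an added example (this is not elm's code and not Kari Hurtta's patch): widening address[] lets a longer address through, so an unbounded strcpy() into from[LONG_STRING] overflows, while bounding the extraction loop and the copy does not. The buffer sizes, the extract_embedded_address() stand-in for the loop in save_embedded_address(), and strfcpy_checked() (a bounded copy with the semantics the reply attributes to ME+'s strfcpy, plus a truncation flag) are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes are assumed for this example; elm defines its own in defs.h. */
#define LONG_STRING   512
#define MAX_LINE_LEN 1024

/* Bounded copy modelling strfcpy(dest, src, sizeof dest) as described in
 * the reply: at most size-1 bytes copied, always NUL-terminated.
 * Returns 1 if src had to be truncated, 0 otherwise. */
static int strfcpy_checked(char *dest, const char *src, size_t size)
{
    size_t n = strlen(src);
    int truncated = 0;

    if (size == 0)
        return 1;
    if (n >= size) {
        n = size - 1;
        truncated = 1;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    return truncated;
}

/* Hypothetical stand-in for the loop in save_embedded_address(): pull the
 * text between '<' and '>' out of a header line into address[], stopping at
 * size-1 bytes so the loop itself can never overrun the buffer.
 * Returns the number of bytes stored (excluding the NUL). */
size_t extract_embedded_address(const char *line, char *address, size_t size)
{
    const char *p = strchr(line, '<');
    size_t j = 0;

    if (size == 0)
        return 0;
    p = (p == NULL) ? line : p + 1;   /* no '<': take the whole line */
    for (; *p != '\0' && *p != '>' && j < size - 1; p++)
        address[j++] = *p;
    address[j] = '\0';
    return j;
}

/* Bytes an unbounded strcpy(from, address) writes: strlen(address) + 1.
 * With address[] enlarged to MAX_LINE_LEN + 1 this can exceed
 * sizeof from == LONG_STRING, which is the overflow the reply points out. */
size_t strcpy_bytes_needed(const char *address)
{
    return strlen(address) + 1;
}

/* 1 if strcpy(from, address) into from[LONG_STRING] would overflow. */
int unbounded_copy_overflows(const char *address)
{
    return strcpy_bytes_needed(address) > LONG_STRING;
}

/* The bounded alternative: copy into from[] with its real size.
 * Returns 1 if the address was truncated to fit. */
int copy_to_from(const char *address, char *from, size_t from_size)
{
    return strfcpy_checked(from, address, from_size);
}

int main(void)
{
    /* Constructed input: a header line whose <...> part nearly fills
     * MAX_LINE_LEN, i.e. fits the enlarged address[] but not from[]. */
    char line[MAX_LINE_LEN + 1];
    char address[MAX_LINE_LEN + 1];
    char from[LONG_STRING];

    memset(line, 'a', MAX_LINE_LEN);
    line[0] = '<';
    line[MAX_LINE_LEN - 1] = '>';
    line[MAX_LINE_LEN] = '\0';

    size_t n = extract_embedded_address(line, address, sizeof address);
    printf("extracted %zu bytes into address[%zu]\n", n, sizeof address);
    printf("strcpy(from, address) would write %zu bytes into from[%zu]: %s\n",
           strcpy_bytes_needed(address), sizeof from,
           unbounded_copy_overflows(address) ? "OVERFLOW" : "ok");
    int trunc = copy_to_from(address, from, sizeof from);
    printf("bounded copy stored %zu bytes, truncated=%d\n", strlen(from), trunc);
    return 0;
}
```

Note that widening address[] alone changes only which buffer the long address lands in; the bounded loop and bounded copy together are what keep every write inside its buffer, at the cost of truncating over-long addresses.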