List: vuln-dev
Subject: QPopper 4.0.4 buffer overflow
From: Marcell Fodor <m.fodor () mail ! datanet ! hu>
Date: 2002-04-28 19:24:51
Affected versions: 4.0.3 and 4.0.4, default install.
Servers not processing the user's configuration file
(~/.qpopper-options) are not affected by this bug.
pop_bull.c
-----------
int
CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE *bull;
    char buffer [ MAXMSGLINELEN ];
    BOOL in_header = TRUE;
    BOOL first_line = TRUE;
    int nchar;
    int msg_num;
    int msg_vis_num = 0;
    int msg_ends_in_nl = 0;
    char bullName [ 256 ];
    MsgInfoList *mp;
    .
    .
    .
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------
The bullName buffer is 256 bytes long, but in the user's
config file you can define it up to MAXLINELEN-1-sizeof
("set bulldir="), 1010 bytes.
~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------
more info: http://mantra.freeweb.hu
Regards,
Marcell Fodor