Re: imap mailbox killer
On Thu, 31 Aug 2000, Paul Slootman wrote:
> On Thu 31 Aug 2000, Paul Slootman wrote:
> > Yuck. Smells like a serious buffer overflow somewhere.
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
> sprintf (buf + strlen (buf),"...
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <39AD820C.6AD0818C@axis.com> from
> Cristian Ionescu-Idbohrn <email@example.com>
Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3). This is
only the tip of the iceberg however. There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd. The report was about a mile long :(
Oddly enough I read that message and wasn't affected even though I use
pine 4.21 and imapd.
Jaldhar H. Vyas <firstname.lastname@example.org>