Re: imap mailbox killer

To: Paul Slootman <paul@murphy.nl>
Cc: 70647@debian.org, debian-devel@lists.debian.org
Subject: Re: imap mailbox killer
From: "Jaldhar H. Vyas" <jaldhar@debian.org>
Date: Thu, 31 Aug 2000 13:00:26 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.21.0008311235350.16037-100000@cancerous.braincells.com>
Reply-to: "Jaldhar H. Vyas" <jaldhar@debian.org>
In-reply-to: <20000831114104.B27381@murphy.nl>

On Thu, 31 Aug 2000, Paul Slootman wrote:

> On Thu 31 Aug 2000, Paul Slootman wrote:
> 
> > Yuck. Smells like a serious buffer overflow somewhere.
> 
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple 
> 
> 	sprintf (buf + strlen (buf),"...
> 
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
> 
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
> 
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <39AD820C.6AD0818C@axis.com> from
> Cristian Ionescu-Idbohrn <cii@axis.com>
> 

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3).  This is
only the tip of the iceberg however.  There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd.  The report was about a mile long :(

Oddly enough I read that message and wasn't affected even though I use
pine 4.21 and imapd.

-- 
Jaldhar H. Vyas <jaldhar@debian.org>

-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Prev by Date: Re: imap mailbox killer
Next by Date: netscape 4.75 in security.debian.org is broken
Previous by thread: Re: imap mailbox killer
Next by thread: Re: imap mailbox killer
Index(es):
- Date
- Thread