Bug#352482: metamail: crashes with very long boundaries in messages

To: Ulf Harnhammar <metaur@operamail.com>, 352482@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#352482: metamail: crashes with very long boundaries in messages
From: Justin Pryzby <justinpryzby@users.sourceforge.net>
Date: Sun, 12 Feb 2006 11:20:05 -0500
Message-id: <[🔎] 20060212162005.GK31125@andromeda>
Reply-to: Justin Pryzby <justinpryzby@users.sourceforge.net>, 352482@bugs.debian.org
In-reply-to: <[🔎] 20060212093454.BD2087B528@ws5-10.us4.outblaze.com>
References: <[🔎] 20060212093454.BD2087B528@ws5-10.us4.outblaze.com>

tag 352482 security
thanks

On Sun, Feb 12, 2006 at 10:34:54AM +0100, Ulf Harnhammar wrote:
> Subject: metamail: crashes with very long boundaries in messages
> Package: metamail
> Version: 2.7-50
BTW, what is in ./metamail, rather than ./src/metamail/??

Is it a different source version??  It has, instead, on line 447:

	LineBuf = malloc(LINE_BUF_SIZE);
	if (!LineBuf) ExitWithError(nomem);
	sprintf(LineBuf, "--%s", boundary);

> I have found that metamail crashes when processing messages with
> very long boundaries. They cause a buffer overflow, which doesn't
> seem to be exploitable:
How is this not [potentially] exploitable?

Justin

Reply to:

Follow-Ups:
- Processed: Re: Bug#352482: metamail: crashes with very long boundaries in messages
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

References:
- Bug#352482: metamail: crashes with very long boundaries in messages
  - From: "Ulf Harnhammar" <metaur@operamail.com>

Prev by Date: Bug#342815: About problems in kernel 2.4
Next by Date: Processed: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Previous by thread: Bug#352482: metamail: crashes with very long boundaries in messages
Next by thread: Processed: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Index(es):
- Date
- Thread