
Bug#352482: [Debian-audit] Re: Bug#352482: metamail: crashes with very long boundaries in messages



On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
> 
> Well, because of the error message that it prints, and because of 
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function).  I've been taught that this
> signifies not being exploitable, but I may be wrong.

In my quick test with 2.7-50 from sid, it's the safety checks
in _int_free() that abort the process.

> What do the others in the Debian Security Audit Project think about
> this?

| From: <metaur@localhost>
| To: <metaur@localhost>
| Subject: metamail crash bug
| 
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| metaur@metaur:~$

This may in fact be exploitable. The error indicates that a 
malloc chunk header has been corrupted. Depending on the exact
circumstances - the version of glibc and the order of memory
allocations/frees in metamail - this may (or may not) be possible
to use for writing to arbitrary memory locations. Without having
looked at it in detail, I would consider this bug exploitable
unless it's proven not to be.

cheers,
Max
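To make Max's point concrete, here is an added example (written for this page, not taken from metamail or from the original thread): a hypothetical unsafe copy of the boundary into a fixed-size heap buffer, beside a hardened extract_boundary() that enforces the RFC 2046 limit of 70 characters before allocating. The function names and the BOUNDARY_MAX constant are this example's own assumptions, not metamail's.

```c
#include <stdlib.h>
#include <string.h>

#define BOUNDARY_MAX 70   /* RFC 2046: a boundary is at most 70 characters */

/* Hypothetical unsafe pattern (not metamail's code): the boundary goes into a
 * heap buffer sized for a normal value with no length check, so an overlong
 * boundary runs past the end into the next malloc chunk's header, which is
 * what glibc's "free(): invalid next size" check later reports. Never called. */
char *copy_boundary_unsafe(const char *boundary)
{
    char *buf = malloc(BOUNDARY_MAX + 1);
    if (buf == NULL) return NULL;
    strcpy(buf, boundary);   /* copies strlen(boundary)+1 bytes regardless */
    return buf;
}

/* Hardened form: find the boundary parameter in a Content-Type value, measure
 * it first, reject anything over BOUNDARY_MAX, then allocate exactly enough.
 * Returns NULL on a missing, empty, unterminated or overlong boundary. */
char *extract_boundary(const char *content_type)
{
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL) return NULL;
    p += strlen("boundary=");
    int quoted = (*p == '"');
    if (quoted) p++;
    const char *end = p;
    if (quoted) {
        while (*end != '\0' && *end != '"') end++;
        if (*end != '"') return NULL;           /* unterminated quote */
    } else {
        while (*end != '\0' && *end != ';' && *end != ' ' && *end != '\t' &&
               *end != '\r' && *end != '\n') end++;
    }
    size_t len = (size_t)(end - p);
    if (len == 0 || len > BOUNDARY_MAX) return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return buf;
}
```

Given a Content-Type header whose boundary runs to hundreds of characters, extract_boundary() returns NULL and never touches the heap, whereas the unsafe variant would write past its 71-byte buffer into the neighbouring chunk's metadata. The caller owns and frees the returned string.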
