Bug#352482: [Debian-audit] Re: Bug#352482: metamail: crashes with very long boundaries in messages
On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
>
> Well, because of the error message that it prints, and because of
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function). I've been taught that this
> signifies not being exploitable, but I may be wrong.
In my quick test with 2.7-50 from sid, it's the safety checks
in _int_free() that abort the process.
> What do the others in the Debian Security Audit Project think about
> this?
| From: <metaur@localhost>
| To: <metaur@localhost>
| Subject: metamail crash bug
|
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| metaur@metaur:~$
This may in fact be exploitable. The error indicates that a
malloc chunk header has been corrupted. Depending on the exact
circumstances - the version of glibc and the order of memory
allocations/frees in metamail - this may (or may not) be possible
to use for writing to arbitrary memory locations. Without having
looked at it in detail, I would consider this bug exploitable
unless it's proven not to be.
cheers,
Max
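The crash class discussed above (a heap chunk header clobbered by an over-long MIME boundary, caught only later by glibc's free() checks) is avoided by rejecting the boundary before it is ever copied. The following is an added example written for this thread, not metamail's own parser: it extracts the boundary parameter from a Content-Type value and enforces the RFC 2046 limit of 70 characters plus the destination buffer size, so an oversized boundary is refused rather than written past the end of a buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters long. */
#define BOUNDARY_MAX 70

/* Case-insensitive match of the parameter name "boundary" at p. Stops at NUL. */
static int has_boundary_keyword(const char *p)
{
    const char *kw = "boundary";
    for (int i = 0; i < 8; i++)
        if (tolower((unsigned char)p[i]) != kw[i]) return 0;
    return 1;
}

/* Copy the boundary parameter of a Content-Type header value into out
 * (capacity outsz). Returns the boundary length, or -1 when the parameter is
 * missing, empty, unterminated, longer than BOUNDARY_MAX, or too big for out.
 * The length is checked before the copy, so an attacker-sized boundary never
 * reaches the destination buffer. */
int extract_boundary(const char *ct, char *out, size_t outsz)
{
    const char *p = NULL;
    for (const char *q = ct; *q; q++) {
        int at_start = (q == ct) || q[-1] == ';' || isspace((unsigned char)q[-1]);
        if (!at_start || !has_boundary_keyword(q)) continue;
        const char *v = q + 8;
        while (isspace((unsigned char)*v)) v++;
        if (*v != '=') continue;              /* e.g. "boundaryfoo=" is not ours */
        p = v + 1;
        break;
    }
    if (p == NULL) return -1;
    while (isspace((unsigned char)*p)) p++;

    const char *start, *end;
    if (*p == '"') {                          /* quoted-string form */
        start = ++p;
        end = strchr(start, '"');
        if (end == NULL) return -1;
    } else {                                  /* token form, ends at ';' or space */
        start = end = p;
        while (*end && *end != ';' && !isspace((unsigned char)*end)) end++;
    }
    size_t len = (size_t)(end - start);
    if (len == 0 || len > BOUNDARY_MAX || len >= outsz) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed input: a header whose boundary is n 'A' characters. Returns the
 * parser's verdict so the length limit can be exercised at any size. */
int check_boundary_len(size_t n)
{
    static const char prefix[] = "multipart/mixed; boundary=";
    char out[BOUNDARY_MAX + 1];
    char *hdr = malloc(sizeof prefix + n);    /* sizeof prefix includes the NUL */
    if (hdr == NULL) return -1;
    memcpy(hdr, prefix, sizeof prefix - 1);
    memset(hdr + sizeof prefix - 1, 'A', n);
    hdr[sizeof prefix - 1 + n] = '\0';
    int r = extract_boundary(hdr, out, sizeof out);
    free(hdr);
    return r;
}
```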