QPopper 4.0.4 buffer overflow: msg#00397 (security.bugtraq)
Affected versions: 4.0.3 and 4.0.4, default install. Servers not processing the user's configuration file (~/.qpopper-options) are insensible to this bug.

pop_bull.c
-----------
int CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE *bull;
    char buffer [ MAXMSGLINELEN ];
    BOOL in_header = TRUE;
    BOOL first_line = TRUE;
    int nchar;
    int msg_num;
    int msg_vis_num = 0;
    int msg_ends_in_nl = 0;
    char bullName [ 256 ];
    MsgInfoList *mp;
    .
    .
    .
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------

The bullName buffer is 256 bytes long, but in the user's config file you can define it up to MAXLINELEN-1-sizeof("set bulldir=") = 1010 bytes.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------

more info: http://mantra.freeweb.hu

Regards,
Marcell Fodor
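A bounded replacement for the sprintf call quoted in the post, added here as an illustration; it is not code from the post or from Qpopper. The helper names `build_bull_path` and `demo_oversized_bulldir`, the sample directory and the bulletin file name are hypothetical, constructed values.

```c
#include <stdio.h>
#include <string.h>

#define BULL_NAME_LEN 256   /* size of bullName in the excerpt above */

/* Hypothetical helper (not Qpopper code): build "<bulldir>/<name>" into out.
 * Returns 0 on success, -1 if the result would not fit, in which case
 * out is set to the empty string so a truncated path is never opened. */
static int build_bull_path(char *out, size_t outlen,
                           const char *bulldir, const char *name)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (bulldir == NULL || name == NULL)
        return -1;

    /* snprintf writes at most outlen bytes including the NUL and returns
     * the length the full string would have had. */
    n = snprintf(out, outlen, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a bulldir of 1010 'A' bytes, the maximum the post
 * says ~/.qpopper-options can supply. Returns the helper's result. */
static int demo_oversized_bulldir(void)
{
    char bullName[BULL_NAME_LEN];
    char bulldir[1011];

    memset(bulldir, 'A', sizeof(bulldir) - 1);
    bulldir[sizeof(bulldir) - 1] = '\0';
    return build_bull_path(bullName, sizeof(bullName), bulldir, "00001.bull");
}

int main(void)
{
    char bullName[BULL_NAME_LEN];
    int ok = build_bull_path(bullName, sizeof(bullName),
                             "/var/spool/bulls", "00001.bull");
    printf("normal: %d (%s)\n", ok, bullName);
    printf("oversized: %d\n", demo_oversized_bulldir());
    return 0;
}
```

Rejecting the oversized value, rather than silently truncating it, keeps the server from opening a path the user did not actually name.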