Re: KSR[T] Advisory #7: filter

[hurtta+zz () ozone FMI FI (hurtta+zz () ozone FMI FI)]

KSR[T]:
> Affected Program:    filter ( part of the elm-2.4 package )
<...>
> Notes:               This was not a full audit on the elm2.4 package, or
>                      filter for that matter.  At a glance, there appear
>                      to be numerous security problems.
>
>                      The filter included in elm-2.4ME+37 also appears to
>                      be vulnerable to the "save_embedded_address()" attack,
>                      but not to the "get_filter_rules()" attack.
>
>                      Filter will not be a part of elm 2.5, and is
>                      not supported in any way at this time.  It is the
>                      Elm group's recommendation that filter not be used.
>
> Patch/Fix:
>
> -*- Begin elm 2.4 filter patch -*-
>
> diff -u filter/filter.c filter.new/filter.c
> --- filter/filter.c     Tue Feb  4 09:13:02 1997
> +++ filter.new/filter.c Tue Feb  4 09:17:38 1997
> @@ -429,7 +429,7 @@
>         **/
>
>         static int processed_a_reply_to = 0;
> -       char address[LONG_STRING];
> +       char address[MAX_LINE_LEN + 1];
>         register int i, j = 0;

Enlarging of address does causes just that then there is overflow in

        strcpy(from,address);

(
char to[VERY_LONG_STRING],
     from[LONG_STRING],
     subject[LONG_STRING],              /* from current message     */
     sender[LONG_STRING];               /* from current message     */
)

Better fix loop in save_embedded_address (*).
(This overflow is not necessary exploitable.)

(in ME+ that strcpy is strfcpy(from,address,sizeof from) and therefore
 bound checked.)

/ Kari Hurtta

(*) Look ME+ PL39 patch (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz,
    ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)