Bugtraq mailing list archives
Re: KSR[T] Advisory #7: filter
From: hurtta+zz () ozone FMI FI (hurtta+zz () ozone FMI FI)
Date: Tue, 24 Feb 1998 09:14:08 +0200
KSR[T]:
Affected Program: filter ( part of the elm-2.4 package )
<...>
Notes: This was not a full audit on the elm2.4 package, or filter for that matter. At a glance, there appear to be numerous security problems. The filter included in elm-2.4ME+37 also appears to be vulnerable to the "save_embedded_address()" attack, but not to the "get_filter_rules()" attack. Filter will not be a part of elm 2.5, and is not supported in any way at this time. It is the Elm group's recommendation that filter not be used. Patch/Fix: -*- Begin elm 2.4 filter patch -*- diff -u filter/filter.c filter.new/filter.c --- filter/filter.c Tue Feb 4 09:13:02 1997 +++ filter.new/filter.c Tue Feb 4 09:17:38 1997 @@ -429,7 +429,7 @@ **/ static int processed_a_reply_to = 0; - char address[LONG_STRING]; + char address[MAX_LINE_LEN + 1]; register int i, j = 0;
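Review bot: Enlarging `address` from `LONG_STRING` to `MAX_LINE_LEN + 1` in this hunk makes the local buffer larger than the `from[LONG_STRING]` buffer it is later copied into with `strcpy(from,address)`, so the overflow is moved rather than removed; bound that copy (`strfcpy(from, address, sizeof from)` as in ME+) or fix the loop in `save_embedded_address()` that fills `address` so it never exceeds the size of its destination.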
Enlarging address just means that there is then an overflow in strcpy(from,address):

    char to[VERY_LONG_STRING], from[LONG_STRING],
         subject[LONG_STRING],   /* from current message */
         sender[LONG_STRING];    /* from current message */

Better to fix the loop in save_embedded_address (*).
(This overflow is not necessarily exploitable.)
(In ME+ that strcpy is strfcpy(from,address,sizeof from) and therefore bounds checked.)

/ Kari Hurtta

(*) See the ME+ PL39 patch (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz, ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)
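The point of the reply above, shown as an added example that is not part of elm, the KSR[T] advisory or this thread: growing a local buffer does nothing for a later unbounded strcpy into a smaller buffer, whereas a bounded copy of the kind ME+ uses (strfcpy(dst, src, sizeof dst)) keeps every step inside its destination. The buffer sizes, the bounded_copy() routine and the extract_from() model of the header-to-from[] flow are all assumptions made for the example, not elm's definitions.

```c
/* Added example, not elm code. Sizes below are assumed values standing in for
 * the LONG_STRING and MAX_LINE_LEN constants named in the patch. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LONG_STRING   512   /* assumed: size of from[]/subject[]/sender[] */
#define MAX_LINE_LEN  1024  /* assumed: size the patch uses for address[] */

/* Bounded copy modelled on the strfcpy(dst, src, sizeof dst) call mentioned
 * in the reply: never writes more than dstsz bytes and always NUL-terminates.
 * Returns 1 when src had to be truncated, 0 otherwise. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* A plain strcpy from a buffer of src_size bytes into one of dst_size bytes
 * is only guaranteed safe when the source cannot be larger than the
 * destination. Returns 1 when safe, 0 when the chain can overflow. */
int strcpy_chain_is_safe(size_t src_size, size_t dst_size)
{
    return src_size <= dst_size;
}

/* Hypothetical model of the patched flow: a header value is gathered into
 * address[MAX_LINE_LEN + 1] and then copied into from[]. Both copies are
 * bounded, so the function returns how many of them had to truncate. */
int extract_from(const char *header_line, char *from, size_t fromsz)
{
    char address[MAX_LINE_LEN + 1];
    int truncated = 0;

    truncated += bounded_copy(address, sizeof address, header_line);
    truncated += bounded_copy(from, fromsz, address);
    return truncated;
}

static char g_line[MAX_LINE_LEN];   /* constructed over-long header value */
static char g_from[LONG_STRING];    /* destination used by main() and tests */

/* Builds a constructed header value of MAX_LINE_LEN - 1 'A' characters,
 * i.e. a value that fits address[] but not from[]. */
const char *overlong_line(void)
{
    memset(g_line, 'A', sizeof g_line - 1);
    g_line[sizeof g_line - 1] = '\0';
    return g_line;
}

int main(void)
{
    int truncations;

    /* The patch's sizes: address[] is bigger than from[], so an unbounded
     * strcpy(from, address) can still overflow. */
    printf("strcpy(from, address) chain safe: %d\n",
           strcpy_chain_is_safe(MAX_LINE_LEN + 1, LONG_STRING));

    /* With bounded copies the over-long value is cut to fit from[]. */
    truncations = extract_from(overlong_line(), g_from, sizeof g_from);
    printf("truncations: %d, strlen(from) = %zu\n", truncations, strlen(g_from));

    /* A normal-sized value passes through untouched. */
    truncations = extract_from("Kari Hurtta <hurtta@example.invalid>",
                               g_from, sizeof g_from);
    printf("truncations: %d, from = \"%s\"\n", truncations, g_from);
    return 0;
}
```

The chain check is the part to keep in mind when reviewing a patch like the one above: every buffer that a value flows through must be at least as large as the buffer it came from, or the copy into it must be bounded; enlarging only the first one satisfies neither condition.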