
Re: QPOPPER problem....


From: bruno () OPENLINE COM BR (Bruno Lopes F. Cabral)
Date: Sat, 27 Jun 1998 15:47:39 -0300


Hi there

Here is the proper join of Miquel van Smoorenburg and Roy Hooper
security patches applied to qpopper 2.4.

As I maintain the rpm version of pammified qpopper, you can grab everything
from ftp://ftp.openline.com.br/mirror/contrib/qpopper-2.4-2.src.rpm

!3runo

diff -uNr qpopper2.4-orig/pop_dropcopy.c qpopper2.4/pop_dropcopy.c
--- qpopper2.4-orig/pop_dropcopy.c      Fri Sep 12 17:23:02 1997
+++ qpopper2.4/pop_dropcopy.c   Sat Jun 27 14:41:01 1998
@@ -457,6 +457,9 @@
                    } else
                        cp = "";

+                   /* Make UIDL not longer then 128 chars, we use it
+                      in sprintf() later on */
+                   if (strlen(cp) >= 128) cp[127] = 0;
                    mp->uidl_str = (char *)strdup(cp);
                    mp->length += nchar + 1;
                    p->drop_size += nchar + 1;
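Review bot: The added truncation rewrites the UIDL in place rather than only bounding the later sprintf(), so two messages whose UIDLs differ only beyond byte 127 end up with the same uidl_str, and the 128 is a magic number that must be kept in sync by hand with the buffer the comment refers to. Bounding at the format site instead, e.g. a `%.127s` precision or a named constant shared with that buffer, keeps the limit in one place and leaves the stored value intact; the comment should also read "longer than". Note that in the `else` branch on the line above, cp is the string literal `""`, so the write through cp is only safe there because its length is 0 — worth a comment on where cp points in the other branch. The enclosing function and the sprintf() the comment mentions are outside the hunk.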
diff -uNr qpopper2.4-orig/pop_log.c qpopper2.4/pop_log.c
--- qpopper2.4-orig/pop_log.c   Thu Sep 11 21:21:21 1997
+++ qpopper2.4/pop_log.c        Sat Jun 27 14:41:57 1998
@@ -47,7 +47,7 @@
 #endif

 #ifdef HAVE_VPRINTF
-        vsprintf(msgbuf,format,ap);
+        vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
 #else
 # ifdef PYRAMID
         (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
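Review bot: The bound only covers the HAVE_VPRINTF build; the PYRAMID/`#else` path on the last line of the hunk still formats into msgbuf with an unbounded sprintf(), and the same split remains in the pop_msg.c hunk below. Where snprintf is available on those platforms the fallback can be bounded the same way, `(void)snprintf(msgbuf, sizeof(msgbuf), format, arg1, arg2, arg3, arg4, arg5, arg6);`; otherwise the fallback should carry a comment stating that it is still unbounded so the fix is not taken as complete. The vsnprintf return value is discarded, so truncation is silent — acceptable for a log line, but worth a one-line comment. The enclosing function starts and ends outside the hunk.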
@@ -67,6 +67,8 @@
         (void)fflush(p->trace);
     }
     else {
+        /* Protect syslog from too long messages */
+        if (strlen(msgbuf) >= 512) msgbuf[511] = 0;
         syslog (stat,"%s",msgbuf);
     }

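Review bot: The 512 on the added check is a second magic limit unrelated to the `sizeof(msgbuf)` used in the previous hunk, and whether it ever fires depends on msgbuf being at least 512 bytes, which the declaration outside the hunk would have to confirm; if msgbuf is smaller the line is dead, if larger it silently shortens the message with no indication in the log. Give the limit a name that says what it protects, e.g. `#define SYSLOG_MSG_MAX 512` and `if (strlen(msgbuf) >= SYSLOG_MSG_MAX) msgbuf[SYSLOG_MSG_MAX - 1] = '\0';`, and extend the comment to say the cap is a syslog line limit, not a buffer bound. The enclosing function starts outside the hunk.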
diff -uNr qpopper2.4-orig/pop_msg.c qpopper2.4/pop_msg.c
--- qpopper2.4-orig/pop_msg.c   Thu Sep 11 21:21:41 1997
+++ qpopper2.4/pop_msg.c        Sat Jun 27 14:42:42 1998
@@ -63,7 +63,7 @@
     /*  Append the message (formatted, if necessary) */
     if (format)
 #ifdef HAVE_VPRINTF
-        vsprintf(mp,format,ap);
+        vsnprintf(mp,sizeof(message) - strlen(mp) -1,format,ap);
 #else
 # ifdef PYRAMID
         (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
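Review bot: The size passed to vsnprintf is computed from `strlen(mp)`, but the comment says the formatted text is appended, which suggests mp already points past a prefix written into `message`; at that position strlen(mp) is 0, so the bound comes out as `sizeof(message) - 1` and the prefix length is not subtracted, leaving an overflow of up to that many bytes. If mp does point into `message`, the remaining room is the offset, `vsnprintf(mp, sizeof(message) - (size_t)(mp - message), format, ap);`, and the extra `-1` is not needed because vsnprintf reserves the terminator itself. This also assumes `message` is an array in scope rather than a pointer, which cannot be seen from the hunk. The `#else` path on the last line is still an unbounded sprintf(), as noted on pop_log.c; the enclosing function starts and ends outside the hunk.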


