Bugtraq mailing list archives

Re: patch for qpopper remote exploit bug


From: andre () ML EE (Andres Kroonmaa)
Date: Sat, 27 Jun 1998 21:21:13 +0300


On 27 Jun 98, at 3:24, Roy Hooper <rhooper () CORP CYBERUS CA> wrote:

This is a simple case of the author(s) of qpopper not using vsnprintf where
they ought to have been.  I have confirmed that qpopper-2.41beta1 is indeed
vulnerable to a remote exploit due to buffer overrun.  I have not actually
tested the exploit, but have tested (and fixed) the buffer overrun in the
copy of qpopper running here.

The quick fix (for FreeBSD 2.2.2+, 3.0, and Solaris 2.6x86) is quite easy,
as both have the vsnprintf function.  This patch is not guaranteed to solve
the problem, but appears to do so.

*** qpopper2.41beta1/pop_log.c Sat Jun 27 03:19:05 1998
--- qpopper2.41beta1-broken/pop_log.c Sat Jun 27 03:18:37 1998
***************
*** 47,53 ****
  #endif

  #ifdef HAVE_VPRINTF
!         vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
  #else
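Review bot: the diff cannot be applied as posted, because its two file headers are reversed and the new-file half of the hunk is missing. `*** qpopper2.41beta1/pop_log.c` (the side whose `!` line already reads `vsnprintf(msgbuf,sizeof(msgbuf),format,ap);`, i.e. the fixed copy) is given as the old file and `--- qpopper2.41beta1-broken/pop_log.c` as the new one, and only the `*** 47,53 ****` section is present, with no matching `--- 47,53 ----` section showing what the line was replaced from. Regenerate it as `diff -c broken fixed` so the bounded call appears as the new text. Separately, the guard `#ifdef HAVE_VPRINTF` only establishes that vprintf is available; it says nothing about vsnprintf, so the bounded call should sit behind its own feature test (a HAVE_VSNPRINTF-style check), and the `#else` branch, whose body is not shown here, needs a bound of its own as well or the fix is a no-op on exactly the platforms where the unbounded path is taken.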

 Yeah, but what about systems that do _not_ have vsnprintf()?
 Using calls without bounds checks can be justified as long
 as it is made dead sure that no bounds would ever be exceeded.

 In the current case, the buffers overflow because qpopper accepts
 way too long commands. The easiest fix is to limit the maximum command
 length to a safer, lower value during the call to tgets().


----------------------------------------------------------------------
 Andres Kroonmaa                                mail: andre () online ee
 Network Manager
 Organization:            MicroLink Online       Tel:        6308 909
 Tallinn, Sakala 19                              Pho:  +372  6308 909
 Estonia, EE0001        http://www.online.ee     Fax:  +372  6308 901
----------------------------------------------------------------------
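Worked example of the two fixes discussed in this thread, added here as illustration; it is not qpopper's pop_log.c or tgets(), and not Roy Hooper's patch. safe_log_format() is the vsnprintf approach from the patch, and bounded_gets() is the input-side limit Andres proposes, which protects the log path even on a system with no vsnprintf() at all. The function names, the LOGBUF_SIZE and MAXCMDLEN values and the in-memory struct conn standing in for the client socket are assumptions made for the example; the sample input is constructed.

```c
/*
 * Added example for this thread, not qpopper's pop_log.c or tgets() and not
 * Roy Hooper's patch. It shows both fixes under discussion:
 *   1. safe_log_format(): vsnprintf() into a fixed buffer (Roy's fix);
 *   2. bounded_gets(): a tgets()-style reader that refuses over-long
 *      commands, usable where vsnprintf() is absent (Andres's suggestion).
 * Function names, LOGBUF_SIZE, MAXCMDLEN and struct conn are assumptions.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 64   /* assumed log buffer size */
#define MAXCMDLEN   32   /* assumed command buffer size, NUL included */

/* Fix 1: bounded formatting. msgbuf is always NUL-terminated.
 * Returns 1 if the whole message fit, 0 if it was truncated. */
int safe_log_format(char *msgbuf, size_t bufsz, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(msgbuf, bufsz, format, ap);
    va_end(ap);
    if (n < 0) {            /* encoding error: leave an empty buffer */
        msgbuf[0] = '\0';
        return 0;
    }
    return (size_t)n < bufsz;
}

/* Constructed stand-in for the client socket: bytes served from memory. */
struct conn {
    const char *data;
    size_t len;
    size_t pos;
};

static int conn_getc(struct conn *c)
{
    if (c->pos >= c->len)
        return EOF;
    return (unsigned char)c->data[c->pos++];
}

/* Fix 2: bounded line reader. Stores at most max-1 bytes in buf, drops CR,
 * stops at LF, NUL-terminates. Returns bytes stored, -1 on EOF with nothing
 * read, or -2 if the line exceeded the limit; the rest of an over-long line
 * is drained so the next call starts on a fresh command rather than on the
 * tail of this one. */
int bounded_gets(char *buf, size_t max, struct conn *c)
{
    size_t i = 0;
    int ch, overflow = 0;
    while ((ch = conn_getc(c)) != EOF && ch != '\n') {
        if (ch == '\r')
            continue;
        if (i + 1 < max)
            buf[i++] = (char)ch;
        else
            overflow = 1;   /* keep draining, store nothing more */
    }
    if (ch == EOF && i == 0 && !overflow) {
        buf[0] = '\0';
        return -1;
    }
    buf[i] = '\0';
    return overflow ? -2 : (int)i;
}

/* A log call site with both bounds in place. Returns 1 if a command was
 * logged, 0 if it was rejected as too long, -1 at end of input. */
int log_command(struct conn *c, char *msgbuf, size_t bufsz)
{
    char cmd[MAXCMDLEN];
    int n = bounded_gets(cmd, sizeof cmd, c);
    if (n == -2) {
        safe_log_format(msgbuf, bufsz, "rejected command longer than %u bytes",
                        (unsigned)(MAXCMDLEN - 1));
        return 0;
    }
    if (n < 0)
        return -1;
    safe_log_format(msgbuf, bufsz, "client sent: %s", cmd);
    return 1;
}

int main(void)
{
    /* Constructed input: a normal command, an over-long one, then QUIT. */
    static const char input[] =
        "USER bob\r\nPASS aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\nQUIT\r\n";
    struct conn c = { input, sizeof input - 1, 0 };
    char msg[LOGBUF_SIZE];
    int r;
    while ((r = log_command(&c, msg, sizeof msg)) >= 0)
        printf("%d: %s\n", r, msg);
    return 0;
}
```

The point of draining the rest of an over-long line in bounded_gets() is the one a reader of tgets() is most likely to miss: if the reader simply stops at the limit, the bytes left behind are parsed as the next command, so an attacker can split a line to smuggle a command past whatever check rejected the first part. With the input bound in place, the vsnprintf() in safe_log_format() becomes a second line of defence rather than the only one, which is what makes the fix portable to systems that lack it.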


