Re: serious Qpopper 3.0 vulnerability

[ehl () FUNGHI COM (Elgin Lee)]

I believe that the sample quick fix has a bug/typo.  The intent (I think) is
to use snprintf() and vsnprintf(), but the patch changes the sprintf's
to snprintf calling conventions (length bound as second argument) while
keeping the name as sprintf.  That presumably has awful results as
sprintf treats MAXLINELEN - 100 as a format string.

By the way, Nessus 0.91.1 identifies the vulnerability.  I ran into
this problem late last Friday and alerted the qpopper maintainers.

--Elgin

On Tue, Nov 30, 1999 at 01:53:11AM +0100, Mixter wrote:
> # apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
> --- pop_msg.c.old     Mon Nov 29 23:42:03 1999
> +++ pop_msg.c Mon Nov 29 23:52:08 1999
> @@ -65,7 +65,7 @@
>      /*  Append the message (formatted, if necessary) */
>      if (format) {
>  #ifdef HAVE_VPRINTF
> -        vsprintf(mp,format,ap);
> +        vsnprintf(mp,MAXLINELEN - 100, format,ap);
>  #else
>  # ifdef PYRAMID
>       arg1 = va_arg(ap, char *);
> @@ -74,9 +74,9 @@
>       arg4 = va_arg(ap, char *);
>       arg5 = va_arg(ap, char *);
>       arg6 = va_arg(ap, char *);
> -        (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
> +        (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);
>  # else
> -        (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
> +        (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
>                     ((int *)ap)[3],((int *)ap)[4]);
>  # endif
>  #endif