Bugtraq mailing list archives
Re: serious Qpopper 3.0 vulnerability
From: ehl () FUNGHI COM (Elgin Lee)
Date: Tue, 30 Nov 1999 12:28:15 -0800
I believe that the sample quick fix has a bug/typo. The intent (I think) is to use snprintf() and vsnprintf(), but the patch changes the sprintf's to snprintf calling conventions (length bound as second argument) while keeping the name as sprintf. That presumably has awful results as sprintf treats MAXLINELEN - 100 as a format string.

By the way, Nessus 0.91.1 identifies the vulnerability. I ran into this problem late last Friday and alerted the qpopper maintainers.

--Elgin

On Tue, Nov 30, 1999 at 01:53:11AM +0100, Mixter wrote:
# apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch --- pop_msg.c.old Mon Nov 29 23:42:03 1999 +++ pop_msg.c Mon Nov 29 23:52:08 1999 @@ -65,7 +65,7 @@ /* Append the message (formatted, if necessary) */ if (format) { #ifdef HAVE_VPRINTF - vsprintf(mp,format,ap); + vsnprintf(mp,MAXLINELEN - 100, format,ap); #else # ifdef PYRAMID arg1 = va_arg(ap, char *); @@ -74,9 +74,9 @@ arg4 = va_arg(ap, char *); arg5 = va_arg(ap, char *); arg6 = va_arg(ap, char *); - (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); + (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6); # else - (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], + (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], ((int *)ap)[3],((int *)ap)[4]); # endif #endif
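Review bot: in the first hunk (`@@ -65,7 +65,7 @@`), the `#ifdef HAVE_VPRINTF` guard that now wraps `vsnprintf(mp,MAXLINELEN - 100, format,ap)` only establishes that vprintf-style functions exist, not that vsnprintf does, so on a libc without vsnprintf this branch will fail to link; guard the call with a separate vsnprintf check or provide a bounded fallback. The bound `MAXLINELEN - 100` is also a constant rather than the space actually remaining after `mp`, and the hunk context does not show how `mp` is positioned in the buffer; confirm the constant matches that offset, and decide how the caller should handle a silently truncated message.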
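Review bot: in the second hunk (`@@ -74,9 +74,9 @@`), both `#else` branches were given snprintf's argument order but still call `sprintf`, so `MAXLINELEN - 100` is passed where `sprintf` expects its `format` parameter and the real `format` is consumed as the first conversion argument; that is undefined behaviour, not a bounded write, and a compiler will at best warn about it. Both calls should read `(void)snprintf(mp, MAXLINELEN - 100, format, ...)` with the same argument lists that follow, and the same vsnprintf/snprintf availability check raised for the first hunk applies here.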
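The corrected shape of the fix discussed in this thread, as an added example that is not part of the message or of qpopper's own code: a POP3 reply builder that bounds every write by the room left after the prefix, reports truncation instead of hiding it, and treats the pre-C99 `-1` return from vsnprintf as truncation too. `LINE_LEN` and `build_reply` are assumed names standing in for MAXLINELEN and pop_msg.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for qpopper's MAXLINELEN; the value is an assumption for this example. */
#define LINE_LEN 128

/*
 * Build a POP3 reply line "<status> <message>\r\n" into `out` (size `outsize`).
 * The bound handed to vsnprintf is `outsize - used`, the space remaining from
 * the write position, not a constant computed against the whole buffer.
 * Returns 0 on success or -1 if the reply would not fit; `out` is always
 * NUL-terminated on return.
 */
int build_reply(char *out, size_t outsize, const char *status, const char *fmt, ...)
{
    if (outsize == 0) return -1;
    int n = snprintf(out, outsize, "%s ", status);
    if (n < 0 || (size_t)n >= outsize) return -1;   /* prefix alone did not fit */
    size_t used = (size_t)n;

    va_list ap;
    va_start(ap, fmt);
    n = vsnprintf(out + used, outsize - used, fmt, ap);
    va_end(ap);
    /* Pre-C99 libcs returned -1 on truncation; C99 returns the needed length. */
    if (n < 0 || (size_t)n >= outsize - used) return -1;
    used += (size_t)n;

    if (outsize - used < 3) return -1;              /* "\r\n" plus NUL must fit */
    memcpy(out + used, "\r\n", 3);
    return 0;
}

/* Returns 1 when a short reply formats exactly as expected. */
int demo_fits(void)
{
    char buf[LINE_LEN];
    return build_reply(buf, sizeof buf, "+OK", "%d messages (%d octets)", 2, 340) == 0
        && strcmp(buf, "+OK 2 messages (340 octets)\r\n") == 0;
}

/* Returns 1 when an over-long (constructed) argument is refused and the buffer stays bounded. */
int demo_truncated(void)
{
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char buf[LINE_LEN];
    return build_reply(buf, sizeof buf, "-ERR", "no such message: %s", big) == -1
        && strlen(buf) < sizeof buf;
}
```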