Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]

[trott () LIBRARY UCSF EDU (Richard Trott)]

Where these buffer overflows and "other uses of '%s'" that were
repaired only in qpopper 3.x?  Are those of us running 2.53 not affected?
Or do we need to upgrade?

Rich

On Wed, 1 Dec 1999, Qpopper Support wrote:

> All reported buffer overruns are fixed in qpopper3.0b22, which is
> available at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>.
>
> In addition, other users of '%s' were examined and limited applied to
> some which could theoretically cause a crash.
>
> >  Message-ID:  <Pine.LNX.4.10.9911301500310.26891-200000 () terra nebula org>
> >  Date:         Tue, 30 Nov 1999 15:25:25 -0500
> >  Reply-To: Lucid Solutions <lucid () TERRA NEBULA ORG>
> >  Sender: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM>
> >  From: Lucid Solutions <lucid () TERRA NEBULA ORG>
> >  Subject:      qpop3.0b20 and below - notes and exploit
> >
> >     I found this overflow myself earlier this month.  Seems someone
> >  else recently found it before Qualcomm was able to issue a patch. The 2.x
> >  series is not vunlnerable because AUTH is not yet supported and the error
> >  returned by attempting to use AUTH does not call pop_msg() with any user
> >  input.
> >
> >     There is also another overflow besides the AUTH overflow which can
> >  occur if a valid username and password are first entered also occuring in
> >  pop_msg().
> >  pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
> >      pop_msg(p,POP_FAILURE,
> >              "Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);