Full Disclosure mailing list archives
RE: Sylpheed-claws format string bug, yet still sylpheed much better than windows
From: allan.vanleeuwen () orangemail nl
Date: Wed, 22 Oct 2003 17:16:29 +0200
Hmm ... I think I missed the part where you explain your subject line ? -----Original Message----- From: Georgi Guninski [mailto:guninski () guninski com] Sent: woensdag 22 oktober 2003 16:50 To: full-disclosure () lists netsys com Subject: [Full-disclosure] Sylpheed-claws format string bug, yet still sylpheed much better than windows Georgi Guninski security advisory #61, 2003 Sylpheed-claws format string bug, yet still sylpheed much better than windows Systems affected: Sylpheed-claws 0.9.6 - 0.9.4 Fixed in CVS Risk: Medium Date: 22 October 2003 Legal Notice: This Advisory is Copyright (c) 2003 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/sylph.html Anything in this document may change without notice. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: There is an exploitable format string in sylpheed claws which may be exploited by malicous SMTP server. Details: The problem seems in: send_message.c alertpanel_error_log(err_msg); The format string is missing. How to reproduce: Create a test account with smtp server localhost:1234 Then do: perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234 Then send a message. Actual result - sylpheed crashes. Vendor status: Notified on Fri, 3 Oct 2003 It was fixed in CVS on the same day. Fix: http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send _message.c?r1=1.18&r2=1.19&diff_format=u =================================================================== RCS file: /cvsroot/sylpheed-claws/sylpheed-claws/src/send_message.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- sylpheed-claws/sylpheed-claws/src/send_message.c 2003/09/27 21:01:26 1.18 +++ sylpheed-claws/sylpheed-claws/src/send_message.c 2003/10/03 17:39:39 1.19 @@ -608,7 +608,7 @@ if (log_msg) log_warning("%s\n", log_msg); if (err_msg) { - alertpanel_error_log(err_msg); + alertpanel_error_log("%s", err_msg); g_free(err_msg); } } Regards, Georgi Guninski http://www.guninski.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html =========================================================== De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft genomen om virussen in deze email of attachments te voorkomen, dient u ook zelf na te gaan of virussen aanwezig zijn aangezien Orange niet aansprakelijk is voor computervirussen die veroorzaakt zijn door deze email.. The information contained in this message may be confidential and is intended to be only for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. Although Orange has taken steps to ensure that this email and attachments are free from any virus, you do need to verify the possibility of their existence as Orange can take no responsibility for any computer virus which might be transferred by way of this email. =========================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Sylpheed-claws format string bug, yet still sylpheed much better than windows allan . vanleeuwen (Oct 22)