Re: KSR[T] Advisory #7: filter

hurtta+zz@ozone.FMI.FI
Tue, 24 Feb 1998 09:14:08 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Guido van Rooij: "Re: FreeBSD getpass "feature""
Previous message: Andrea Arcangeli: "disable_dma() locks my motherboard... another hw bug!"

KSR[T]:
> Affected Program: filter ( part of the elm-2.4 package )
<...>
> Notes: This was not a full audit on the elm2.4 package, or
> filter for that matter. At a glance, there appear
> to be numerous security problems.
>
> The filter included in elm-2.4ME+37 also appears to
> be vulnerable to the "save_embedded_address()" attack,
> but not to the "get_filter_rules()" attack.
>
> Filter will not be a part of elm 2.5, and is
> not supported in any way at this time. It is the
> Elm group's recommendation that filter not be used.
>
> Patch/Fix:
>
> -*- Begin elm 2.4 filter patch -*-
>
> diff -u filter/filter.c filter.new/filter.c
> --- filter/filter.c Tue Feb 4 09:13:02 1997
> +++ filter.new/filter.c Tue Feb 4 09:17:38 1997
> @@ -429,7 +429,7 @@
> **/
>
> static int processed_a_reply_to = 0;
> - char address[LONG_STRING];
> + char address[MAX_LINE_LEN + 1];
> register int i, j = 0;

Enlarging of address does causes just that then there is overflow in

strcpy(from,address);

(
char to[VERY_LONG_STRING],
from[LONG_STRING],
subject[LONG_STRING], /* from current message */
sender[LONG_STRING]; /* from current message */
)

Better fix loop in save_embedded_address (*).
(This overflow is not necessary exploitable.)

(in ME+ that strcpy is strfcpy(from,address,sizeof from) and therefore
bound checked.)

/ Kari Hurtta

(*) Look ME+ PL39 patch (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz,
ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)

Next message: Guido van Rooij: "Re: FreeBSD getpass "feature""
Previous message: Andrea Arcangeli: "disable_dma() locks my motherboard... another hw bug!"