From owner-freebsd-ports Fri Apr 21 7: 1:25 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id C511937B8BE for ; Fri, 21 Apr 2000 07:01:20 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id RAA79462; Fri, 21 Apr 2000 17:57:32 +0400 (MSD)
Date: Fri, 21 Apr 2000 17:57:35 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.41)
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <3748.000421@SECURITY.NNOV.RU>
To: sendmail-bugs@sendmail.org, ports@FreeBSD.org
Subject: unsafe fgets() using in mail.local
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Topic: unsafe use of fgets() in mail.local

Software affected: mail.local from the FreeBSD and sendmail distributions.

Description: a malicious user can corrupt another user's mailbox, causing that user to lose an e-mail message.

Background: On Unix systems, e-mail delivered to a user is usually stored in his mailbox, which has a predefined format (the so-called "Unix mailbox" or "Berkeley mailbox", mbox). This mailbox holds the messages in plain text, each one separated from the next by an empty line ("\n") followed by a specially formed "From " line. The pattern that marks the start of the next message in the mailbox is therefore "\n\nFrom ". When a local delivery program (e.g. mail.local) delivers a message into the user's mailbox, it checks the message for this pattern: a line beginning with "From " is commented out with a leading '>', and an additional '\n' is appended to the end of the message if necessary, so that the message is always followed by an empty line. This preserves mailbox integrity and protects against e-mail spoofing (a message body that fakes the start of a new message).

Problem description: When parsing incoming e-mail, mail.local uses fgets() with a buffer size of 2048.
If the last line of the message is exactly 2048 bytes long (2047 characters plus the terminating newline, since fgets() reads at most one byte less than the buffer size), fgets() will return it as two strings, and the second one will be just "\n". In this case mail.local will not add a '\n' character to the end of the e-mail, and the next message in the Unix (Berkeley) mailbox, if there is one, will be "glued" to this one. By specially crafting an e-mail message, an attacker can cause the user to lose the one message that arrives after the attacker's.

http://www.security.nnov.ru

3APA3A

You know my name - look up my number (The Beatles)
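The failure mode described above, as an added example that is not code from the original advisory, from mail.local or from sendmail: a small C model of an mbox delivery loop built on fgets() with a 2048-byte buffer. deliver(body, 0) models the flaw as the advisory describes it, deciding that the body "already ends in a blank line" from the first byte of whatever fgets() returned, so a 2047-character last line whose newline comes back as a separate "\n" suppresses the blank-line separator. deliver(body, 1) instead remembers whether the previous fgets() result ended in '\n', so a line split across two calls can never be mistaken for an empty one. The function names, the LINELEN constant, the crafted_body() attacker input and the fixed branch are all assumptions of this example, not mail.local's real source.

```c
/*
 * Added example, not mail.local's or sendmail's code: a model of an mbox
 * delivery loop that reads with fgets() into a 2048-byte buffer, in a flawed
 * form (fixed == 0) and a corrected form (fixed == 1).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINELEN 2048            /* buffer size the advisory cites for mail.local */

struct sink { char *buf; size_t len, cap; };   /* growable output buffer */

static void sink_put(struct sink *s, const char *p, size_t n)
{
    if (s->len + n + 1 > s->cap) {
        s->cap = (s->len + n + 1) * 2;
        s->buf = realloc(s->buf, s->cap);
        if (s->buf == NULL) { perror("realloc"); exit(1); }
    }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    s->buf[s->len] = '\0';
}

/* Expose the body as a FILE* so fgets() behaves exactly as it does on a pipe. */
static FILE *body_as_stream(const char *body)
{
    FILE *f = tmpfile();
    if (f == NULL) { perror("tmpfile"); exit(1); }
    fputs(body, f);
    rewind(f);
    return f;
}

/* Append one message body to a mailbox image; returns a malloc'd string. */
static char *deliver(const char *body, int fixed)
{
    struct sink out = { NULL, 0, 0 };
    char line[LINELEN];
    FILE *in = body_as_stream(body);
    int eline = 1;   /* flawed model: "the last fgets() result was an empty line" */
    int bol = 1;     /* fixed model: the next fgets() result starts a new line */
    int blank = 1;   /* fixed model: the last complete line was empty */

    while (fgets(line, sizeof line, in) != NULL) {
        size_t n = strlen(line);            /* n >= 1 whenever fgets() succeeds */
        int ends_nl = line[n - 1] == '\n';

        if (!fixed) {
            if (line[0] == '\n') {
                eline = 1;                  /* wrong when this "\n" is the tail of a long line */
            } else {
                if (eline && strncmp(line, "From ", 5) == 0)
                    sink_put(&out, ">", 1); /* quote a "From " that follows a blank line */
                eline = 0;
            }
        } else {
            if (bol && blank && strncmp(line, "From ", 5) == 0)
                sink_put(&out, ">", 1);
            if (ends_nl)
                blank = bol && n == 1;      /* empty only if the whole line was "\n" */
            bol = ends_nl;
        }
        sink_put(&out, line, n);
    }
    fclose(in);

    if (!fixed) {
        if (out.len > 0 && out.buf[out.len - 1] != '\n')
            sink_put(&out, "\n", 1);        /* terminate an unterminated last line */
        if (!eline)
            sink_put(&out, "\n", 1);        /* separator, skipped if body "ended blank" */
    } else {
        if (!bol) { sink_put(&out, "\n", 1); blank = 0; }
        if (!blank)
            sink_put(&out, "\n", 1);        /* guarantee the "\n\n" before the next "From " */
    }
    if (out.buf == NULL)
        sink_put(&out, "", 0);
    return out.buf;
}

/* Constructed attacker body: a single last line of LINELEN-1 characters plus '\n'. */
static char *crafted_body(void)
{
    char *b = malloc(LINELEN + 1);
    if (b == NULL) { perror("malloc"); exit(1); }
    memset(b, 'A', LINELEN - 1);
    b[LINELEN - 1] = '\n';
    b[LINELEN] = '\0';
    return b;
}

/* The mbox invariant the next "From " line depends on. */
static int ends_with_blank_line(const char *mbox)
{
    size_t n = strlen(mbox);
    return n >= 2 && mbox[n - 1] == '\n' && mbox[n - 2] == '\n';
}

int main(void)
{
    char *body = crafted_body(), *bad = deliver(body, 0), *good = deliver(body, 1);
    printf("flawed loop: %zu bytes, ends with blank line: %s\n", strlen(bad),
           ends_with_blank_line(bad) ? "yes" : "no");
    printf("fixed loop:  %zu bytes, ends with blank line: %s\n", strlen(good),
           ends_with_blank_line(good) ? "yes" : "no");
    free(body); free(bad); free(good);
    return 0;
}
```

Run it and the flawed loop writes the crafted body with only its own newline, so whatever is appended next lands directly after a non-blank line and a reader looking for "\n\nFrom " never sees a boundary; the fixed loop writes one extra "\n". On ordinary input (short lines, a missing final newline, a "From " after a blank line) both loops produce identical output, which is why the bug is easy to miss in normal testing: only a line whose length including the newline equals the buffer size splits the way the advisory describes.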