Date: Wed, 24 May 2000 16:52:01 -0500 (CDT)
From: Jeremy Shaffner <jer@jorsm.com>
To: Dmitry Valdov <dv@dv.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
Message-ID: <Pine.BSF.4.21.0005241649220.7700-100000@mercury.jorsm.com>
In-Reply-To: <Pine.BSF.3.95q.1000525014416.3965E-100000@xkis.kis.ru>
I don't see that happening here:
uidl 2
+OK 2 AAAAAAAAAAAAAA
euidl 2
+OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com
Without the patch you get the behavior described in the advisory:
+OK 2 AAAAAAAAAAAAAA 470
0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x
80570280x5@foo.domain.com
-Jeremy
On Thu, 25 May 2000, Dmitry Valdov wrote:
> Hi!
>
> This patch doesn't work. popper is exiting with sig11 when a user sends a UIDL xxx
> command.
>
> Dmitry.
>
>
> > Or you can manually patch it by doing the following:
> >
> > At lines 152 and 62 of pop_uidl.c, replace:
> > - return (pop_msg (p,POP_SUCCESS, buffer));
> > with:
> > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> >
> >
> > Here is the resulting patch:
> >
> >
> > ---------8<--------
> >
> > --- pop_uidl.c.orig Wed May 24 15:58:53 2000
> > +++ pop_uidl.c Wed May 24 16:21:56 2000
> > @@ -59,7 +59,7 @@
> >
> > sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > if (nl = index(buffer, NEWLINE)) *nl = 0;
> > - return (pop_msg (p,POP_SUCCESS, buffer));
> > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > }
> > } else {
> > /* yes, we can do this */
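Review bot: The context line `sprintf(buffer, "%d %s", msg_id, mp->uidl_str);` directly above the changed call is still an unbounded write into buffer. The "%s" argument stops the reply text from being parsed as a format, but nothing in this hunk limits how much of uidl_str is copied. Suggest a bounded snprintf(buffer, sizeof(buffer), ...) if buffer is an array in this scope, and writing the test as `if ((nl = index(buffer, NEWLINE)) != NULL)` so the assignment reads as intended.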
> > @@ -149,7 +149,7 @@
> > sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > if (nl = index(buffer, NEWLINE)) *nl = 0;
> > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,
> > mp));
> > - return (pop_msg (p,POP_SUCCESS, buffer));
> > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > }
> > } else {
> > /* yes, we can do this */
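Review bot: The context line `sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));` passes buffer as both the destination and a %s source. Copying between overlapping objects in sprintf is undefined behaviour in C, and this change leaves it in place. Suggest appending instead, writing " %d %.128s" at buffer + strlen(buffer) with a bounded snprintf. The from_hdr() value is capped at 128 characters by the format, but the total written to buffer is not.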
> >
> > ------->8----------
> >
---
Jeremy Shaffner
System Administrator
JORSM Internet
jer@jorsm.com
http://www.jorsm.com/~jer/pgp.key
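
Added example, not part of the original message and not qpopper code: a C sketch of the reply path discussed in this thread, showing the patched "%s" call with a bounded, non-overlapping buffer build. `send_reply` and `euidl_reply` are hypothetical stand-ins for the project's functions, and the input is constructed from the session shown above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the reply function (not qpopper's pop_msg).
   The format attribute lets GCC/Clang check callers: with -Wformat-security,
   a non-literal format with no arguments is flagged at compile time. */
__attribute__((format(printf, 3, 4)))
static int send_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);  /* bounded, NUL-terminated */
    va_end(ap);
    return n;
}

/* Builds "<id> <uidl> <length> <from>" and sends it as data. */
static int euidl_reply(char *out, size_t outlen, int msg_id,
                       const char *uidl, int length, const char *from)
{
    char buffer[512];
    size_t used;

    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl);
    buffer[strcspn(buffer, "\n")] = '\0';  /* cut at the UIDL's newline */
    used = strlen(buffer);
    /* Append at the end instead of passing buffer as its own source. */
    snprintf(buffer + used, sizeof buffer - used, " %d %.128s", length, from);
#ifdef SHOW_UNPATCHED
    /* Pre-patch shape: message text is parsed as the format string.
       Build with -DSHOW_UNPATCHED -Wformat-security to see the warning. */
    return send_reply(out, outlen, buffer);
#else
    return send_reply(out, outlen, "%s", buffer);  /* patched shape */
#endif
}

int main(void)
{
    char out[600];
    /* Constructed input mirroring the From header in the session above. */
    euidl_reply(out, sizeof out, 2, "AAAAAAAAAAAAAA\n", 481,
                "%p%p%p%p%p%p%p%p@foo.domain.com");
    printf("+OK %s\n", out);
    return 0;
}
```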
