From owner-freebsd-security  Wed May 24 14:52:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9])
	by hub.freebsd.org (Postfix) with ESMTP id B2A7C37B6F8
	for <freebsd-security@FreeBSD.ORG>; Wed, 24 May 2000 14:52:03 -0700 (PDT)
	(envelope-from jer@jorsm.com)
Received: by mercury.jorsm.com (Postfix, from userid 1850)
	id 0B216E4A1B; Wed, 24 May 2000 16:52:02 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
	by mercury.jorsm.com (Postfix) with ESMTP
	id 00CECE0C01; Wed, 24 May 2000 16:52:01 -0500 (CDT)
Date: Wed, 24 May 2000 16:52:01 -0500 (CDT)
From: Jeremy Shaffner <jer@jorsm.com>
To: Dmitry Valdov <dv@dv.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
In-Reply-To: <Pine.BSF.3.95q.1000525014416.3965E-100000@xkis.kis.ru>
Message-ID: <Pine.BSF.4.21.0005241649220.7700-100000@mercury.jorsm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


I don't see that happening here:

uidl 2
+OK 2 AAAAAAAAAAAAAA
euidl 2
+OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com

Without the patch you get the behavior described in the advisory:

+OK 2 AAAAAAAAAAAAAA 470
0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x
80570280x5@foo.domain.com


-Jeremy

On Thu, 25 May 2000, Dmitry Valdov wrote:

> Hi!
> 
> This patch doesn't work. popper exiting with sig11 when user send UIDL xxx
> command.
> 
> Dmitry.
> 
> 
> > 	Or you can manually patch it by doing the following: 
> > 
> > 	  At lines 152 and 62 from pop_uidl.c, replace:
> > 	- return (pop_msg (p,POP_SUCCESS, buffer));
> > 	  to:
> > 	+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > 
> > 
> > Here is the resulting patch:
> > 
> > 
> > ---------8<--------
> > 
> > --- pop_uidl.c.orig     Wed May 24 15:58:53 2000
> > +++ pop_uidl.c  Wed May 24 16:21:56 2000
> > @@ -59,7 +59,7 @@
> >  
> >         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> >          if (nl = index(buffer, NEWLINE)) *nl = 0;
> > -       return (pop_msg (p,POP_SUCCESS, buffer));
> > +       return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> >        }
> >      } else {
> >         /* yes, we can do this */
> > @@ -149,7 +149,7 @@
> >         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> >          if (nl = index(buffer, NEWLINE)) *nl = 0;
> >         sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,
> > mp));
> > -       return (pop_msg (p,POP_SUCCESS, buffer));
> > +       return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> >        }
> >      } else {
> >         /* yes, we can do this */
> > 
> > ------->8---------- 
> > 


---
Jeremy Shaffner
System Administrator
JORSM Internet
jer@jorsm.com
http://www.jorsm.com/~jer/pgp.key



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message