From owner-freebsd-security Wed May 24 15: 0:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200]) by hub.freebsd.org (Postfix) with ESMTP id C55E937B6CD for ; Wed, 24 May 2000 15:00:43 -0700 (PDT) (envelope-from dv@dv.ru)
Received: from localhost (dv@localhost) by xkis.kis.ru (8.9.3/8.9.3) with SMTP id CAA05264; Thu, 25 May 2000 02:00:36 +0400 (MSD)
Date: Thu, 25 May 2000 02:00:34 +0400 (MSD)
From: Dmitry Valdov
X-Sender: dv@xkis.kis.ru
To: Jeremy Shaffner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

Oops, sorry. My fault. I've inserted "%s" before POP_SUCCESS, not before "buffer".

Sorry again.

Dmitry.

On Wed, 24 May 2000, Jeremy Shaffner wrote:

> Date: Wed, 24 May 2000 16:52:01 -0500 (CDT)
> From: Jeremy Shaffner
> To: Dmitry Valdov
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: QPOPPER: Remote gid mail exploit
>
>
> I don't see that happening here:
>
> uidl 2
> +OK 2 AAAAAAAAAAAAAA
> euidl 2
> +OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com
>
> Without the patch you get the behavior described in the advisory:
>
> +OK 2 AAAAAAAAAAAAAA 470
> 0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x
> 80570280x5@foo.domain.com
>
>
> -Jeremy
>
> On Thu, 25 May 2000, Dmitry Valdov wrote:
>
> > Hi!
> >
> > This patch doesn't work. popper exits with sig11 when a user sends the UIDL xxx
> > command.
> >
> > Dmitry.
> >
> >
> > > Or you can manually patch it by doing the following:
> > >
> > > At lines 152 and 62 from pop_uidl.c, replace:
> > > - return (pop_msg (p,POP_SUCCESS, buffer));
> > > to:
> > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > >
> > >
> > > Here is the resulting patch:
> > >
> > >
> > > ---------8<--------
> > >
> > > --- pop_uidl.c.orig Wed May 24 15:58:53 2000
> > > +++ pop_uidl.c Wed May 24 16:21:56 2000
> > > @@ -59,7 +59,7 @@
> > >
> > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > > if (nl = index(buffer, NEWLINE)) *nl = 0;
> > > - return (pop_msg (p,POP_SUCCESS, buffer));
> > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > > }
> > > } else {
> > > /* yes, we can do this */
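Review bot: the "%s" change in this hunk is the right fix for the format-string problem, but the sprintf(buffer, "%d %s", msg_id, mp->uidl_str) two lines above it still copies mp->uidl_str into buffer with no length limit, so an over-long UIDL string remains an overflow on the same path; suggest snprintf(buffer, sizeof(buffer), "%d %s", msg_id, mp->uidl_str) or a precision on the %s, as the second hunk already does with %.128s for from_hdr(). Minor: `if (nl = index(buffer, NEWLINE))` is an assignment in a condition; `if ((nl = index(buffer, NEWLINE)) != NULL)` says what is meant and keeps the compiler quiet.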
> > > @@ -149,7 +149,7 @@
> > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
> > > if (nl = index(buffer, NEWLINE)) *nl = 0;
> > > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,
> > > mp));
> > > - return (pop_msg (p,POP_SUCCESS, buffer));
> > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer));
> > > }
> > > } else {
> > > /* yes, we can do this */
> > >
> > > ------->8----------
> > >
> >
> ---
> Jeremy Shaffner
> System Administrator
> JORSM Internet
> jer@jorsm.com
> http://www.jorsm.com/~jer/pgp.key
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
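Review bot: the context line sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp)) in this hunk uses buffer both as the destination and as the source of its first %s; copying between overlapping objects in sprintf() is undefined behaviour in C, and the patch leaves it in place. Suggest appending to the existing contents instead, e.g. snprintf(buffer + strlen(buffer), sizeof(buffer) - strlen(buffer), " %d %.128s", mp->length, from_hdr(p, mp)). The "%s" change itself is correct here as well: the from_hdr() text that ends up in buffer is exactly what the %p probe in the advisory fed to pop_msg()'s format parameter via EUIDL.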
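For readers following the patch, the example below is added here; it is not qpopper's code and is not from this thread. It models the call shape the two hunks change (a reply routine taking a printf-style format, handed a buffer of mailbox data) so the difference between pop_msg(p, POP_SUCCESS, buffer) and pop_msg(p, POP_SUCCESS, "%s", buffer) can be run locally. It assumes pop_msg() takes (POP *p, int stat, const char *format, ...) and that POP_SUCCESS is 1; pop_msg_model(), uidl_reply_before(), uidl_reply_after() and reply_matches() are names introduced for this example, and the stand-in writes the reply line into a caller's buffer instead of the client socket.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example; not qpopper's code. It models the call pattern the
 * pop_uidl.c patch corrects: a reply helper with a printf-style format
 * parameter that was handed a buffer full of mailbox data.
 * Assumptions: qpopper's pop_msg() takes (POP *p, int stat, const char
 * *format, ...) and POP_SUCCESS is 1. The stand-in drops the POP * and
 * writes the reply line into an output buffer rather than to the client.
 */

#define POP_SUCCESS 1
#define POP_FAILURE 0

/* Stand-in for pop_msg(): writes "+OK "/"-ERR " and then the formatted text. */
static int pop_msg_model(char *out, size_t outsz, int stat, const char *format, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%s", stat == POP_SUCCESS ? "+OK " : "-ERR ");

    if (n < 0 || (size_t)n >= outsz)
        return stat;
    va_start(ap, format);
    vsnprintf(out + n, outsz - (size_t)n, format, ap);
    va_end(ap);
    return stat;
}

/* Before the patch: buffer, which carries uidl_str, is used as the format. */
int uidl_reply_before(char *out, size_t outsz, int msg_id, const char *uidl_str)
{
    char buffer[256];

    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl_str);
    return pop_msg_model(out, outsz, POP_SUCCESS, buffer);      /* format == data */
}

/* After the patch: the format is the constant "%s"; buffer is an argument. */
int uidl_reply_after(char *out, size_t outsz, int msg_id, const char *uidl_str)
{
    char buffer[256];

    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl_str);
    return pop_msg_model(out, outsz, POP_SUCCESS, "%s", buffer);
}

/* Runs one path into a local buffer and reports whether the reply line equals
   `expected`. A "%%" in the UIDL is the one conversion that consumes no
   argument, so it shows the difference without undefined behaviour: the
   unpatched path collapses it to a single "%", the patched path echoes it. */
int reply_matches(int patched, int msg_id, const char *uidl_str, const char *expected)
{
    char out[512];

    if (patched)
        uidl_reply_after(out, sizeof out, msg_id, uidl_str);
    else
        uidl_reply_before(out, sizeof out, msg_id, uidl_str);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[512];
    /* Constructed UIDL carrying the probe from the advisory. Through the
       unpatched path the %p conversions have no arguments (undefined
       behaviour); in practice they print words from the stack, which is
       what the EUIDL reply quoted in the thread shows. */
    const char *probe = "AAAAAAAAAAAAAA %p%p%p%p@foo.domain.com";

    uidl_reply_after(out, sizeof out, 2, probe);
    printf("patched:   %s\n", out);
    uidl_reply_before(out, sizeof out, 2, probe);
    printf("unpatched: %s\n", out);
    return 0;
}
```

reply_matches() deliberately uses "%%" rather than "%p": it is the only conversion that takes no argument, so the unpatched path can be exercised and compared without relying on whatever happens to be on the stack. Note that neither the stand-in nor the real pop_msg() carries a printf format attribute, so a compiler will not warn about the non-literal format in uidl_reply_before() unless one is added.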