From owner-freebsd-security Sat Jun 27 12:04:45 1998
Message-ID: <35954222.F20D2144@infowest.com>
Date: Sat, 27 Jun 1998 13:04:02 -0600
From: "Aaron D. Gifford" <agifford@infowest.com>
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.6-STABLE i386)
To: security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
References: <35951273.6488@kharkiv.net> <19980627133614.42227@mcs.net>

> On Sat, Jun 27, 1998 at 06:40:35PM +0300, Vadim V. Chepkov wrote:
> > Jordan K. Hubbard wrote:
> > >
> > > I've already committed a slightly more intelligent fix to this
> > > problem. Thanks!
> >
> > But it doesn't work

Does the patch to pop_msg.c take into account that a "(void)strcat(message, "\r\n");" call appears later on and adds 2 more chars to the message buffer? I haven't seen JKH's patch yet, but I noticed that some of the patches posted to BUGTRAQ miss this. The result is that the perl trick still crashes popper, but the crash occurs on the strcat() call and not where the old vsprintf() call was.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
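The boundary the reply points at, as an added example that is not qpopper's code or JKH's patch: a hardened pop_msg-style formatter that reserves two bytes for the trailing "\r\n" before formatting, so the later strcat() can never push the message past the end of the buffer. The buffer size MSG_BUF and the helper try_len are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 64   /* hypothetical buffer size for this example, not qpopper's */

/* Format fmt into buf, then append "\r\n" (example code, not pop_msg.c).
 * Room for the CRLF and the NUL is reserved BEFORE formatting; a fix that
 * only bounds the vsprintf/vsnprintf call still overflows by 2 at strcat().
 * Returns 0 on success, -1 if the message would not fit. */
int format_pop_msg(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (bufsz < 3)                 /* need at least "\r\n" plus the NUL */
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz - 2, fmt, ap);   /* keep 2 bytes for "\r\n" */
    va_end(ap);

    if (n < 0 || (size_t)n >= bufsz - 2) {
        buf[0] = '\0';             /* would be truncated: refuse, do not send */
        return -1;
    }

    /* strlen(buf) <= bufsz - 3 here, so the 2 chars plus NUL always fit */
    (void)strcat(buf, "\r\n");
    return 0;
}

/* Assumed helper: try a message of textlen 'A's in a MSG_BUF-byte buffer.
 * Returns the formatter's result, or -2 if the CRLF did not land correctly. */
int try_len(size_t textlen)
{
    char text[MSG_BUF + 8];
    char buf[MSG_BUF];
    int rc;

    if (textlen >= sizeof text)
        return -2;
    memset(text, 'A', textlen);
    text[textlen] = '\0';
    rc = format_pop_msg(buf, sizeof buf, "%s", text);
    if (rc == 0 && (strlen(buf) != textlen + 2 ||
                    strcmp(buf + textlen, "\r\n") != 0))
        return -2;
    return rc;
}
```

With a 64-byte buffer, 61 characters of text is the last length that fits; a bound that ignored the appended CRLF would also accept 62 and 63 and overflow at strcat().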