From owner-freebsd-security Sat Jun 27 17:51:17 1998
From: Igor Roshchin
Message-Id: <199806280051.TAA04771@alecto.physics.uiuc.edu>
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT (fwd)
To: freebsd-security@FreeBSD.ORG
Date: Sat, 27 Jun 1998 19:51:08 -0500 (CDT)

----- Forwarded message from Igor Roshchin -----

> > > There seems to be yet another similar buffer overflow
> > > in pop_log.c
> >
> > Fixed. Please cvsup the latest ports collection and make sure
> > that ports/mail/popper is updated - all the new patches are in
> > ports/mail/popper/patches/patch-ag.
> >
> > - Jordan
> >
>
> Jordan,
>
> I've just downloaded "popper" directory from
> ftp://ftp.freebsd.org/.25/FreeBSD/FreeBSD-current/ports/mail
> It is still missing patch for the "UIDL" problem
> (pop_dropcopy.c)
>
> Several people had suggestions looking like:
> if (strlen(cp) >= 128) cp[127] = 0;
>
> before the line 497 as it appears in that file after patch-ad is applied.
> (originally, I believe, before 459 )
>
> Maybe I am missing something, but I don't think that patch-ad, which is
> so far the only patch related to pop_dropcopy.c, addressed this problem
>
> Regards,
>
> IgoR
>

Some more on this issue:
I've updated popper from 2.4b2.
With the patches applied, popper 2.41beta1 (on a 2.2.5-RELEASE)
dumps core just on any connection.
Am I missing something?

alecto: [19:25] [471] ~>telnet mailhost.somedomain.com pop3
escape character is '^Y'.
Trying 209.125.17.11...
Connected to mailhost.somedomain.com.
Escape character is '^Y'.
Connection closed by foreign host.
alecto: [19:25] [472] ~>l /tmp/STRING
-rw------- 1 igor group 48406 Jun 27 02:44 /tmp/STRING

Jun 27 20:25:40 mailhost /kernel: pid 13587 (popper), uid 0: exited on signal 11 (core dumped)

IgoR

----- End of forwarded message from Igor Roshchin -----
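The length guard quoted in the message above, next to a bounded copy that reports over-long input, as an added example that is not part of the original post or of the popper sources. The 128-byte destination buffer is an assumption inferred from the constant in the quoted line, and the function names and the 'A'-filled inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define DST_SIZE 128   /* assumed destination size, inferred from the quoted guard */
#define SRC_SIZE 512   /* constructed input buffer for this demo */

/* Build a constructed input of n 'A' characters (n < SRC_SIZE). */
static void make_input(char *src, size_t n)
{
    memset(src, 'A', n);
    src[n] = '\0';
}

/* Guard as quoted in the thread, followed by an unbounded copy of the kind
 * it is meant to protect. Returns the length that landed in the destination. */
size_t guarded_copy_len(size_t n)
{
    char src[SRC_SIZE], dst[DST_SIZE];
    char *cp = src;

    make_input(src, n);
    if (strlen(cp) >= 128) cp[127] = 0;   /* truncates the source in place */
    strcpy(dst, cp);                      /* now at most 127 chars + NUL */
    return strlen(dst);
}

/* Alternative: bound the copy itself and tell the caller when input was too
 * long, so it can be rejected or logged. Returns 0 if it fit, -1 if not. */
int bounded_copy_status(size_t n)
{
    char src[SRC_SIZE], dst[DST_SIZE];

    make_input(src, n);
    int written = snprintf(dst, sizeof dst, "%s", src);
    return (written < 0 || (size_t)written >= sizeof dst) ? -1 : 0;
}

int main(void)
{
    size_t sizes[] = { 10, 127, 128, 300 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("input %3zu -> guarded copy %3zu, bounded status %d\n",
               sizes[i], guarded_copy_len(sizes[i]), bounded_copy_status(sizes[i]));
    return 0;
}
```

The in-place guard silently shortens the data it was handed, while the bounded copy leaves the source untouched and gives the caller a status to act on.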