From owner-freebsd-security Wed Jul 29 23:55:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA15611 for freebsd-security-outgoing; Wed, 29 Jul 1998 23:55:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA15587 for ; Wed, 29 Jul 1998 23:55:47 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA06998; Thu, 30 Jul 1998 18:39:09 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Thu, 30 Jul 1998 18:39:09 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Gregory Sutter
cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: procmail workaround for MIME filename overflow exploit
In-Reply-To: <19980729145556.C16073@notabene.zer0.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Jul 1998, Gregory Sutter wrote:

> John's recipe has the same problem as Andrew McNaughton's proposed
> solution -- it invokes perl. That's a lot of overhead to process a
> mail message, when procmail can do it just fine. Out of several
> recipes suggested on the procmail mailing list, David Tamkin's is the
> best:
>
> :0fhw # sixty-three dots in second condition
> * ^Content-Disposition:(.*\>)?filename="\/[^"]+
> * MATCH ?? ^^\/...............................................................
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\""
>
> That recipe will truncate any filenames longer than 63 characters to 63
> chars. If you wish to specially denote offending messages, you can
> change the action line to:
>
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
>   -i "X-Security-Modification: Truncated long filename"

If formail is substantially faster than perl to invoke then it's better, but I prefer a test on the length of the entire header rather than just the filename. Do any of the vulnerable programs also make assumptions about the length of the header as a whole? Do any accept whitespace around the '='? What happens if there is no terminating '"'?

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
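The three questions Andrew raises (a bound on the whole header rather than only the filename, whitespace around the '=', and a filename with no closing quote) are exactly the cases a regex-only recipe can miss. The filter below is an added example, not code from this thread, from procmail or from formail: it does what David Tamkin's recipe does, truncating `filename` to 63 characters and marking the message with `X-Security-Modification`, but inside a full MIME parser, and it also tolerates the two syntax variants and enforces a cap on the whole header value. The 256-byte whole-header limit, the sample message and the function names are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.message import Message

MAX_FILENAME = 63     # the limit the procmail recipe in the thread enforces
MAX_HEADER = 256      # assumed cap on the whole Content-Disposition value
MARK = "X-Security-Modification"

# Match the filename parameter while tolerating optional whitespace around
# '=' and an optional (possibly missing) closing quote.  The captured name
# stops at a quote, a ';' or a line break.
FILENAME_RE = re.compile(r'(filename\s*=\s*)"?([^";\r\n]*)"?', re.IGNORECASE)


def fix_disposition(value: str):
    """Return (new_value, reason) for one Content-Disposition header value.

    reason is None when the header was left untouched.
    """
    reasons = []
    m = FILENAME_RE.search(value)
    if m:
        name = m.group(2)
        if len(name) > MAX_FILENAME:
            # Rebuild the parameter in canonical quoted form with the name cut
            # to MAX_FILENAME characters; anything after the parameter is kept.
            value = (value[:m.start()]
                     + 'filename="%s"' % name[:MAX_FILENAME]
                     + value[m.end():])
            reasons.append("Truncated long filename")
    if len(value) > MAX_HEADER:
        # Whole-header bound: rather than cut mid-parameter (which could leave
        # an unterminated quote), keep only the disposition type itself.
        value = value.split(";", 1)[0].strip()
        reasons.append("Truncated long header")
    return value, ("; ".join(reasons) or None)


def sanitize(raw: str) -> Message:
    """Parse a raw message, rewrite every offending Content-Disposition header
    in any MIME part, and add an X-Security-Modification header when something
    was changed."""
    msg = message_from_string(raw)
    notes = []
    for part in msg.walk():
        cd = part.get("Content-Disposition")
        if cd is None:
            continue
        new, reason = fix_disposition(cd)
        if reason:
            part.replace_header("Content-Disposition", new)
            notes.append(reason)
    if notes:
        msg[MARK] = "; ".join(notes)
    return msg


# Constructed sample: an attachment whose filename is 80 characters long,
# written with spaces around '=' and without a closing quote.
LONG_NAME = "A" * 80
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n'
    "\n"
    "--b\n"
    "Content-Type: text/plain\n"
    "\n"
    "body text\n"
    "--b\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename = "' + LONG_NAME + "\n"
    "\n"
    "data\n"
    "--b--\n"
)

if __name__ == "__main__":
    print(sanitize(SAMPLE).as_string())
```

Run stand-alone it prints the sanitized message; the attachment part comes out as `attachment; filename="AAA…"` with 63 A's and the top-level headers gain `X-Security-Modification: Truncated long filename`. A header with no filename at all but an oversized value is reduced to its bare disposition type, which is the fail-safe answer to the whole-header question.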