Date: Tue, 23 Oct 2001 16:38:05 +1000 From: "Tim J. Robbins" <tim@robbins.dropbear.id.au> To: ports@FreeBSD.ORG Cc: ache@FreeBSD.ORG Subject: munpack from converters/mpack heap overflow vuln Message-ID: <20011023163805.A23527@mango.robbins.dropbear.id.au>
Hi,

munpack, part of CMU mpack version 1.5, which is in ports/converters/mpack, contains a heap buffer overflow vulnerability in the header parsing code. The functions getParam() and getDispositionFilename() attempt to resize a buffer dynamically when they get full, but after being enlarged once by a call to realloc(), a bug causes the code to never enlarge them again. (These functions are in mpack/src/decode.c.)

If a malicious person could cause someone to extract attachments from a malformed message with munpack, security could be compromised.

I don't think mpack is a very popular software package these days, but I have found it useful.

A patch to decode.c follows this message which fixes this problem.

Tim

--- decode.c.old	Tue Oct 23 16:14:53 2001
+++ decode.c	Tue Oct 23 16:16:22 2001
@@ -468,6 +468,7 @@
             alloced += VALUEGROWSIZE;
             value = xrealloc(value, alloced);
             to = value + alloced - left - 2;
+            left = alloced - 1;
         }
         if (*from == '\\') {
             from++;
@@ -484,6 +485,7 @@
             alloced += VALUEGROWSIZE;
             value = xrealloc(value, alloced);
             to = value + alloced - left - 2;
+            left = alloced - 1;
         }
         *to++ = *from++;
     }
@@ -573,6 +575,7 @@
             alloced += VALUEGROWSIZE;
             value = xrealloc(value, alloced);
             to = value + alloced - left - 2;
+            left = alloced - 1;
         }
         if (*disposition == '\\') {
             disposition++;
@@ -590,6 +593,7 @@
             alloced += VALUEGROWSIZE;
             value = xrealloc(value, alloced);
             to = value + alloced - left - 2;
+            left = alloced - 1;
         }
         *to++ = *disposition++;
     }
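Review bot: in the @@ -468 hunk the new `left = alloced - 1;` comes after `to = value + alloced - left - 2;`, but that line has already been evaluated with the grown `alloced` and the stale `left`, so the two counters the loop depends on now disagree. Reading `alloced - left - 2` as the cursor offset, as the recomputation does, the bytes remaining from `to` to the end of the block number `left + 2`, with `left` still at its pre-growth, nearly exhausted value; resetting `left` to `alloced - 1` afterwards then claims almost the whole new block is free, and a value that keeps growing can still write past the end. The consistent change is to advance `left` by the same step as `alloced` before the cursor is recomputed, i.e. add `left += VALUEGROWSIZE;` directly after `alloced += VALUEGROWSIZE;` and drop the trailing reset, so that `to` evaluates to the same offset the expression gave with the pre-growth values and `left` keeps counting real free space. The same applies verbatim to the sibling hunks at -484, -573 and -590.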
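Review bot: the @@ -484 hunk is the third of four byte-for-byte copies of the same grow-and-recompute block (the two loops in getParam() and the two in getDispositionFilename() differ only in the source pointer name, `from` versus `disposition`), and this patch has to touch every copy to be effective. Factoring the block into one static helper that takes `&value`, `&alloced`, `&to` and `&left` would make the bookkeeping live in exactly one place, so a future correction cannot be applied to one loop and missed in another.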
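As an added example that is not part of Tim's message or of mpack's source: the same kind of growable-buffer copy loop, written so the cursor is kept as an offset into the block and free space is derived from that offset and the capacity, rather than maintained as a separate counter that has to be re-synchronised by hand after every realloc(). This goes beyond the patch in that it removes the separate `left` counter altogether. The names (copy_quoted_value, valbuf, GROWSIZE, roundtrip_ok) are this example's own, and the 8-byte growth step is a constructed value chosen so the self-check crosses several reallocations; mpack's VALUEGROWSIZE is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small growth step so the self-check exercises several reallocations
 * (constructed value for this example, not mpack's VALUEGROWSIZE). */
#define GROWSIZE 8

struct valbuf {
    char  *data;    /* heap block */
    size_t alloced; /* bytes allocated */
    size_t used;    /* bytes written so far, i.e. the cursor as an offset */
};

/* Ensure room for one more byte plus the terminating NUL.  Because the cursor
 * is an offset, realloc() moving the block cannot strand it, and the free
 * space is always alloced - used - 1 by construction, with nothing to resync. */
static int valbuf_reserve(struct valbuf *b)
{
    if (b->used + 1 < b->alloced) return 1;      /* room for the byte and the NUL */
    size_t n = b->alloced + GROWSIZE;
    char *p = realloc(b->data, n);
    if (!p) return 0;
    b->data = p;
    b->alloced = n;
    return 1;
}

/* Copy a quoted-string header parameter value (text up to the closing quote,
 * with backslash escapes taken literally) into a fresh heap buffer.
 * Returns NULL on allocation failure; the caller frees the result. */
char *copy_quoted_value(const char *from)
{
    struct valbuf b = { malloc(GROWSIZE), GROWSIZE, 0 };
    if (!b.data) return NULL;

    while (*from && *from != '"') {
        if (!valbuf_reserve(&b)) { free(b.data); return NULL; }
        if (*from == '\\') {            /* quoted-pair: next byte is literal */
            from++;
            if (!*from) break;
        }
        b.data[b.used++] = *from++;
    }
    b.data[b.used] = '\0';              /* slot guaranteed by valbuf_reserve */
    return b.data;
}

/* Self-check: build a constructed value of n bytes, escape every '"' and '\'
 * the way a header would, copy it back out and compare with the original. */
int roundtrip_ok(size_t n)
{
    char *want = malloc(n + 1), *enc = malloc(2 * n + 8);
    if (!want || !enc) { free(want); free(enc); return 0; }
    size_t e = 0;
    for (size_t i = 0; i < n; i++) {
        /* mix ordinary letters with the two characters that need escaping */
        char c = (i % 7 == 3) ? '"' : (i % 11 == 5) ? '\\' : (char)('a' + i % 26);
        want[i] = c;
        if (c == '"' || c == '\\') enc[e++] = '\\';
        enc[e++] = c;
    }
    want[n] = '\0';
    enc[e++] = '"'; enc[e++] = ';'; enc[e] = '\0';   /* closing quote, then more header text */
    char *got = copy_quoted_value(enc);
    int ok = got && strlen(got) == n && strcmp(got, want) == 0;
    free(got); free(want); free(enc);
    return ok;
}

/* Constructed fragment with both escape kinds, then the closing quote. */
int escape_example_ok(void)
{
    char *v = copy_quoted_value("abc\\\"def\\\\g\" rest");
    int ok = v && strcmp(v, "abc\"def\\g") == 0;
    free(v);
    return ok;
}

int main(void)
{
    int ok = roundtrip_ok(1000) && escape_example_ok();
    printf("growable copy loop: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

roundtrip_ok(1000) copies a value roughly 125 times the initial block, so the reserve path runs many times; any drift between the cursor and the capacity would show up as a truncated or corrupted result, and under a sanitizer as an out-of-bounds write.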