Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_2

Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: QPOPPER problem....

Re: QPOPPER problem....

Bruno Lopes F. Cabral (brunoOPENLINE.COM.BR)
Sat, 27 Jun 1998 20:18:47 -0300

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Miquel van Smoorenburg: "patch: qpopper (plugs another hole too)"
Previous message: Theo de Raadt: "Re: patch for qpopper remote exploit bug"
In reply to: Bruno Lopes F. Cabral: "Re: QPOPPER problem...."
Next in thread: Marco S Hyman: "Re: QPOPPER problem...."

Hi there.

as there was an error on the patch I took, there is a new one with
this simple change

+        vsnprintf(mp,sizeof(message) - strlen(mp) -1,format,ap);

becomes

+        vsnprintf(mp,sizeof(message) - (mp-message)- 3, format,ap);

grab the new rpm, if you wish, from the same location

ftp://ftp.openline.com.br/mirror/contrib/qpopper-2.4-3.src.rpm

!3runo

P.S. here is the _corrected_ patch and remember this is only tested
on linux. Qpopper 2.4 uses GNU autoconf and the necessary steps to
modify it to search for vsnprintf are beiond my knowledge

diff -uNr qpopper2.4-orig/pop_dropcopy.c qpopper2.4/pop_dropcopy.c
--- qpopper2.4-orig/pop_dropcopy.c      Fri Sep 12 17:23:02 1997
+++ qpopper2.4/pop_dropcopy.c   Sat Jun 27 14:41:01 1998
 -457,6 +457,9 
                    } else
                        cp = "";

+                   /* Make UIDL not longer then 128 chars, we use it
+                      in sprintf() later on */
+                   if (strlen(cp) >= 128) cp[127] = 0;
                    mp->uidl_str = (char *)strdup(cp);
                    mp->length += nchar + 1;
                    p->drop_size += nchar + 1;
diff -uNr qpopper2.4-orig/pop_log.c qpopper2.4/pop_log.c
--- qpopper2.4-orig/pop_log.c   Thu Sep 11 21:21:21 1997
+++ qpopper2.4/pop_log.c        Sat Jun 27 14:41:57 1998
 -47,7 +47,7 
 #endif

 #ifdef HAVE_VPRINTF
-        vsprintf(msgbuf,format,ap);
+        vsnprintf(msgbuf,sizeof(msgbuf),format,ap);
 #else
 # ifdef PYRAMID
         (void)sprintf(msgbuf,format, arg1, arg2, arg3, arg4, arg5, arg6);
 -67,6 +67,8 
         (void)fflush(p->trace);
     }
     else {
+        /* Protect syslog from too long messages */
+        if (strlen(msgbuf) >= 512) msgbuf[511] = 0;
         syslog (stat,"%s",msgbuf);
     }

diff -uNr qpopper2.4-orig/pop_msg.c qpopper2.4/pop_msg.c
--- qpopper2.4-orig/pop_msg.c   Thu Sep 11 21:21:41 1997
+++ qpopper2.4/pop_msg.c        Sat Jun 27 14:42:42 1998
 -63,7 +63,7 
     /*  Append the message (formatted, if necessary) */
     if (format)
 #ifdef HAVE_VPRINTF
-        vsprintf(mp,format,ap);
+        vsnprintf(mp,sizeof(message) - (mp-message)- 3, format,ap);
 #else
 # ifdef PYRAMID
         (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);

Next message: Miquel van Smoorenburg: "patch: qpopper (plugs another hole too)"
Previous message: Theo de Raadt: "Re: patch for qpopper remote exploit bug"
In reply to: Bruno Lopes F. Cabral: "Re: QPOPPER problem...."
Next in thread: Marco S Hyman: "Re: QPOPPER problem...."