Re: qpopper2.52
Dan Jacobowitz (drow FALSE.ORG)
Thu, 2 Jul 1998 16:54:33 -0400
- In reply to: Alan J Rosenthal: "qpopper2.52"
On Thu, Jul 02, 1998 at 12:51:50PM -0400, Alan J Rosenthal wrote:
> Are these limits in fact unnecessary, or have the qualcomm folks missed a few?
> (This file is the same in v2.52 -- got in this morning and started working on
> the 2.5 version before I saw last night's bugtraq mail... arggh)
>
> If these limits are indeed necessary, note that there's also a copy of this
> sprintf call on line 76.
Not to mention in pop_msg.c where this whole mess began. The Qualcomm
folks have taken the approach of limiting the length of every string
passed to the dangerous functions, instead of bounds checking within
pop_log and pop_msg. This is a dangerous thing to do in my opinion -
while they may indeed have caught every major problem, there could
possibly be unforeseen circumstances where the strings passed to those
functions do get overlarge. It would be a very reasonable safeguard to
add bounds checking to pop_log and pop_msg, and patches to do that have
already been posted to this list.
In fact, in the source code of 2.52 I see this:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |wc -l
34
By no means are all of these dangerous, but a slightly more useful
figure is:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |grep '%s'|wc -l
18
Eighteen places where strings are pushed into fixed length buffers. If
they have missed even one....
Daniel Jacobowitz
---------------------------------------------------------------------------
drow false.org    dan debian.org
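The safeguard argued for in the message above, sketched as an added example that is not part of the original post and is not qpopper's code: the bounds check sits inside the one formatting function every caller goes through, so a call site with an unrestricted `%s` cannot overflow the buffer. The names `log_unbounded`, `log_bounded`, `MSG_BUFSZ` and the format string are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUFSZ 64   /* assumed size for the demo; the post gives no buffer size */

/* Pattern the post warns about: the callee knows nothing about buf's size,
 * so safety depends on every caller limiting its own strings ("%.40s").
 * Shown for comparison only; it is never called below. */
int log_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Bounded form: returns 0 if the message fit, 1 if truncated, -1 on error.
 * buf is always NUL-terminated on return when bufsz > 0. */
int log_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    if (bufsz == 0) return -1;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= bufsz ? 1 : 0;
}

/* Constructed case: a 200-byte name passed through an unrestricted %s.
 * Returns the stored length, -1 if the guard bytes after the buffer
 * changed, -2 if truncation was not reported. */
int demo_overlong_user(void)
{
    struct { char buf[MSG_BUFSZ]; unsigned char guard[8]; } s;
    char user[201];
    memset(user, 'A', 200);
    user[200] = '\0';
    memset(s.guard, 0x5a, sizeof s.guard);
    int truncated = log_bounded(s.buf, sizeof s.buf, "-ERR user %s unknown", user);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a) return -1;
    return truncated == 1 ? (int)strlen(s.buf) : -2;
}

int main(void) { printf("stored length: %d\n", demo_overlong_user()); return 0; }
```

The truncation return value lets the caller log or reject the oversized input instead of silently sending a clipped message.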