Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: More about UW c-client library
From: Juhapekka Tolvanen (juhtolvST.JYU.FI)
Date: Fri Sep 01 2000 - 16:18:14 CDT

Here is more information about that bug.

It seems that they will have some patch real soon:

> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
> sprintf (buf + strlen (buf),"...
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <39AD820C.6AD0818Caxis.com> from
> Cristian Ionescu-Idbohrn <ciiaxis.com>

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3). This is
only the tip of the iceberg, however. There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd. The report was about a mile long :(

Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolvst.jyu.fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails