BugTraq
QPopper 4.0.x buffer overflow vulnerability Mar 10 2003 02:31PM
Florian Heinz (heinz cronon-ag de) (3 replies)
Re: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 01:19PM
Jaroslaw Zachwieja (grok tnt pl) (1 replies)
RE: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 05:03PM
Jonathan A. Zdziarski (jonathan networkdweebs com)
Re: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 09:33AM
Torsten Mueller (torsten archesoft de) (1 replies)
Re: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 09:55AM
Florian Heinz (heinz cronon-ag de)
Re: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 03:05AM
Randall Gellens (rg_public 1 flagg qualcomm com) (2 replies)
Re: QPopper 4.0.x buffer overflow vulnerability Mar 13 2003 07:12AM
Harald Hellmuth (hh hostserver de)
On Tue, 11 Mar 2003 19:05:51 -0800
Randall Gellens <rg_public.1 (at) flagg.qualcomm (dot) com [email concealed]> wrote:

> The first I heard of the problem was this morning. Was any notice
> sent to qpopper-bugs (at) qualcomm (dot) com [email concealed] or qpopper-patches (at) qualcomm (dot) com [email concealed] in
> advance of the posting here? If so, please let me know the details
> so I can see what happened to the message. If not, I'd like to know
> why.
>
> A fixed Qpopper (version 4.0.5fc2) is available now at
> <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on
> releasing 4.0.5 final tomorrow unless I hear of any problems with
> 4.0.5fc2.
>
> --
> Randall Gellens
> rg_public.1 (at) flagg.qualcomm (dot) com [email concealed]
> Opinions are personal; facts are suspect; I speak for myself only

Hello,

Yesterday (2003-03-12) I sent the following email to qpopper-bugs (at) qualcomm (dot) com [email concealed]:

------------------------------ snip ---------------------------------------
Dear Sir or Madam,

Florian Heinz posted an exploit to gain shell access through qpopper.
See http://nstx.dereference.de/snippets/qex.c.
The reason is an unterminated bufferstring in Qvsnprintf.

I looked at version 4.05fc2 and there is a change, but I think that
change isn't correct.

/* From file common/snprintf.c */
if ( nSize == 0 && *p != '\0' )
{
    *s = '\0';
    return -1;
}
else
    return ( (n-1) - nSize );

/* When the string that should be written to the buffer fits exactly,
 * then no zero byte will be written to the buffer, because the for
 * loop terminates when nSize is 0 and the terminating '\0' of p is not
 * copied to the buffer ;-(
 */

I think it should be written as:

if ( nSize || *p == '\0' )
{
    *s++ = *p;
    return ( (n-1) - nSize );
}
else
{
    *s++ = '\0';
    return -1;
}

Please excuse my bad English.

regards

Harald Hellmuth
------------------------------ snap ---------------------------------------

with best regards

--

Harald Hellmuth
E-Mail: hh (at) hostserver (dot) de [email concealed]

[ reply ]
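Added example, not Qpopper's code and not the poster's: a small C model of the two snprintf.c tails quoted in the message above, placed under an assumed copy loop, together with a check that reports whether a terminator actually landed inside the n-byte buffer. The loop shape, the function names (copy_body, copy_quoted_tail, copy_proposed_tail, terminated_after, result_of) and the sample strings are assumptions made for this illustration; only the two tails follow the message.

```c
#include <stddef.h>
#include <string.h>

/* Assumed loop shape (not Qpopper's): copy p into s with a budget of
 * nSize bytes, storing the terminator itself only when budget remains.
 * That is the behaviour the e-mail describes: with an exact fit the
 * budget reaches 0 before the '\0' of p is copied. Returns the budget
 * left over. */
static size_t copy_body(char **sp, const char **pp, size_t nSize)
{
    char *s = *sp;
    const char *p = *pp;
    while (nSize != 0) {
        *s = *p;
        if (*p == '\0')
            break;            /* terminator stored, budget left over */
        s++; p++; nSize--;
    }
    *sp = s;
    *pp = p;
    return nSize;
}

/* Tail as quoted from 4.0.5fc2: when the source fits exactly (n-1 bytes)
 * the loop stops with nSize == 0 and *p == '\0', the else branch is
 * taken, and nothing is stored at s[n-1]. */
int copy_quoted_tail(char *s, size_t n, const char *p)
{
    size_t nSize;
    if (n == 0) return -1;
    nSize = copy_body(&s, &p, n - 1);
    if (nSize == 0 && *p != '\0') {
        *s = '\0';
        return -1;
    } else
        return (int)((n - 1) - nSize);
}

/* Tail as proposed in the e-mail: store *p (the '\0' here) whenever the
 * source was fully consumed, and '\0' plus -1 when it was truncated. */
int copy_proposed_tail(char *s, size_t n, const char *p)
{
    size_t nSize;
    if (n == 0) return -1;
    nSize = copy_body(&s, &p, n - 1);
    if (nSize || *p == '\0') {
        *s = *p;
        return (int)((n - 1) - nSize);
    } else {
        *s = '\0';
        return -1;
    }
}

typedef int (*copy_fn)(char *, size_t, const char *);

/* Check: fill a buffer with a sentinel, run fn with a buffer of n bytes,
 * and report (1/0) whether a '\0' was stored within those n bytes. */
int terminated_after(copy_fn fn, size_t n, const char *src)
{
    char buf[64];
    if (n == 0 || n > sizeof buf) return 0;
    memset(buf, 'X', sizeof buf);
    fn(buf, n, src);
    return memchr(buf, '\0', n) != NULL;
}

/* The return value of fn for the same call. */
int result_of(copy_fn fn, size_t n, const char *src)
{
    char buf[64];
    if (n == 0 || n > sizeof buf) return -2;
    memset(buf, 'X', sizeof buf);
    return fn(buf, n, src);
}
```

With an 8-byte buffer, a 7-character source is the exact-fit case: the quoted tail reports 7 bytes written but leaves no terminator inside the buffer, while the proposed tail writes the '\0' at s[7]. Shorter and longer sources are terminated by both variants, which is why the defect only shows up for one specific length and is easy to miss in ordinary testing.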
Re: QPopper 4.0.x buffer overflow vulnerability Mar 12 2003 04:05AM
Florian Heinz (heinz cronon-ag de)