Bugtraq mailing list archives
Re: patch for qpopper remote exploit bug
From: smw () alcor concordia ca (Steven Winikoff)
Date: Sun, 28 Jun 1998 13:48:54 -0400
I apologize for not replying directly to Bugtraq for the sake of proper threading, but I'm not actually subscribed, so I saw your message on the archive at http://geek-girl.com/bugtraq/. Anyhow, you said:
> Digital Unix 3.2G does not seem to have either vsnprintf or snprintf.
Neither does 4.0B.
> However, qpopper under Digital Unix 3.2G does not seem to show the vulnerability as discussed on this list even though it contains the vulnerable code.
I'm glad to hear that. :-) Nevertheless I installed a patched version of qpop-2.4 last night on our DEC Unix 4.0B POP server. I used the following hacked vsnprintf() interface, which I wrote myself after giving up on finding source elsewhere (e.g., the NetBSD version, which is totally incompatible with the definition of (struct FILE) on DEC Unix). This version follows the semantics for vsnprintf() as found in NetBSD/386 1.2:

8<---------------------------- cut here -------------------------->8
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * vsnprintf() -- hacked interface, because DEC OSF/1 doesn't
 *                have the real thing...
 *
 * Steven Winikoff
 * 1998/06/27
 *
 * This code is rather feeble-minded; all it does is truncate the
 * given string temporarily, call vsprintf() to "print" it, and
 * then restore the original string.
 *
 * We return whatever we got from vsprintf().
 */

int vsnprintf(char *str, size_t n, const char *fmt, va_list ap)
{
   int  result;
   char c;

   /** do we even need to bother? **/
   if (strlen(str) < n)
      return(vsprintf(str, fmt, ap));

   /** okay, truncate, call vsprintf(), and restore: **/
   c = str[n-1];
   str[n-1] = '\0';                     /* take that! :-)         */
   result = vsprintf(str, fmt, ap);     /* do the write thing :-) */
   str[n-1] = c;                        /* all better now :-)     */

   return(result);
}
8<---------------------------- cut here -------------------------->8

I don't know if this is helpful at all, but I figured I should pass it on anyway just in case.

     - Steven
________________________________________________________________________
Steven Winikoff                | "One of the main causes of the fall of
Concordia University           | the Roman Empire was that, lacking
Montreal, QC, Canada           | zero, they had no way to indicate
smw () alcor concordia ca      | successful termination of their C
http://alcor.concordia.ca/~smw | programs." - Robert Firth
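An added example, not part of the original message: vsprintf() takes no size argument, so truncating the destination before the call does not limit how much it writes. The code below runs the posted logic (as `shim_vsnprintf`) inside a guard-filled arena so the excess write can be counted safely, and contrasts it with a fallback that bounds the copy using only C89 stdio. The names `shim_vsnprintf`, `tmpfile_vsnprintf`, `overrun`, `vfmt_fn` and `S40` are hypothetical, and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define S40 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* constructed, 40 bytes */
typedef int (*vfmt_fn)(char *, size_t, const char *, va_list);

/* Logic of the posted shim, renamed so it does not shadow libc's vsnprintf. */
int shim_vsnprintf(char *str, size_t n, const char *fmt, va_list ap)
{
    int result;
    char c;
    if (strlen(str) < n)
        return vsprintf(str, fmt, ap);
    c = str[n - 1];
    str[n - 1] = '\0';
    result = vsprintf(str, fmt, ap); /* vsprintf() is never told about n */
    str[n - 1] = c;
    return result;
}

/* Hypothetical C89-only fallback: format to a temp file, read back n-1 bytes. */
int tmpfile_vsnprintf(char *str, size_t n, const char *fmt, va_list ap)
{
    FILE *fp = tmpfile();
    int len = fp ? vfprintf(fp, fmt, ap) : -1;
    if (len >= 0 && n > 0) {
        rewind(fp);
        str[fread(str, 1, n - 1, fp)] = '\0';
    }
    if (fp) fclose(fp);
    return len; /* untruncated length, or -1 on error */
}

/* Bytes modified at offset >= n when f formats into a guard-filled arena. */
int overrun(vfmt_fn f, size_t n, const char *fmt, ...)
{
    char arena[256];
    va_list ap;
    size_t i, changed = 0;
    memset(arena, 'X', sizeof arena);
    arena[sizeof arena - 1] = '\0'; /* so the shim's strlen() stops here */
    va_start(ap, fmt);
    f(arena, n, fmt, ap);
    va_end(ap);
    for (i = n; i < sizeof arena - 1; i++)
        changed += (arena[i] != 'X');
    return (int)changed;
}
```

Calling `overrun(shim_vsnprintf, 16, "%s", S40)` reports the bytes written past a 16-byte limit; the same call with `tmpfile_vsnprintf` reports none, at the cost of one temporary file per call.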