oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: heap overflow in procmail

From: Rich Felker <dalias () libc org>
Date: Wed, 3 Sep 2014 23:39:53 -0400
On Wed, Sep 03, 2014 at 11:52:11AM -0700, Tavis Ormandy wrote:

I noticed a heap overflow in procmail when parsing addresses with
unbalanced quotes. I encountered this by accident when trying to
organize a large usenet archive, this post to rec.arts.poems causes
formail to crash.

https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ

I've attached an mbox for reference.

$ formail -s < mbox > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
Segmentation fault (core dumped)
$ rpm -q procmail
procmail-3.22-33.fc20.x86_64


It looks like the fix is

--- formisc.c 2013-08-04 00:13:33.000000000 -0700
+++ formisc.c 2014-09-03 11:42:25.986002396 -0700
@@ -84,12 +84,11 @@
  case '"':*target++=delim='"';start++;
       }
      ;{ int i;
- do
+ while(*start)
    if((i= *target++= *start++)==delim) /* corresponding delimiter? */
       break;
    else if(i=='\\'&&*start)    /* skip quoted character */
       *target++= *start++;
- while(*start); /* anything? */
       }
      hitspc=2;
    }


Unless I'm misunderstanding your report, the problem is in the formail
utility which comes with procmail, not procmail itself. This should be
clarified in the title of the vuln, perhaps as "heap overflow in
procmail's formail utility" rather than "heap overflow in procmail".

Rich
Previous By Date Next
Previous By Thread Next

Current thread: