oss-sec mailing list archives
Re: heap overflow in procmail
From: Rich Felker <dalias () libc org>
Date: Wed, 3 Sep 2014 23:39:53 -0400
On Wed, Sep 03, 2014 at 11:52:11AM -0700, Tavis Ormandy wrote:
I noticed a heap overflow in procmail when parsing addresses with unbalanced quotes. I encountered this by accident when trying to organize a large usenet archive, this post to rec.arts.poems causes formail to crash. https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ I've attached an mbox for reference. $ formail -s < mbox > /dev/null *** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 *** Segmentation fault (core dumped) $ rpm -q procmail procmail-3.22-33.fc20.x86_64 It looks like the fix is --- formisc.c 2013-08-04 00:13:33.000000000 -0700 +++ formisc.c 2014-09-03 11:42:25.986002396 -0700 @@ -84,12 +84,11 @@ case '"':*target++=delim='"';start++; } ;{ int i; - do + while(*start) if((i= *target++= *start++)==delim) /* corresponding delimiter? */ break; else if(i=='\\'&&*start) /* skip quoted character */ *target++= *start++; - while(*start); /* anything? */ } hitspc=2; }
Unless I'm misunderstanding your report, the problem is in the formail utility which comes with procmail, not procmail itself. This should be clarified in the title of the vuln, perhaps as "heap overflow in procmail's formail utility" rather than "heap overflow in procmail". Rich
Current thread:
- heap overflow in procmail Tavis Ormandy (Sep 03)
- Re: heap overflow in procmail Kurt Seifried (Sep 03)
- Re: heap overflow in procmail cve-assign (Sep 03)
- RE: heap overflow in procmail Christey, Steven M. (Sep 03)
- Re: heap overflow in procmail Michal Zalewski (Sep 03)
- Re: heap overflow in procmail Kurt Seifried (Sep 04)
- Re: heap overflow in procmail Kurt Seifried (Sep 04)
- Re: heap overflow in procmail Kurt Seifried (Sep 03)
- Re: heap overflow in procmail Rich Felker (Sep 03)
- Re: heap overflow in procmail Tavis Ormandy (Sep 03)
- Re: Re: heap overflow in procmail Rich Felker (Sep 04)
- Re: Re: heap overflow in procmail Tavis Ormandy (Sep 04)
- Re: heap overflow in procmail Tavis Ormandy (Sep 03)
- <Possible follow-ups>
- Re: heap overflow in procmail Jack Frosch (Sep 05)
- Re: Re: heap overflow in procmail Simon McVittie (Sep 05)