Vulnerability Development mailing list archives

QPopper 4.0.4 buffer overflow


From: Marcell Fodor <m.fodor () mail datanet hu>
Date: 28 Apr 2002 19:24:51 -0000



Affected versions: 4.0.3 and 4.0.4, default install.
Servers that do not process the user's configuration file
(~/.qpopper-options) are not affected by this bug.

pop_bull.c
-----------
int
CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE          *bull;
    char           buffer [ MAXMSGLINELEN ];
    BOOL           in_header            = TRUE;
    BOOL           first_line           = TRUE;
    int            nchar; 
    int            msg_num;
    int            msg_vis_num          = 0;
    int            msg_ends_in_nl       = 0;
    char           bullName [ 256 ];
    MsgInfoList   *mp;
.
.
.
    sprintf ( bullName, "%s/%s", p->bulldir, name );   /* unbounded: p->bulldir comes from the user's config file */
------------

The bullName buffer is 256 bytes long, but in the user's
config file you can define bulldir up to MAXLINELEN-1-sizeof
("set bulldir=") = 1010 bytes.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------
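The following C is an added example, not qpopper's code: it shows the bounded replacement for the sprintf above (check the snprintf return value and refuse a path that does not fit) together with the length check a server should apply when it parses the "set bulldir=" line, so the over-long value never reaches the copy at all. MAXLINELEN is assumed to be 1024, the value implied by the 1010-byte arithmetic above; the function names and sample paths are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BULLNAME_LEN 256   /* same size as bullName[] in pop_bull.c */
#define MAXLINELEN   1024  /* assumed; MAXLINELEN-1-sizeof("set bulldir=") = 1010 */

/* Build "<bulldir>/<name>" into out[outlen] without writing past the end.
 * Returns 0 on success, -1 if the result would not fit (out is then ""). */
int build_bull_path(char *out, size_t outlen, const char *bulldir, const char *name)
{
    int n;
    if (outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* refuse a truncated path rather than open it */
        return -1;
    }
    return 0;
}

/* Validate a "set bulldir=" value at config-parse time: it must leave room
 * for '/', at least one character of bulletin name, and the terminating NUL. */
int bulldir_value_ok(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len + 3 > BULLNAME_LEN)
        return 0;
    if (strchr(value, '\n') != NULL)
        return 0;
    return 1;
}

/* Constructed sample: a bulldir value of the maximum length the advisory
 * describes, filled with 'A'. Caller frees the result. */
char *make_long_bulldir(void)
{
    size_t n = MAXLINELEN - 1 - sizeof("set bulldir=");
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char out[BULLNAME_LEN];
    char *longdir = make_long_bulldir();

    printf("normal bulldir accepted: %d\n", bulldir_value_ok("/var/spool/bulls"));
    printf("1010-byte bulldir accepted: %d\n", bulldir_value_ok(longdir));
    printf("bounded copy with long bulldir rc=%d\n",
           build_bull_path(out, sizeof out, longdir, "news.1"));
    free(longdir);
    return 0;
}
```

The config-time check is the one that matters operationally: a server that rejects the oversized value when it reads ~/.qpopper-options never has to rely on every later caller remembering to bound the copy.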

more info: http://mantra.freeweb.hu

Regards,
Marcell Fodor