Vulnerability Development mailing list archives
QPopper 4.0.4 buffer overflow
From: Marcell Fodor <m.fodor () mail datanet hu>
Date: 28 Apr 2002 19:24:51 -0000
Affected versions 4.0.3 and 4.0.4, default install. Servers not processing the user's configuration file (~/.qpopper-options) are insensible to this bug.

pop_bull.c
-----------
int CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE *bull;
    char buffer [ MAXMSGLINELEN ];
    BOOL in_header = TRUE;
    BOOL first_line = TRUE;
    int nchar;
    int msg_num;
    int msg_vis_num = 0;
    int msg_ends_in_nl = 0;
    char bullName [ 256 ];
    MsgInfoList *mp;
    . . .
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------

The bullName buffer is 256 bytes long, but in the user's config file you can define it up to MAXLINELEN-1-sizeof ("set bulldir=") = 1010 bytes.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------

more info: http://mantra.freeweb.hu

Regards,
Marcell Fodor
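The defect described above is an unbounded sprintf() of a user-controlled string (p->bulldir, read from ~/.qpopper-options) into a fixed 256-byte stack buffer. The following is an added example, not code from the post or from the QPopper sources, showing the bounded replacement a maintainer would use: snprintf() with its return value checked, so an oversized bulldir is rejected rather than written past bullName. The function names (build_bull_path, bull_path_fits, long_bulldir_is_rejected, boundary_cases_ok) are hypothetical, and MAXLINELEN is assumed to be 1024, the value consistent with the post's arithmetic (1024 - 1 - sizeof("set bulldir=") = 1010).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BULLNAME_LEN 256   /* size of bullName in CopyOneBull, as quoted in the post */
#define MAXLINELEN   1024  /* assumed value; matches the post's 1010-byte figure */
/* Longest bulldir value a "set bulldir=" config line can carry: 1010 bytes. */
#define MAX_BULLDIR_OPT (MAXLINELEN - 1 - sizeof("set bulldir="))

/* Bounded replacement for sprintf(bullName, "%s/%s", p->bulldir, name).
 * Returns 0 on success and -1 when "bulldir/name" plus its terminating NUL
 * would not fit in out[outsz]. On failure out is emptied so that a caller
 * cannot accidentally open a silently truncated path. */
int build_bull_path(char *out, size_t outsz, const char *bulldir, const char *name)
{
    if (out == NULL || outsz == 0 || bulldir == NULL || name == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= outsz) {   /* n >= outsz means snprintf truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 if bulldir/name fits in a 256-byte bullName, 0 otherwise. */
int bull_path_fits(const char *bulldir, const char *name)
{
    char tmp[BULLNAME_LEN];
    return build_bull_path(tmp, sizeof tmp, bulldir, name) == 0;
}

size_t max_bulldir_option_len(void) { return MAX_BULLDIR_OPT; }

/* Constructed input: a bulldir of the maximum option length, all 'A's like the
 * post's example line. Returns 1 if the bounded builder rejects it. */
int long_bulldir_is_rejected(void)
{
    char dir[MAX_BULLDIR_OPT + 1];
    memset(dir, 'A', MAX_BULLDIR_OPT);
    dir[MAX_BULLDIR_OPT] = '\0';
    return !bull_path_fits(dir, "welcome");
}

/* Boundary check: 247 'B's + "/welcome" is 255 chars and fits (NUL makes 256);
 * 248 'B's gives 256 chars, which no longer fits. Returns 1 if both hold. */
int boundary_cases_ok(void)
{
    char dir[249];
    memset(dir, 'B', 248);
    dir[247] = '\0';                       /* 247-char directory */
    int fits_255 = bull_path_fits(dir, "welcome");
    dir[247] = 'B';
    dir[248] = '\0';                       /* 248-char directory */
    int fits_256 = bull_path_fits(dir, "welcome");
    return fits_255 == 1 && fits_256 == 0;
}

int main(void)
{
    char path[BULLNAME_LEN];
    if (build_bull_path(path, sizeof path, "/var/spool/bulls", "welcome") == 0)
        printf("ok: %s\n", path);
    printf("max bulldir option length: %zu\n", max_bulldir_option_len());
    printf("oversized bulldir rejected: %s\n", long_bulldir_is_rejected() ? "yes" : "no");
    printf("boundary cases ok: %s\n", boundary_cases_ok() ? "yes" : "no");
    return 0;
}
```

The key design point is that snprintf() alone is not enough: it prevents the overrun but silently truncates, so the return value must be compared against the buffer size and the operation refused (or the option rejected at config-parse time) when the path does not fit.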