Bugtraq mailing list archives

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)


From: Renaud Deraison <deraison () cvs nessus org>
Date: Tue, 5 Jun 2001 22:21:47 +0200

On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
> **** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
> PLEASE UPGRADE IMMEDIATELY ***
> 
> We hope that this information is accurate. Version 4.0.2 is not on the ftp
> server any more, and there is no patch from 4.0.2 to 4.0.3.
> We currently feel handicapped in our efforts to check the code for the
> changes wrt the buffer overflow.

The buffer overflow took place when a too long argument was supplied
to the USER command (and apparently to some other commands too).

Here's the gdb backtrace I did save when I investigated this issue
thanks to Gustavo Viscaino (see
http://www.nessus.com/bugs/nessus/fixed?id=385 if you are curious
about why I'm involved in this).

(note that the command was USER XXXXX[....]XXXXX\r\n)

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
38      ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) bt
#0  strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
#1  0x805078c in pop_user (p=0xbfffca2c) at pop_user.c:198
#2  0x8050e58 in qpopper (argc=1482184792, argv=0x58585858) at
popper.c:321
#3  0x58585858 in ?? ()
Cannot access memory at address 0x58585858

Unfortunately, I did not get a copy of qpopper 4.0.2, so I can't really
show where the exact bug was.



> If the above statement is right, then SuSE distributions are not
> vulnerable. However, we wish to double-check such a claim. All kinds of

I really think it's not vulnerable. Qpopper 3.0.x is immune to this bug too.



                                -- Renaud
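The backtrace above shows `strcpy` being called from `pop_user` with a source and destination that both read as a run of `X` bytes, and a caller frame whose `argv` has become `0x58585858` (`XXXX`): the argument to USER was copied into a fixed-size buffer without a length check and ran over the adjacent stack data. The following is an added illustration of that bug class and its fix, written for this archive page; it is hypothetical code, not qpopper's own `pop_user.c`, and the buffer size, struct layout and function names are assumptions. The unsafe form is shown only for contrast; the hardened parser measures the argument up to the CRLF and rejects the command when it would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical illustration, not qpopper's code: the server parses
 * "USER <name>\r\n" into a fixed-size per-connection buffer. */
#define MAXUSERNAMELEN 64   /* assumed buffer size, not qpopper's value */

struct pop_state {
    char user[MAXUSERNAMELEN];
    /* other per-connection fields follow; an overflow of user[]
     * overwrites them and, on the stack, the saved frame data */
};

/* Unsafe pattern (shown for contrast, never called here): the argument
 * length is never compared against the destination, so a long argument
 * runs past user[]. This is the class of bug the backtrace points at. */
void pop_user_unsafe(struct pop_state *p, const char *arg)
{
    strcpy(p->user, arg);   /* no bound check */
}

/* Hardened form: locate the argument, measure it up to CR or LF, check
 * the length against the buffer, and refuse the command when it does
 * not fit. Returns 0 on success, -1 if the argument is missing or too
 * long. The terminating NUL is accounted for by the ">=" test. */
int pop_user_safe(struct pop_state *p, const char *line)
{
    const char *prefix = "USER ";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return -1;                        /* not a USER command */
    const char *arg = line + plen;
    size_t len = strcspn(arg, "\r\n");    /* argument ends at CR or LF */
    if (len == 0 || len >= sizeof p->user)
        return -1;                        /* empty or would not fit */
    memcpy(p->user, arg, len);
    p->user[len] = '\0';
    return 0;
}

/* Builds a constructed "USER XXXX...\r\n" line with n 'X' characters and
 * reports whether the hardened parser accepts it (1) or rejects it (0).
 * Used to show the exact boundary of the check. */
int accepts_user_of_length(size_t n)
{
    char line[4096];
    if (n + 8 > sizeof line)
        return 0;                         /* keep the test line itself bounded */
    memcpy(line, "USER ", 5);
    memset(line + 5, 'X', n);
    memcpy(line + 5 + n, "\r\n", 3);      /* copies CR, LF and the NUL */
    struct pop_state st;
    memset(&st, 0, sizeof st);
    return pop_user_safe(&st, line) == 0;
}

int main(void)
{
    printf("USER with 10 X:  %s\n", accepts_user_of_length(10) ? "accepted" : "rejected");
    printf("USER with 63 X:  %s\n", accepts_user_of_length(63) ? "accepted" : "rejected");
    printf("USER with 64 X:  %s\n", accepts_user_of_length(64) ? "accepted" : "rejected");
    printf("USER with 200 X: %s\n", accepts_user_of_length(200) ? "accepted" : "rejected");
    return 0;
}
```

The 200-byte line mirrors the `'X' <repeats 200 times>` seen in the gdb output; with the bounded parser it is rejected before anything is copied, so the caller's frame stays intact. Detecting this class of defect without source access is what the original thread is struggling with; an over-long USER argument followed by a server crash (a `SIGSEGV` in the POP daemon's logs) is the observable symptom to watch for.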

