oss-sec mailing list archives
Re: heap overflow in procmail
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Sep 2014 21:32:51 -0600
So this is potentially a very bad issue, so I'm assigning a CVE, sorry Mitre (safe assumption: they're all tucked away in bed like normal sane people =). Please use CVE-2014-3618 for this issue.

On 03/09/14 12:52 PM, Tavis Ormandy wrote:
I noticed a heap overflow in procmail when parsing addresses with unbalanced quotes. I encountered this by accident when trying to organize a large usenet archive, this post to rec.arts.poems causes formail to crash.

https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ

I've attached an mbox for reference.

$ formail -s < mbox > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
Segmentation fault (core dumped)
$ rpm -q procmail
procmail-3.22-33.fc20.x86_64

It looks like the fix is

--- formisc.c 2013-08-04 00:13:33.000000000 -0700 +++ formisc.c 2014-09-03 11:42:25.986002396 -0700 @@ -84,12 +84,11 @@ case '"':*target++=delim='"';start++; } ;{ int i; - do + while(*start) if((i= *target++= *start++)==delim) /* corresponding delimiter? */ break; else if(i=='\\'&&*start) /* skip quoted character */ *target++= *start++; - while(*start); /* anything? */ } hitspc=2; }

Tavis.
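Review bot: in the copy loop that becomes `while(*start)`, nothing visible in this hunk bounds `target`: each pass stores one byte with `*target++= *start++` and the backslash branch stores a second, so the fix depends on the destination being at least as long as the remaining source. A comment stating that invariant at the `;{ int i;` block, or an explicit check, would make it reviewable. The loop body is also a brace-less `if`/`else if` chain hanging off the `while`; braces are worth adding now that the `do ... while(*start);` framing is gone, along with a comment that the pre-test is what keeps `start` from stepping past the terminating NUL when the quote consumed by `start++` in `case '"'` was the last character.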
-- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993