oss-sec mailing list archives

Re: heap overflow in procmail


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Sep 2014 21:32:51 -0600

This is potentially a very bad issue, so I'm assigning a CVE, sorry
Mitre (safe assumption: they're all tucked away in bed like normal sane
people =). Please use CVE-2014-3618 for this issue.

On 03/09/14 12:52 PM, Tavis Ormandy wrote:
I noticed a heap overflow in procmail when parsing addresses with
unbalanced quotes. I encountered this by accident when trying to
organize a large usenet archive, this post to rec.arts.poems causes
formail to crash.

https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ

I've attached an mbox for reference.

$ formail -s < mbox > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
Segmentation fault (core dumped)
$ rpm -q procmail
procmail-3.22-33.fc20.x86_64


It looks like the fix is

--- formisc.c 2013-08-04 00:13:33.000000000 -0700
+++ formisc.c 2014-09-03 11:42:25.986002396 -0700
@@ -84,12 +84,11 @@
  case '"':*target++=delim='"';start++;
       }
      ;{ int i;
- do
+ while(*start)
    if((i= *target++= *start++)==delim) /* corresponding delimiter? */
       break;
    else if(i=='\\'&&*start)    /* skip quoted character */
       *target++= *start++;
- while(*start); /* anything? */
       }
      hitspc=2;
    }
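Review bot: the pre-test is the whole fix, and it deserves a one-line comment on the new `while(*start)` line, because the hunk otherwise reads as a cosmetic do/while rewrite. With the original `do ... while(*start)`, the body runs once before `*start` is tested, so when the opening quote copied at `case '"':*target++=delim='"';start++;` is the last character of the field, the first iteration copies the NUL terminator into `target`, advances `start` past the end of the string, and the trailing `while(*start)` then keeps copying whatever follows the buffer until the next zero byte. Testing `*start` before the first copy stops the loop immediately on an empty remainder; the `i=='\\'&&*start` guard on the escape branch is unchanged and already covers a trailing backslash. Note that neither version terminates `target` here, so whatever code follows this block must still write the terminator after an unbalanced quote, now with fewer bytes copied than before.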


Tavis.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

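The following is an added example, not code from procmail or from either poster: a small model of the quoted-token copy loop that the patch above changes, run in both its original do/while shape and its patched while shape on a constructed input whose field ends in a lone opening quote. The default delimiter of a space, the `copy_quoted` function and the demo helpers are assumptions for the demo; the bytes placed after the NUL terminator stand in for whatever happens to follow the string in the heap, and are fixed so the read stays inside the array and the result is deterministic.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Model of the quoted-token copy loop in procmail's formisc.c (an assumption
 * about the surrounding code: unquoted tokens end at a space).  `fixed`
 * selects the patched loop shape (while) instead of the original (do-while).
 * Returns the number of bytes consumed from `start`; *written receives the
 * number of bytes stored at `target`, which must be at least as large as the
 * array that `start` points into.
 */
static size_t copy_quoted(const char *start, char *target, size_t *written, int fixed)
{
    const char *s = start;
    char *t = target;
    int delim = ' ';
    int i;

    if (*s == '"') {                  /* opening quote: copy it and set the delimiter */
        *t++ = delim = '"';
        s++;
    }
    if (fixed) {
        while (*s)                    /* patched: test for end of string first */
            if ((i = *t++ = *s++) == delim)
                break;
            else if (i == '\\' && *s)
                *t++ = *s++;
    } else {
        do                            /* original: copies one byte before testing, even the NUL */
            if ((i = *t++ = *s++) == delim)
                break;
            else if (i == '\\' && *s)
                *t++ = *s++;
        while (*s);                   /* after copying the NUL this reads past the string */
    }
    *written = (size_t)(t - target);
    return (size_t)(s - start);
}

/*
 * Constructed input: a field consisting of a single unbalanced opening quote.
 * The bytes after the terminating NUL ("XYZ") model heap data following the
 * string; the original loop copies them, the patched loop never reads them.
 */
static size_t demo(int fixed, size_t *written)
{
    char in[16]  = { '"', '\0', 'X', 'Y', 'Z', '\0' };
    char out[16] = { 0 };
    return copy_quoted(in, out, written, fixed);
}

size_t demo_consumed(int fixed) { size_t w; return demo(fixed, &w); }
size_t demo_written(int fixed)  { size_t w; demo(fixed, &w); return w; }

/* A balanced quoted token (with an escaped inner quote) behaves the same either way. */
size_t balanced_consumed(int fixed)
{
    char in[16]  = "\"a\\\"b\" rest";   /* the field:  "a\"b" rest */
    char out[16] = { 0 };
    size_t w;
    return copy_quoted(in, out, &w, fixed);
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        size_t w;
        size_t c = demo(fixed, &w);
        printf("%s loop: consumed %zu bytes, wrote %zu (input had 1 byte before the NUL)\n",
               fixed ? "patched " : "original", c, w);
    }
    return 0;
}
```

With the original loop the demo consumes 5 bytes and writes 5, four of them from beyond the terminator; with the patched loop it consumes and writes only the quote itself. On a real heap the bytes past the NUL are whatever the allocator left there, so the copy keeps going until the next zero byte and lands outside `target`, which is the invalid-size corruption that glibc's free() reported above.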

