KSR[T]:
> Affected Program: filter ( part of the elm-2.4 package )

<...>

> Notes:          This was not a full audit on the elm2.4 package, or
>                 filter for that matter. At a glance, there appear
>                 to be numerous security problems.
>
>                 The filter included in elm-2.4ME+37 also appears to
>                 be vulnerable to the "save_embedded_address()" attack,
>                 but not to the "get_filter_rules()" attack.
>
>                 Filter will not be a part of elm 2.5, and is
>                 not supported in any way at this time. It is the
>                 Elm group's recommendation that filter not be used.
>
> Patch/Fix:
>
> -*- Begin elm 2.4 filter patch -*-
>
> diff -u filter/filter.c filter.new/filter.c
> --- filter/filter.c     Tue Feb  4 09:13:02 1997
> +++ filter.new/filter.c Tue Feb  4 09:17:38 1997
> @@ -429,7 +429,7 @@
>   **/
>
>  static int processed_a_reply_to = 0;
> -        char address[LONG_STRING];
> +        char address[MAX_LINE_LEN + 1];
>          register int i, j = 0;

Enlarging address just means that then there is an overflow in
strcpy(from,address);

    char to[VERY_LONG_STRING], from[LONG_STRING],
         subject[LONG_STRING],   /* from current message */
         sender[LONG_STRING];    /* from current message */

Better to fix the loop in save_embedded_address (*).

(This overflow is not necessarily exploitable.)

(In ME+ that strcpy is strfcpy(from,address,sizeof from) and therefore
bounds-checked.)

/ Kari Hurtta

(*) See the ME+ PL39 patch
    (http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz,
     ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz)
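Review bot: the hunk at filter.c line 429 only changes the size of `address` from LONG_STRING to MAX_LINE_LEN + 1 and adds no bound on how many bytes the surrounding loop writes into it, so the copy that overran `address` is still unbounded, and, as Kari Hurtta's reply points out, a larger `address` then overruns `from[LONG_STRING]` in `strcpy(from,address)` instead. Suggest bounding the fill loop in save_embedded_address() against `sizeof address` and replacing the later `strcpy(from,address)` with a length-limited copy, e.g. `strfcpy(from,address,sizeof from)` as the ME+ tree already does, so that every fixed-size destination is checked rather than the buffer merely being enlarged.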
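The point made in the reply, that growing the source buffer only moves an unbounded strcpy's overflow to the next fixed-size destination, is shown below with an added example. This is not Elm's code and not the ME+ patch: the LONG_STRING and MAX_LINE_LEN values are assumed, `bounded_copy` is an independent stand-in for the `strfcpy(dest, src, size)` the reply mentions, and `strcpy_would_overflow` and `demo_overflow_moved` are helpers written for this illustration.

```c
/* Added example, not Elm's code: why enlarging a source buffer does not
 * fix an unbounded strcpy, and what a bounded copy does instead. */
#include <stdio.h>
#include <string.h>

#define LONG_STRING   256     /* assumed value; Elm's headers are not on the page */
#define MAX_LINE_LEN  1024    /* assumed value */

/* Bounded copy in the style of the strfcpy(dest, src, sizeof dest) named in
 * the reply: copies at most size-1 bytes and always NUL-terminates.
 * Independent reimplementation, not the ME+ function. */
char *bounded_copy(char *dest, const char *src, size_t size)
{
    size_t n;
    if (size == 0)
        return dest;
    n = strlen(src);
    if (n >= size)
        n = size - 1;          /* truncate instead of running past dest */
    memcpy(dest, src, n);
    dest[n] = '\0';
    return dest;
}

/* Returns 1 if strcpy(dest, src) would write past a dest of dest_size bytes.
 * strcpy writes strlen(src)+1 bytes, terminator included. */
int strcpy_would_overflow(size_t src_len, size_t dest_size)
{
    return src_len + 1 > dest_size;
}

/* Models the post-patch situation: `address` can now hold MAX_LINE_LEN bytes,
 * but `from` is still from_size (LONG_STRING) bytes. Fills `address` with a
 * constructed address of addr_len bytes, copies it into `from` with the
 * bounded copy, and returns how many bytes a plain strcpy would have written
 * beyond the end of `from` (0 if it would have fit). */
size_t demo_overflow_moved(char *from, size_t from_size, size_t addr_len)
{
    char address[MAX_LINE_LEN + 1];   /* same size as the patched declaration */
    if (addr_len > MAX_LINE_LEN)
        addr_len = MAX_LINE_LEN;
    memset(address, 'A', addr_len);   /* constructed oversized address */
    address[addr_len] = '\0';
    bounded_copy(from, address, from_size);
    return strcpy_would_overflow(addr_len, from_size) ? addr_len + 1 - from_size : 0;
}

int main(void)
{
    char from[LONG_STRING];
    size_t excess = demo_overflow_moved(from, sizeof from, 600);
    printf("plain strcpy would overrun from[] by %zu bytes; "
           "bounded copy kept %zu chars\n", excess, strlen(from));
    return 0;
}
```

With the assumed sizes, a 600-byte address fits in the enlarged `address` but a plain `strcpy(from,address)` would write 345 bytes past `from`; the bounded copy keeps 255 characters plus the terminator. The fix that actually closes the bug is the length-limited copy into each fixed-size destination, not the larger source buffer.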
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:26 PDT