On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:

> > **** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
> > PLEASE UPGRADE IMMEDIATELY ***
>
> We hope that this information is accurate. Version 4.0.2 is not on the ftp
> server any more, and there is no patch from 4.0.2 to 4.0.3.
> We currently feel handicapped in our efforts to check the code for the
> changes wrt the buffer overflow.

The buffer overflow took place when a too-long argument was supplied to the
USER command (and apparently to some other commands too). Here's the gdb
backtrace I saved when I investigated this issue thanks to Gustavo Viscaino
(see http://www.nessus.com/bugs/nessus/fixed?id=385 if you are curious about
why I'm involved in this). Note that the command was USER XXXXX[....]XXXXX\r\n

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., src=0xbfffca54 'X' <repeats 200 times>...) at ../sysdeps/generic/strcpy.c:38
38 ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) bt
#0 strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., src=0xbfffca54 'X' <repeats 200 times>...) at ../sysdeps/generic/strcpy.c:38
#1 0x805078c in pop_user (p=0xbfffca2c) at pop_user.c:198
#2 0x8050e58 in qpopper (argc=1482184792, argv=0x58585858) at popper.c:321
#3 0x58585858 in ?? ()
Cannot access memory at address 0x58585858

Unfortunately, I did not get a copy of qpopper 4.0.2, so I can't really show
where the exact bug was.

> If the above statement is right, then SuSE distributions are not
> vulnerable. However, we wish to double-check such a claim. All kinds of

I really think it's not vulnerable. Qpopper 3.0.x is immune to this bug too.

-- Renaud
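The defect class behind that backtrace, as an added example that is not from this thread or from qpopper's own source: an unchecked strcpy() of the USER argument into a fixed buffer, beside a bounded parser that rejects an over-long or malformed argument instead of copying it. The 64-byte buffer size and the function names are assumptions; the real pop_user.c buffer size is not given on the page.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Assumed buffer size for the user name; the real qpopper size is not on the page. */
#define USER_BUF 64

/* The pattern in the backtrace: the USER argument is copied with strcpy()
 * into a fixed-size buffer, so anything longer than the buffer overwrites
 * whatever follows it on the stack (here the saved return address became 0x58585858). */
void copy_user_unchecked(const char *arg, char *user) {
    strcpy(user, arg);   /* no length check: the bug */
}

/* Bounded replacement: parse "USER <name>\r\n" and reject a missing, over-long
 * or non-printable argument. Returns 0 on success, -1 on rejection. */
static int parse_user_checked(const char *line, char *user, size_t user_sz) {
    const char *p = line;
    size_t n, i;
    if (strncasecmp(p, "USER", 4) != 0) return -1;   /* not a USER command */
    p += 4;
    while (*p == ' ') p++;
    n = strcspn(p, "\r\n");                           /* argument ends at CRLF */
    if (n == 0 || n >= user_sz) return -1;            /* empty, or no room for the NUL */
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)p[i]) || p[i] == ' ') return -1;
    memcpy(user, p, n);
    user[n] = '\0';
    return 0;
}

/* Run the checked parser on one constructed command line. */
int check_user_line(const char *line) {
    char user[USER_BUF];
    return parse_user_checked(line, user, sizeof user);
}

/* Build "USER XXX...X\r\n" with `count` X's, like the line in the backtrace. */
int check_repeated_x(size_t count) {
    char *line = malloc(count + 8);
    int rc;
    if (!line) return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'X', count);
    memcpy(line + 5 + count, "\r\n", 3);   /* includes the terminating NUL */
    rc = check_user_line(line);
    free(line);
    return rc;
}
```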
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 18:43:33 PDT