Date: Wed, 12 Mar 2003 05:05:41 +0100
From: Florian Heinz <heinz@...non-ag.de>
To: Randall Gellens <rg_public.1@...gg.qualcomm.com>
Subject: Re: QPopper 4.0.x buffer overflow vulnerability


On Tue, Mar 11, 2003 at 07:05:51PM -0800, Randall Gellens wrote:
> The first I heard of the problem was this morning.  Was any notice 
> sent to qpopper-bugs@...lcomm.com or qpopper-patches@...lcomm.com in 
> advance of the posting here?  If so, please let me know the details 
> so I can see what happened to the message.  If not, I'd like to know 
> why.

The cause for this bug is already identified and the fix is really
simple; I didn't see a reason to delay the post. It wasn't my intention
to cause you trouble; if I did so, I'm sorry. I had bad experiences
informing vendors in the past, so I skipped that in this case.
For example, some time ago I reported the (non-exploitable) bug in
pop_msg.c, line 254f.:
free(local_element.mdef_macro); /* From strdup */
return pop_msg(p, POP_SUCCESS, HERE, "Macro \"%s\" accepted",
               local_element.mdef_macro);
and I didn't get a reply. Perhaps you want to fix this flaw too, in fc2.

regards,

Florian Heinz
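
The ordering problem in the pop_msg.c snippet quoted above, shown with the release moved after the last use. This is an added example, not part of the original message and not Qpopper's code; `struct macro_def`, `dup_string`, `format_reply` and `accept_macro` are hypothetical stand-ins, and the input "DEBUG" is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: this struct and the helpers below only model the
 * shape of the snippet in the post; they are not Qpopper's definitions. */
struct macro_def { char *mdef_macro; };

/* Portable equivalent of strdup(): returns a heap copy or NULL. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Formats a reply into out; returns 0 on success, -1 on error or truncation. */
int format_reply(char *out, size_t outlen, const char *fmt, const char *arg)
{
    int n = snprintf(out, outlen, fmt, arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Corrected ordering: the reply is built while mdef_macro is still live,
 * and the heap copy is released only afterwards. */
int accept_macro(const char *name, char *out, size_t outlen)
{
    struct macro_def local_element;
    int rc;

    local_element.mdef_macro = dup_string(name);
    if (local_element.mdef_macro == NULL)
        return -1;
    /* The posted snippet calls free() at this point, so the "%s" argument
     * below would read memory that has already been released. */
    rc = format_reply(out, outlen, "Macro \"%s\" accepted",
                      local_element.mdef_macro);
    free(local_element.mdef_macro);      /* last use is above */
    local_element.mdef_macro = NULL;     /* leave no dangling pointer */
    return rc;
}

int main(void)
{
    char buf[64];
    if (accept_macro("DEBUG", buf, sizeof buf) == 0)  /* constructed input */
        puts(buf);
    return 0;
}
```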

