lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 10 Nov 2003 19:19:12 +0900
From: "Secure Net Service(SNS) Security Advisory" <>
Subject: [SNS Advisory No.69] Eudora "Reply-To-All" Buffer Overflow Vulnerability

SNS Advisory No.69
Eudora "Reply-To-All" Buffer Overflow Vulnerability

Problem first discovered on: Thu, 09 Jan 2003
Published on: Mon, 10 Nov 2003

  Eudora for Windows contains a buffer overflow vulnerability, which 
  could allow a remote attacker to execute arbitrary code.

Problem Description:
  The buffer overflow occurs when Eudora receives an e-mail message 
  with a  "From" or "Reply-To" header containing an unusually long string 
  of characters, and then attempts to "Reply To All."

Tested Versions:
  Eudora 5.1-J for Windows [Japanese]
  Eudora for Windows [English]
  Eudora 5.2.1 for Windows [English]

  Upgrade to the fixed version below:

  Eudora 5.1-Jr3 for Windows [Japanese] and above
  Eudora Version 6.0 for Windows [English] and above

Discovered by:
  Hisayuki Shinmachi

Chronology of Events:
   9 Jan 2003 :  We discovered the vulnerability
  21 Jan 2003 :  We reported the findings to EDGE Co., Ltd. and 
                 QUALCOMM Inc.
     Mar 2003 :  Eudora 5.1-Jr3 was released by EDGE Co., Ltd.
  25 Jun 2003 :  We reported the findings to CERT/CC and JPCERT/CC
                 because we didn't get any response from QUALCOMM Inc.
   4 Oct 2003 :  We confirmed that the problem has been fixed in Eudora 
                 Version 6.0 for Windows[English]
  10 Nov 2003 :  We disclosed this vulnerability

  The information contained in this advisory may be revised without prior 
  notice and is provided as it is. Users shall take their own risk when 
  taking any actions following reading this advisory. LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or by 
  the use of information provided here.

  This advisory can be found at the following URL: 

Secure Net Service(SNS) Security Advisory <>
Computer Security Laboratory, LAC

Powered by blists - more mailing lists