lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <88001FC5C453764CA6597FB2987424942402AD@SVEX03.dutchtone.nl>
From: allan.vanleeuwen at orangemail.nl (allan.vanleeuwen@...ngemail.nl)
Subject: Sylpheed-claws format string bug, yet still
	 sylpheed much better than windows

Hmm ... I think I missed the part where you explain your subject line ?


-----Original Message-----
From: Georgi Guninski [mailto:guninski@...inski.com] 
Sent: woensdag 22 oktober 2003 16:50
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Sylpheed-claws format string bug, yet still
sylpheed much better than windows


Georgi Guninski security advisory #61, 2003

Sylpheed-claws format string bug, yet still sylpheed much better than
windows

Systems affected:
Sylpheed-claws 0.9.6 - 0.9.4
Fixed in CVS


Risk: Medium
Date: 22 October 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/sylph.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
There is an exploitable format string in sylpheed claws which may be
exploited by malicous SMTP server.

Details:
The problem seems in:	
send_message.c 
alertpanel_error_log(err_msg);
The format string is missing.

How to reproduce:
Create a test account with smtp server localhost:1234
Then do:
perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234
Then send a message.
Actual result - sylpheed crashes.


Vendor status:
Notified on  Fri, 3 Oct 2003
It was fixed in CVS on the same day.

Fix:
http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send
_message.c?r1=1.18&r2=1.19&diff_format=u
===================================================================
RCS file: /cvsroot/sylpheed-claws/sylpheed-claws/src/send_message.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- sylpheed-claws/sylpheed-claws/src/send_message.c	2003/09/27 21:01:26
1.18
+++ sylpheed-claws/sylpheed-claws/src/send_message.c	2003/10/03 17:39:39
1.19
@@ -608,7 +608,7 @@
 	if (log_msg)
 		log_warning("%s\n", log_msg);
 	if (err_msg) {
-		alertpanel_error_log(err_msg);
+		alertpanel_error_log("%s", err_msg);
 		g_free(err_msg);
 	}
 }

Regards,
Georgi Guninski
http://www.guninski.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
===========================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft
genomen om virussen in deze email of attachments te voorkomen, dient u ook
zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
aansprakelijk is voor computervirussen die veroorzaakt zijn door deze
email..

The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.
===========================================================



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ