[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1080246710.406341b6c4ba8@webmail.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities
"Emil v2 is a filter for converting Internet Messages. It supports
three basic formats: MIME, SUN Mailtool and plain old style RFC822."
It is an old program from SUNET (Swedish University NETwork).
Emil is one of the packages in SUSE Linux and Debian GNU/Linux. It
is also one of the ports in the FreeBSD Ports Collection.
The usual setup is that sendmail or procmail pipe messages from
the network to Emil.
At least versions 2.0.4, 2.0.5 and 2.1.0-beta9 are vulnerable to
several stack-based buffer overflows while parsing and otherwise
handling the filenames of attached files, while 2.1.0-beta9 also is
vulnerable to some rather obscure format string bugs while printing
error messages.
I have attached the archive emil.advisory-data.tar.gz, with a
security patch against 2.1.0-beta9 and three test messages.
testmail1 and run1.sh give an example of a buffer overflow that
occurs when converting files with long filenames from MIME to
uuencode.
testmail2 and run2.sh show a buffer overflow that occurs when
parsing uuencoded files with long filenames.
testmail3 and run3.sh show a buffer overflow that occurs when
converting SUN Mailtool files with long filenames to MIME.
--
Ulf Harnhammar
http://www.advogato.org/person/metaur/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: emil.advisory-data.tar.gz
Type: application/gzip
Size: 2855 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040325/cb50c1de/emil.advisory-data.tar.bin
Powered by blists - more mailing lists