lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1080246710.406341b6c4ba8@webmail.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities

"Emil v2 is a filter for converting Internet Messages. It supports
three basic formats: MIME, SUN Mailtool and plain old style RFC822."
It is an old program from SUNET (Swedish University NETwork).

Emil is one of the packages in SUSE Linux and Debian GNU/Linux. It
is also one of the ports in the FreeBSD Ports Collection.

The usual setup is that sendmail or procmail pipe messages from
the network to Emil.

At least versions 2.0.4, 2.0.5 and 2.1.0-beta9 are vulnerable to
several stack-based buffer overflows while parsing and otherwise
handling the filenames of attached files, while 2.1.0-beta9 also is
vulnerable to some rather obscure format string bugs while printing
error messages.

I have attached the archive emil.advisory-data.tar.gz, with a
security patch against 2.1.0-beta9 and three test messages.

testmail1 and run1.sh give an example of a buffer overflow that
occurs when converting files with long filenames from MIME to
uuencode.

testmail2 and run2.sh show a buffer overflow that occurs when
parsing uuencoded files with long filenames.

testmail3 and run3.sh show a buffer overflow that occurs when
converting SUN Mailtool files with long filenames to MIME.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: emil.advisory-data.tar.gz
Type: application/gzip
Size: 2855 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040325/cb50c1de/emil.advisory-data.tar.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ