lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <f3f9c70d0512152201u1d32d791u1d1e174f9ea1ab5f@mail.gmail.com>
Date: Fri Dec 16 12:49:58 2005
From: deepfear at gmail.com (oudad mehdi)
Subject: ZRCSA-200505: libremail - "pop.c" Format String
	Vulnerability

libremail - "pop.c" Format String Vulnerability

Zone-H Research Center Security Advisory 200505
http://www.zone-h.fr

Date of release: 16/12/2005
Software: libremail (http://libremail.tuxfamily.org/en/)
Affected versions: <= 1.1.0
Risk: Low/Medium
Discovered by: Mehdi Oudad "deepfear" from the Zone-H Research Team

Background
----------
libremail is a set of command line mail tools, it includes several
clients, and allows to filter mails.

from http://libremail.tuxfamily.org/en/trad.htm :
This web site is intended to present to you the whole part of
applications of electronic mail I developed.

These softwares functions under GNU/Linux and should normaly run
without any modification under the other UNIX systems.
On the other hand, I did not consider it useful (and a fortiori
priority) to adapt these applications to make them run also under
Windows.

Details
--------
There is a format string vulnerability in pop.c:

[...]
void lire_pop ()
{
    int posbuf;


    // initialisation
    posbuf = 0;

    // lecture jusqu'en fin de ligne ou de buffer
    do
        recv (sockfd, buf_lect + posbuf, 1, 0);
    while (buf_lect [posbuf++] != '\n' && posbuf < sz_buflect);

    // terminer la chaine de caract?res lue (on supprime \r\n)
    if (posbuf > 1 && buf_lect [posbuf - 2] == '\r')
        buf_lect [posbuf - 2] = '\0';
    else
        buf_lect [posbuf - 1] = '\0';

#ifdef DEBUG
    putchar ('<');
    printf (buf_lect);
#endif
}

It could be exploited by tricking a user into connecting to a
malicious pop server, or by sending a malicious mail (if the user
reads it through a pop server), however it requires that debug mode is
activated (not default setting).

Solution
---------
The vendor has published updated sources:
http://libremail.tuxfamily.org/en/dersources.htm

They will also be included in an upcoming version (with other bugfixes
and new features).

--
Original advisories:
English version: Check Zone-H.org (off atm)
French: http://www.zone-h.fr/fr/advisories/read/id=733

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ