Package: smail
Severity: grave
Tags: security patch
Justification: user security hole
[Dear security-team, this should affect Woody as well]

Sean <[EMAIL PROTECTED]> has discovered two vulnerabilities in smail that can be exploited to obtain root privileges:

1. A heap overflow in RFC 821 header parsing permits remote attackers that are able to connect to an SMTP server to execute code with root privileges.

2. Insecure signal handling may be exploitable to obtain extended privileges for local users as well.

For full details see http://www.securityfocus.com/archive/1/394286/2005-03-22/2005-03-28/0

It contains a fix for the heap overflow, which I attach to this report.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- addr.c 2004-08-27 01:46:17.000000000 -0500 +++ _addr.c 2005-03-25 01:00:44.423372480 -0500 @@ -217,10 +217,12 @@ ap++; if (*ap == '@') { /* matched host!(host!)[EMAIL PROTECTED] -- build the !-route */ - register char *p = xmalloc((size_t) strlen(address)); + size_t alen = strlen(address); + register char *p = xmalloc((size_t) alen + 1); DEBUG(DBG_ADDR_MID, "found host!(host!)[EMAIL PROTECTED] form--ugh!\n"); /* first part already !-route */ strncpy(p, address, (size_t) (ap - address)); + p[(ap - address)] = '\0'; if (mark_end) { *mark_end++ = '>'; /* widden the original address */ } @@ -231,7 +233,8 @@ *error); return NULL; } - strcat(p, ap); /* concatenate together */ + strncat(p, ap, alen-strlen(p)); /* concatenate together */ + p[alen] = '\0'; /* in case in wasn't NULL'd */ xfree(ap); DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p); *rest = mark_end;
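Review bot: In the first hunk (@@ -217), the cast in `register char *p = xmalloc((size_t) alen + 1);` is redundant since `alen` is already a size_t, and the new terminator write `p[(ap - address)] = '\0';` is in bounds only because `ap` points into `address` (so `ap - address < alen`); that invariant is what the whole allocation rests on and should be stated in a comment next to the xmalloc rather than left implicit. The `+ 1` itself is the right fix: with `(size_t) (ap - address)` characters copied, strncpy never stores a terminator, so the old `xmalloc((size_t) strlen(address))` left no byte for one.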
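Review bot: In the second hunk (@@ -231), `strncat(p, ap, alen-strlen(p));` trades the overflow for silent truncation: if the rewritten `ap` is longer than the space left in `p`, the tail of the route is dropped and a syntactically different address is returned with no error. Since `ap` is a separately allocated string, prefer computing `strlen(p) + strlen(ap)`, then either reallocating `p` or taking the existing `*error ... return NULL;` path. Note also that the size_t subtraction is safe only because `strlen(p) == ap - address < alen` after the first hunk's terminator, that strncat always writes a terminator so `p[alen] = '\0';` is redundant (harmless, but it hides the fact that nothing was truncated there), and that the comment `/* in case in wasn't NULL'd */` should read "it" rather than "in".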
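The off-by-one the patch closes, as an added C illustration that is not smail's code and not taken from the advisory: `old_overflow_bytes` computes how far the pre-patch sequence (xmalloc of strlen(address), an unterminated strncpy of the part before '@', then strcat of a separately built route) writes past its allocation in the best case, and `build_route_safe` is one hardened form that sizes the buffer from what will actually be written and terminates explicitly. The function names, the sample addresses and the `route` parameter (standing in for the rewritten string the original code concatenates) are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical reconstruction of the pattern visible in the smail patch,
 * not the project's code.  `address` is a "bang-path!user@domain" string;
 * the caller keeps the part before '@' and appends `route`, which here
 * stands in for the separately built string the original strcat()s.
 */

/*
 * Bytes the pre-patch sequence stores into p when p was allocated with
 * strlen(address) bytes:
 *   strncpy(p, address, at - address)  -> at - address bytes, no NUL
 *   strcat(p, route)                   -> strlen(route) bytes + 1 NUL
 * Returns how many of those bytes land beyond the allocation (0 if none).
 * This is the best case, where the byte after the copied prefix happens
 * to be zero; otherwise strcat's internal strlen reads further out and
 * the write lands even later.  Returns (size_t)-1 if there is no '@'.
 */
size_t old_overflow_bytes(const char *address, const char *route)
{
    const char *at = strchr(address, '@');
    if (at == NULL)
        return (size_t)-1;
    size_t alloc   = strlen(address);                     /* xmalloc(strlen(address)) */
    size_t written = (size_t)(at - address) + strlen(route) + 1;
    return written > alloc ? written - alloc : 0;
}

/*
 * Hardened form: size the buffer from what will actually be written
 * (prefix + route + terminator), copy with memcpy so no reliance on
 * strncpy adding a NUL, and set the terminator explicitly.
 * Returns a malloc'd string the caller frees, or NULL on bad input / OOM.
 */
char *build_route_safe(const char *address, const char *route)
{
    const char *at = strchr(address, '@');
    if (at == NULL)
        return NULL;
    size_t prefix = (size_t)(at - address);
    size_t rlen   = strlen(route);
    char *p = malloc(prefix + rlen + 1);                  /* +1 for the NUL */
    if (p == NULL)
        return NULL;
    memcpy(p, address, prefix);
    memcpy(p + prefix, route, rlen);
    p[prefix + rlen] = '\0';
    return p;
}

int main(void)
{
    /* Constructed sample input; "!host" is the same length as "@host",
     * so even a length-preserving rewrite overflows by the terminator. */
    const char *addr = "a!b!user@host";
    char *r = build_route_safe(addr, "!host");
    printf("old code overflows by %zu byte(s); hardened result: %s\n",
           old_overflow_bytes(addr, "!host"), r ? r : "(null)");
    free(r);
    return 0;
}
```

Even when the rewritten route is exactly as long as the "@domain" text it replaces, the old allocation is one byte short, which is the terminator strcat appends; a longer route widens the overwrite by its extra length, which is what makes the header-parsing path remotely reachable with attacker-chosen sizes.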