--- Original Message ---
Date: 1/13/2009
From: "Tomas Pospisek" <[email protected]>
Subject: [Bug 217485] Re: stack smashing detected
On Tue, 13 Jan 2009, James Westby wrote:
> The Debian bug suggests this is fixed, can anyone reproduce it
> on Intrepid or Jaunty?
I was debugging this for a while but it seemed to me that pgp4pine had
more than one character array overflow - string overflows nota bene which
are security relevant.
Here's one bug that's on public record:
pgp4pine (1.76-4) unstable; urgency=high
* [Security]: Fix read buffer overflow
Found by Eric AUGE:
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0122.html
Fix by Jacek Lipkowski:
http://archives.neohapsis.com/archives/vulndiscuss/2003-q1/0126.html
And here's a patch:
diff -ruN pgp4pine-1.76.orig/pgp4pine/menus.c
pgp4pine-1.76/pgp4pine/menus.c
--- pgp4pine-1.76.orig/pgp4pine/menus.c 2001-04-09 18:23:37.000000000
+0200
+++ pgp4pine-1.76/pgp4pine/menus.c 2008-05-08 14:52:39.000000000
+0200
@@ -34,11 +34,13 @@
executed, EOF breaks directly */
return;
}
- else if ((readline[i++]=c) == '\n')
+ else if ((readline[i]=c) == '\n')
{
+ if (i<(CONSOLE_IO_LINE_LENGTH-2)) i++;
readline[i]='\0';
fertig=1;
}
+ else if (i<(CONSOLE_IO_LINE_LENGTH-2)) i++;
}
fertig=0;
Since IMO pgp4pine has issues with overflows and upstream hasn't been
seen
in the wild for a while, pgp4pine should be killed. The question however
is how pine people would go about writing/reading gpg encrypted/signed
mails?
Could you please fix the Bug Status James?
*t)
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]