Bug#352482: metamail: crashes with very long boundaries in messages

2006-02-12 Thread Ulf Harnhammar 
Subject: metamail: crashes with very long boundaries in messages
Package: metamail
Version: 2.7-50
Severity: important
Tags: patch

Hello,

I have found that metamail crashes when processing messages with very long
boundaries. They cause a buffer overflow, which doesn't seem to be exploitable:


[EMAIL PROTECTED]:~$ /usr/bin/metamail < metamail.txt
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: metamail crash bug

*** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
Aborted
[EMAIL PROTECTED]:~$


I have attached a test message, as well as a patch.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages metamail depends on:
ii  libc6 2.3.5-13   GNU C Library: Shared libraries an
ii  libncurses5   5.5-1  Shared libraries for terminal hand

Versions of packages metamail recommends:
ii  mime-support  3.35-1 MIME files 'mime.types' & 'mailcap
ii  sharutils 1:4.2.1-15 shar, unshar, uuencode, uudecode

-- no debconf information



-- 
___
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: metamail crash bug
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary=UU
Content-Transfer-Encoding: 7bit

--UUU

Bug#352482: metamail: crashes with very long boundaries in messages

2006-02-13 Thread Ulf Harnhammar 
> BTW, what is in ./metamail, rather than ./src/metamail/??

I don't know. I noticed that the source is included twice, but I haven't looked 
into why that is the case. FWIW, if you just patch the source in src and not in 
., the resulting binaries seem to be fixed.

> > I have found that metamail crashes when processing messages with
> > very long boundaries. They cause a buffer overflow, which doesn't
> > seem to be exploitable:

> How is this not [potentially] exploitable?

Well, because of the error message that it prints, and because of the way 
things look in gdb (if I remember correctly, it crashes in strtok() or some 
similar function).  I've been taught that this signifies not being exploitable, 
but I may be wrong.

What do the others in the Debian Security Audit Project think about this?

// Ulf



-- 
___
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze

Bug#353539: metamail: crashes with very long filenames in messages

2006-02-19 Thread Ulf Harnhammar 
Subject: metamail: crashes with very long filenames in messages
Package: metamail
Version: 2.7-50
Severity: normal
Tags: patch

Hello,

metamail crashes if a message has a part with a very long filename and the
user interacts to save it under that name, which is clearly visible on the
screen:


[EMAIL PROTECTED]:~/recently$ /usr/bin/metamail < metamail2.txt
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: metamail crash bug #2

This message contains raw digital data, which can either be viewed as text
or written to a file.

What do you want to do with the raw data?
1 -- See it as text
2 -- Write it to a file
3 -- Just skip it
4 -- Give another content type

2
Please enter the name of a file to which the data should be written
(Default: 













) 
>
Segmentation fault
[EMAIL PROTECTED]:~/recently$


I have attached a patch and a test message.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages metamail depends on:
ii  libc6 2.3.5-13   GNU C Library: Shared libraries an
ii  libncurses5   5.5-1  Shared libraries for terminal hand

Versions of packages metamail recommends:
ii  mime-support  3.35-1 MIME files 'mime.types' & 'mailcap
ii  sharutils 1:4.2.1-15 shar, unshar, uuencode, uudecode

-- no debconf information

--- src/metamail/metamail.c.old 2006-02-19 13:18:51.0 +0100
+++ src/metamail/metamail.c 2006-02-19 13:20:35.0 +0100
@@ -385,6 +385,8 @@ int nestingdepth;
Fname[0] = 0;
 
 suggestedname = FindParam("name");
+if (strlen(suggestedname) > NAME_MAX - 50)
+suggestedname[NAME_MAX - 50] = '\0';
 if (!suggestedname) {
 MkTmpFileName(SugBuf);
 suggestedname = SugBuf;
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: metamail crash bug #2
MIME-Version: 1.0
Content-Type: application/octet-stream; 
name=
Content-Transfer-Encoding: quoted-printable

hi!=00=00

Bug#352482: It's a vuln

2006-02-22 Thread Ulf Harnhammar 
This is CVE-2006-0709 now.

Additionally, Red Hat sound confident that this is exploitable:

"This issue is a pretty standard heap based buffer overflow."

-- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181665

They have issued a security advisory with severity set to important:

https://rhn.redhat.com/errata/RHSA-2006-0217.html

// Ulf



-- 
___
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze