Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Sep 2014 11:52:11 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: heap overflow in procmail

I noticed a heap overflow in procmail when parsing addresses with
unbalanced quotes. I encountered this by accident when trying to
organize a large usenet archive, this post to rec.arts.poems causes
formail to crash.

https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ

I've attached an mbox for reference.

$ formail -s < mbox > /dev/null
*** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
Segmentation fault (core dumped)
$ rpm -q procmail
procmail-3.22-33.fc20.x86_64


It looks like the fix is

--- formisc.c 2013-08-04 00:13:33.000000000 -0700
+++ formisc.c 2014-09-03 11:42:25.986002396 -0700
@@ -84,12 +84,11 @@
  case '"':*target++=delim='"';start++;
       }
      ;{ int i;
- do
+ while(*start)
    if((i= *target++= *start++)==delim) /* corresponding delimiter? */
       break;
    else if(i=='\\'&&*start)    /* skip quoted character */
       *target++= *start++;
- while(*start); /* anything? */
       }
      hitspc=2;
    }


Tavis.

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ