Date: Wed, 03 Sep 2014 21:32:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: heap overflow in procmail

So this is potentially a very bad issue, so I'm assigning a CVE, sorry
Mitre (safe assumption: they're all tucked away in bed like normal sane
people =). Please use CVE-2014-3618 for this issue.

On 03/09/14 12:52 PM, Tavis Ormandy wrote:
> I noticed a heap overflow in procmail when parsing addresses with
> unbalanced quotes. I encountered this by accident when trying to
> organize a large usenet archive, this post to rec.arts.poems causes
> formail to crash.
> 
> https://groups.google.com/forum/message/raw?msg=alt.arts.poetry.comments/DCuLO3qzovI/CZk15MlfqNkJ
> 
> I've attached an mbox for reference.
> 
> $ formail -s < mbox > /dev/null
> *** Error in `formail': free(): invalid next size (fast): 0x00007f103784a080 ***
> Segmentation fault (core dumped)
> $ rpm -q procmail
> procmail-3.22-33.fc20.x86_64
> 
> 
> It looks like the fix is
> 
> --- formisc.c 2013-08-04 00:13:33.000000000 -0700
> +++ formisc.c 2014-09-03 11:42:25.986002396 -0700
> @@ -84,12 +84,11 @@
>   case '"':*target++=delim='"';start++;
>        }
>       ;{ int i;
> - do
> + while(*start)
>     if((i= *target++= *start++)==delim) /* corresponding delimiter? */
>        break;
>     else if(i=='\\'&&*start)    /* skip quoted character */
>        *target++= *start++;
> - while(*start); /* anything? */
>        }
>       hitspc=2;
>     }
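Review bot: the do/while to while(*start) change is the right fix, and the reason belongs in a comment beside the new `while(*start)` line rather than only in the removed `/* anything? */`: after the `start++` on the `case '"'` line above, an input whose last character is the opening quote leaves start on the terminating NUL, the do form copies that NUL into target before it is ever tested, and the trailing `while(*start)` then keeps copying whatever follows the string in memory until the next zero byte, which is the heap corruption behind the free() report. The `else if(i=='\\'&&*start)` branch already tests *start before consuming the escaped byte, so it needs no matching change. A regression test that runs formail over a header ending in an unbalanced quote (the attached mbox does this) would keep the pre-test from being lost again.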
> 
> 
> Tavis.
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
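As an added illustration (not code from this thread or from procmail), here is a memory-safe re-creation of the loop from the hunk, switchable between its pre-fix and post-fix shape, run on a constructed header that ends in an unbalanced quote; the names and sample strings are mine, not procmail's.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors the quoted-token loop in formisc.c: `start` points just past an
 * opening '"' (the delimiter), bytes are copied to `target` until the
 * closing '"', and a backslash escapes the byte after it.  Returns the
 * number of source bytes consumed.  while(*start){...} is exactly
 * if(*start) do{...}while(*start), so `fixed` only adds the pre-test. */
static size_t copy_token(const char *start, char *target, int fixed)
{
    size_t n = 0;
    int i;
    if (fixed && !start[0])
        return 0;                    /* while(*start): nothing to copy */
    do {                             /* do/while: copies before testing */
        i = target[n] = start[n];
        n++;
        if (i == '"')                /* corresponding delimiter? */
            break;
        if (i == '\\' && start[n]) { /* skip quoted character */
            target[n] = start[n];
            n++;
        }
    } while (start[n]);
    return n;
}

/* Constructed input: a header whose last character is an unbalanced quote.
 * HEAP_TAIL stands in for non-zero bytes that happen to follow the string
 * on the heap; keeping it inside this array keeps the demo itself in bounds. */
#define HEAP_TAIL "HEAPDATA"
static const char unbalanced[] = "Poet <poet@example.invalid> \"" "\0" HEAP_TAIL;
static const char balanced[] = "\"John Doe\" <jd@example.invalid>";

/* Entered at the terminator (where formisc.c is after start++ on the quote):
 * anything above 0 is an over-read of the source and a matching over-write
 * of the destination, which is the heap corruption reported in the thread. */
size_t overrun_bytes(int fixed)
{
    char target[sizeof unbalanced];
    return copy_token(unbalanced + strlen(unbalanced), target, fixed);
}

/* Well-formed input: both shapes stop at the closing quote. */
size_t balanced_bytes(int fixed)
{
    char target[sizeof balanced];
    return copy_token(balanced + 1, target, fixed);
}
```

With the pre-fix shape the call consumes the NUL plus all of HEAP_TAIL; with the post-fix shape it consumes nothing, while both agree on the well-formed address.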