Bug 12750

Summary: Lack of bounds checking in slrn-0.9.6.2-4
Product: [Retired] Red Hat Linux
Component: slrn
Version: 6.2
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: SB <satan>
Assignee: Bill Nottingham <notting>
CC: rvokal
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-06-22 18:00:15 UTC

Attachments:
  Patch for slrn-0.9.6.2-4 (flags: none)

Description SB 2000-06-20 04:57:26 UTC
"Lack" may be pushing it a bit, but there are a lot of unchecked
buffers in the slrn package in both slrn and slrnpull which can
be overflowed by things as simple as environmental variables.
There is also potential that newsgroups with long names may 
potentially be able to overrun a fixed-size buffer when an slrn
user selects that group, when replying to a message with a large
message id a fixed-buffer may potentially be overrun (have my 
doubts about this one, but I feel like mentioning it anyway), 
and when groups with large names are attempted to be spooled 
by slrnpull a buffer may be overwritten possibly allowing commands 
to be executed under uid and gid slrnpull is run as.  These problems
may allow code to be executed by users when viewing a newsgroup
without consent.  These are only POTENTIAL problems.  I've included
a patch for slrn-0.9.6.2-4 which attempts to convert my paranoia into
a safer slrn(pull).  The patch was just a minor effort on my part and some
of the changes may be unnecessary but some are...you'll want to make
changes to the patch for sure because I know not all my strings
etc may be null-terminated...etc...but please look...

The patch is attached (11k so I figured it would be kinder to attach
rather than shove into text box)

-Stan Bubrouski

Comment 1 SB 2000-06-20 04:58:49 UTC
Created attachment 618 [details]
Patch for slrn-0.9.6.2-4

Comment 2 Bill Nottingham 2000-06-22 18:00:14 UTC
*** Bug 12814 has been marked as a duplicate of this bug. ***

Comment 3 Bill Nottingham 2001-01-24 04:02:18 UTC
I applied this to slrn-0.9.6.4 when we built it; I contacted jed,
and he looked at the fixes and said none of them were exploitable.