Bug 107519
| Summary: | CAN-2003-0855 Pan crash on long email address | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Kasper Dupont <bugzilla> |
| Component: | pan | Assignee: | Jens Petersen <petersen> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-11-24 08:49:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Pan also dumps core while getting the list of newsgroups if the server does not send a ^M char at the end of each line. Okay, this is a known issue with patch available: http://bugzilla.gnome.org/show_bug.cgi?id=107025 We'll look at doing a security update to PAN. To follow up on this, the crash causes a null byte to be written to 0x00 which causes a crash but isn't able to be exploited further (therefore this is limited to a DoS). Errata in progress. CAN-2003-0855 RHSA-2003:311 in progress For the record, apparently this was fixed in 0.13.4. An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2003-311.html |
Description of problem: If you try to view a group with a posting with a long sender address pan core dumps. Version-Release number of selected component (if applicable): pan-0.13.3-3 How reproducible: Happens every time. Steps to Reproduce: 1. Post a message with a long address in From: 2. Try to view the group with pan Actual results: Pan dumps core Expected results: Pan views the group correctly possibly truncating the email address to a reasonable length. Additional info: The bug is listed as security because it is possibly a buffer overflow that could potentially be used to execute arbitrary code in every pan client viewing the group. The problem was first seen with a 702 character long email address in the posting <mlknecndwmlmnhrntstjauevkcntugtxzvxdvqueiivkcqurmwavvxs.dk> in the group dk.test on the server news.tele.dk.