Bug 107519 - CAN-2003-0855 Pan crash on long email address
Summary: CAN-2003-0855 Pan crash on long email address
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pan
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jens Petersen
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2003-10-19 22:38 UTC by Kasper Dupont
Modified: 2007-03-27 04:10 UTC

Clone Of:
Last Closed: 2003-11-24 08:49:19 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2003:311
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated Pan packages fix denial of service vulnerability
Last Updated: 2003-11-24 05:00:00 UTC

Description Kasper Dupont 2003-10-19 22:38:29 UTC
Description of problem:
If you try to view a group with a posting with a long sender address, pan core dumps.

Version-Release number of selected component (if applicable):

How reproducible:
Happens every time.

Steps to Reproduce:
1. Post a message with a long address in From:
2. Try to view the group with pan
Actual results:
Pan dumps core

Expected results:
Pan views the group correctly, possibly truncating the email address to a
reasonable length.

Additional info:
The bug is listed as security because it is possibly a buffer overflow that
could potentially be used to execute arbitrary code in every pan client viewing
the group.

The problem was first seen with a 702 character long email address in the
<mlknecndwmlmnhrntstjauevkcntugtxzvxdvqueiivkcqurmwavvxs@skrammel.yaboo.dk> in
the group dk.test on the server news.tele.dk.

Comment 1 Kasper Dupont 2003-10-22 13:32:17 UTC
Pan also dumps core while getting the list of newsgroups if the server does not
send a ^M char at the end of each line.

Comment 2 Mark J. Cox 2003-10-24 15:48:35 UTC
Okay, this is a known issue with patch available:

We'll look at doing a security update to PAN.

Comment 3 Mark J. Cox 2003-10-28 14:21:07 UTC
To follow up on this, the crash causes a null byte to be written to 0x00 which
causes a crash but isn't able to be exploited further (therefore this is limited
to a DoS).  Errata in progress.

RHSA-2003:311 in progress
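
Added example, not Pan's code and not taken from the fix: a defensive sketch of the two inputs reported above (an overlong From: address, and server lines without a trailing ^M), written so that a failed delimiter search is returned as an error instead of being written through. The function names, ADDR_MAX and the sample line are assumptions made for illustration; the root cause in Pan is not shown on this page.

```c
#include <stddef.h>
#include <string.h>

#define ADDR_MAX 64 /* assumed display limit, not a value taken from Pan */

/* Length of one server line without its terminator. Accepts CRLF, a bare
 * LF, or no terminator at all, so a missing ^M is not an error path. */
size_t line_len(const char *buf, size_t n)
{
    const char *lf = memchr(buf, '\n', n);
    size_t len = lf ? (size_t)(lf - buf) : n;
    if (len > 0 && buf[len - 1] == '\r')
        len--;
    return len;
}

/* Copy the address between '<' and '>' into out[outsz], truncating to fit.
 * Returns 0 if copied whole, 1 if truncated, -1 if no <...> pair exists. */
int extract_addr(const char *line, size_t len, char *out, size_t outsz)
{
    if (!line || !out || outsz == 0)
        return -1;
    out[0] = '\0';
    const char *lt = memchr(line, '<', len);
    if (!lt)
        return -1;
    const char *start = lt + 1;
    const char *gt = memchr(start, '>', len - (size_t)(start - line));
    if (!gt)
        return -1; /* a failed search is reported, never dereferenced */
    size_t alen = (size_t)(gt - start);
    int truncated = alen > outsz - 1;
    if (truncated)
        alen = outsz - 1;
    memcpy(out, start, alen);
    out[alen] = '\0';
    return truncated;
}

/* Constructed input: From: line with a 702-character address, LF only. */
int demo_long_from(char *out, size_t outsz)
{
    char line[800] = "From: <";
    size_t pos = strlen(line);
    memset(line + pos, 'a', 702);
    memcpy(line + pos + 702, ">\n", 3);
    return extract_addr(line, line_len(line, strlen(line)), out, outsz);
}
```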

Comment 4 Jens Petersen 2003-10-29 03:30:23 UTC
For the record, apparently this was fixed in 0.13.4.

Comment 6 Mark J. Cox 2003-11-24 08:49:19 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

