Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 108189 - CAN-2003-0855 Pan crash on long email address
CAN-2003-0855 Pan crash on long email address
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: pan (Show other bugs)
2.1
All Linux
low Severity medium
: ---
: ---
Assigned To: Jens Petersen
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-10-28 09:25 EST by Mark J. Cox
Modified: 2007-11-30 17:06 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-12-10 11:49:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:312 normal SHIPPED_LIVE Low: pan security update 2003-12-10 00:00:00 EST

  None (edit)
Description Mark J. Cox 2003-10-28 09:25:42 EST 
From bug 107519

If you try to view a group with a posting with a long sender address
pan core dumps.

Version-Release number of selected component (if applicable):
pan-0.13.3-3

How reproducible:
Happens every time.

Steps to Reproduce:
1. Post a message with a long address in From:
2. Try to view the group with pan
    
Actual results:
Pan dumps core

Expected results:
Pan views the group correctly possibly truncating the email address to a
reasonable length.

Additional info:
The bug is listed as security because it is possibly a buffer overflow
that
could potentially be used to execute arbitrary code in every pan
client viewing
the group.

The problem was first seen with a 702 character long email address in the
posting
<mlknecndwmlmnhrntstjauevkcntugtxzvxdvqueiivkcqurmwavvxs@skrammel.yaboo.dk>
in
the group dk.test on the server news.tele.dk.

This is a known issue with patch available:
http://bugzilla.gnome.org/show_bug.cgi?id=107025

To follow up on this, the crash causes a null byte to be written to
0x00 which causes a crash but isn't able to be exploited further
(therefore this is limited to a DoS).  Errata in progress.
Comment 1 Mark J. Cox 2003-10-28 09:26:23 EST 
RHSA-2003:312 in progress
Comment 2 Jens Petersen 2003-10-29 01:55:38 EST 
Errata packages submitting to QA.
Comment 3 Mark J. Cox 2003-12-10 11:49:05 EST 
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-312.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.