Red Hat Bugzilla – Bug 112078
CAN-2003-0966 buffer overflow in frm command
Last modified: 2007-11-30 17:06:53 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1)
Description of problem:
The url above contains a piece of spam that I got with a very long
subject line, that crashes the frm command with a core dump. This
sounds like a standard buffer overflow bug with the obvious possible
exploits of someone sending a maliciously crafted piece of mail that
takes over a user account when the recipient runs "frm". The whole
elm package probably should be audited for bugs like this. I've
opened a CERT incident report but didn't save the report number
(expected an email acknowledgement but haven't gotten one yet).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Download file in that url, save it in filename
2. Run "frm filename" from the shell
Actual Results: frm command crashes and leaves a core dump
Expected Results: frm should truncate over-long header lines when
frm|tail is my usual way of checking whether I have interesting (i.e.
non-spam) mail and I run it several times an hour. So it makes a real
Verified. This is a standard static buffer overflow that could be
exploited. Fortunately elm is quite old and is not included in any
Red Hat distribution since Red Hat Linux 8.0.
I've allocated CVE name CAN-2003-0966 for this issue. I'd like to
share this with other Linux distribution vendor security teams in case
they still ship elm. Please let me know if this is okay.
Created attachment 96552 [details]
patch for CAN-2003-0966
Yes of course feel free to notify other vendors, you shouldn't need my
permission. Also, as mentioned, I opened a CERT report.
The program with the bug is a useful one and if it's really removed
from new RH distributions, it'll cause me some nuisance since I'll
have to reinstall it when I upgrade to the next version. On the other
hand, the many other programs in that suite probably should all be
audited, which may not be worth the hassle any more.
On a brief investigation the code to implement 'from' in the updated
(forked?) Elm-ME looked like it had been completely rewritten to avoid
anything relating to a strcpy and fixed sized buffers. However it
would seem to me that the functionality of the 'frm' command could be
trivially written by a tiny perl or python script.
A number of other vendors are affected and some of them want time to
look for other issues in frm. I've proposed a public release date of
Jan 14th 2004 for this issue.
CAN-2003-0966 Affects: 2.1AS 2.1AW
CAN-2003-0966 Affects: 7.1 7.2 7.3 (now end of life, won't fix)
*** Bug 112356 has been marked as a duplicate of this bug. ***
When we update elm we'd like to acknowledge you in the advisory. If
you'd like credits please let us know your name.
Thanks, name is Paul Rubin.
Fixed in http://rhn.redhat.com/errata/RHSA-2004-009.html