Bug 12750 - Lack of bounds checking in slrn-0.9.6.2-4
Summary: Lack of bounds checking in slrn-0.9.6.2-4
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: slrn
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Keywords: Security
Duplicates: 12814
Depends On:
Blocks:
Reported: 2000-06-20 04:57 UTC by SB
Modified: 2014-03-17 02:14 UTC (History)
Last Closed: 2000-06-22 18:00:15 UTC


Attachments
Patch for slrn-0.9.6.2-4 (11.00 KB, patch)
2000-06-20 04:58 UTC, SB

Description SB 2000-06-20 04:57:26 UTC
"Lack" may be pushing it a bit, but there are a lot of unchecked
buffers in the slrn package in both slrn and slrnpull which can
be overflowed by things as simple as environmental variables.
There is also potential that newsgroups with long names may 
potentially be able to overrun a fixed-size buffer when an slrn
user selects that group, when replying to a message with a large
message id a fixed-buffer may potentially be overrun (have my 
doubts about this one, but I feel like mentioning it anyway), 
and when groups with large names are attempted to be spooled 
by slrnpull a buffer may be overwritten possibly allowing commands 
to be executed under uid and gid slrnpull is run as.  These problems
may allow code to be executed by users when viewing a newsgroup
without consent.  These are only POTENTIAL problems.  I've included
a patch for slrn-0.9.6.2-4 which attempts to convert my paranoia into
a safer slrn(pull).  The patch was just a minor effort on my part and some
of the changes may be unnecessary but some are...you'll want to make
changes to the patch for sure because I know not all my strings
etc may be null-terminated...etc...but please look...

The patch is attached (11k so I figured it would be kinder to attach
rather than shove into text box)

-Stan Bubrouski
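The pattern behind this report, as an added example that is not slrn's code or the attached patch: a fixed-size buffer filled from input the program does not control (an environment variable, or a newsgroup name received from the server) by a copy with no length check, next to a bounded copy that rejects a name that does not fit instead of writing past the buffer. The buffer size and function names are assumptions for illustration.

```c
/* Added example, not slrn's code: the unchecked copy this report is about,
 * next to a bounded replacement. GROUP_NAME_MAX and the function names are
 * assumptions, not values taken from slrn or slrnpull. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GROUP_NAME_MAX 64   /* hypothetical fixed buffer size */

/* The risky pattern: strcpy() copies until the source's NUL, however long
 * the source is, so a name of GROUP_NAME_MAX or more bytes runs past dst.
 * Kept only to contrast with the bounded version below. */
void copy_group_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded version: returns 0 and copies when the name plus its NUL fits in
 * dstsz bytes, otherwise returns -1 and leaves dst as an empty string so the
 * caller can refuse the group rather than silently truncate it. */
int copy_group_name_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;          /* e.g. an unset environment variable */
    n = strlen(src);
    if (n >= dstsz) return -1;           /* no room for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* getenv() may return NULL or an arbitrarily long string, so an environment
 * variable goes through the same bounded copy. */
int read_env_bounded(const char *name, char *dst, size_t dstsz)
{
    return copy_group_name_bounded(dst, dstsz, getenv(name));
}

/* Builds a constructed name of exactly len bytes and reports whether the
 * bounded copy accepts it: useful for checking the boundary itself. */
int try_name_of_length(size_t len)
{
    char buf[GROUP_NAME_MAX];
    char *name = malloc(len + 1);
    int rc;
    if (name == NULL) return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    rc = copy_group_name_bounded(buf, sizeof buf, name);
    free(name);
    return rc;
}
```

With a 64-byte buffer, a 63-character name is the longest that is accepted; 64 characters and above are refused rather than overrunning the buffer.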

Comment 1 SB 2000-06-20 04:58:49 UTC
Created attachment 618 [details]
Patch for slrn-0.9.6.2-4

Comment 2 Bill Nottingham 2000-06-22 18:00:14 UTC
*** Bug 12814 has been marked as a duplicate of this bug. ***

Comment 3 Bill Nottingham 2001-01-24 04:02:18 UTC
I applied this to slrn-0.9.6.4 when we built it; I contacted jed,
and he looked at the fixes and said none of them were exploitable.

