Bug 12750 - Lack of bounds checking in slrn-0.9.6.2-4
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: slrn
6.2
All Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Keywords: Security
Duplicates: 12814
Depends On:
Blocks:
Reported: 2000-06-20 00:57 EDT by SB
Modified: 2014-03-16 22:14 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-06-22 14:00:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Patch for slrn-0.9.6.2-4 (11.00 KB, patch), 2000-06-20 00:58 EDT, SB
Description SB 2000-06-20 00:57:26 EDT
"Lack" may be pushing it a bit, but there are a lot of unchecked
buffers in the slrn package in both slrn and slrnpull which can
be overflowed by things as simple as environmental variables.
There is also potential that newsgroups with long names may
potentially be able to overrun a fixed-size buffer when an slrn
user selects that group; when replying to a message with a large
message id a fixed buffer may potentially be overrun (have my
doubts about this one, but I feel like mentioning it anyway);
and when groups with large names are attempted to be spooled
by slrnpull a buffer may be overwritten, possibly allowing commands
to be executed under the uid and gid slrnpull is run as.  These problems
may allow code to be executed by users when viewing a newsgroup
without consent.  These are only POTENTIAL problems.  I've included
a patch for slrn-0.9.6.2-4 which attempts to convert my paranoia into
a safer slrn(pull).  The patch was just a minor effort on my part and some
of the changes may be unnecessary but some are...you'll want to make
changes to the patch for sure because I know not all my strings
etc may be null-terminated...etc...but please look...

The patch is attached (11k so I figured it would be kinder to attach
rather than shove into text box)

-Stan Bubrouski
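The report above describes two fixed-size-buffer hazards: copying an environment variable into a fixed buffer without a length check, and building a spool path from a newsgroup name whose length is not bounded. The following is an added illustration written for this page, not code from slrn, slrnpull or the attached patch. The helpers `copy_bounded`, `env_to_buffer` and `build_spool_path` are hypothetical names chosen here; the spool directory and group names in the comments are constructed sample values. It shows the two defensive policies a maintainer normally chooses between: truncate-and-terminate for values where a shortened string is harmless, and reject-on-overflow for values such as paths where a silently truncated result would be wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into a fixed-size dst, always writing a terminating NUL.
 * Returns 0 when the whole string fit, 1 when it had to be truncated,
 * and -1 on unusable arguments (NULL pointers or a zero-length buffer).
 * Hypothetical helper, not part of slrn. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t srclen;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    srclen = strlen(src);
    if (srclen >= dstsize) {
        /* Only dstsize-1 bytes fit; keep room for the NUL. */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, srclen + 1);   /* includes the NUL */
    return 0;
}

/* Read environment variable `name` into a fixed buffer.
 * A missing variable yields an empty string; an over-long value is
 * truncated instead of overrunning dst (the unsafe pattern would be
 * strcpy(dst, getenv(name)) with no length check at all). */
int env_to_buffer(const char *name, char *dst, size_t dstsize)
{
    const char *val = getenv(name);

    if (val == NULL)
        return copy_bounded(dst, dstsize, "");
    return copy_bounded(dst, dstsize, val);
}

/* Build "<spooldir>/<group>" into a fixed buffer. A truncated path could
 * point somewhere other than intended, so an over-long result is rejected
 * (-1) rather than shortened. Returns 0 on success. */
int build_spool_path(char *dst, size_t dstsize,
                     const char *spooldir, const char *group)
{
    int n;

    if (dst == NULL || spooldir == NULL || group == NULL || dstsize == 0)
        return -1;

    /* snprintf never writes past dstsize, and its return value tells us
     * how long the full path would have been. */
    n = snprintf(dst, dstsize, "%s/%s", spooldir, group);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';              /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char home[16];
    char path[32];

    /* Constructed sample: a 16-byte buffer for an environment value. */
    printf("HOME truncated: %d (%s)\n",
           env_to_buffer("HOME", home, sizeof home), home);

    /* Constructed sample: a long group name that must be rejected. */
    printf("long group accepted: %d\n",
           build_spool_path(path, sizeof path,
                            "/var/spool/slrnpull", "comp.lang.c.moderated"));
    return 0;
}
```

The key habit demonstrated is that every copy into a fixed buffer knows the buffer's size and reports what it did with the excess; callers then decide whether a truncated value is acceptable for that particular field.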
Comment 1 SB 2000-06-20 00:58:49 EDT
Created attachment 618 [details]
Patch for slrn-0.9.6.2-4
Comment 2 Bill Nottingham 2000-06-22 14:00:14 EDT
*** Bug 12814 has been marked as a duplicate of this bug. ***
Comment 3 Bill Nottingham 2001-01-23 23:02:18 EST
I applied this to slrn-0.9.6.4 when we built it; I contacted jed,
and he looked at the fixes and said none of them were exploitable.
