"Lack" may be pushing it a bit, but there are a lot of unchecked buffers in the slrn package in both slrn and slrnpull which can be overflowed by things as simple as environment variables. There is also potential that newsgroups with long names may potentially be able to overrun a fixed-size buffer when an slrn user selects that group; when replying to a message with a large message ID a fixed buffer may potentially be overrun (I have my doubts about this one, but I feel like mentioning it anyway); and when groups with large names are attempted to be spooled by slrnpull a buffer may be overwritten, possibly allowing commands to be executed under the uid and gid slrnpull is run as. These problems may allow code to be executed by users when viewing a newsgroup without consent. These are only POTENTIAL problems. I've included a patch for slrn-0.9.6.2-4 which attempts to convert my paranoia into a safer slrn(pull). The patch was just a minor effort on my part and some of the changes may be unnecessary but some are... You'll want to make changes to the patch for sure because I know not all my strings etc. may be null-terminated... etc... but please look... The patch is attached (11k, so I figured it would be kinder to attach rather than shove it into the text box).

-Stan Bubrouski
Created attachment 618: Patch for slrn-0.9.6.2-4
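The bug class the report above describes, as an added illustration that is not code from slrn, slrnpull, or the attached patch: a fixed-size group-name buffer filled with strcpy(), beside a bounded copy that always NUL-terminates and refuses over-length input instead of silently truncating it (a truncated newsgroup name would quietly select a different group). The same check is then applied to a getenv() result, since a process inherits whatever environment its caller sets. The buffer size, function names, variable name SLRN_EXAMPLE_VAR, and sample inputs are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() in the self-check below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GROUP_NAME_MAX 256        /* assumed fixed buffer size, for illustration */

static char current_group[GROUP_NAME_MAX];
char scratch[8];                  /* small buffer used by the self-checks */

/* Vulnerable pattern: no length check, so a name of GROUP_NAME_MAX bytes or
 * more overruns current_group and whatever the linker placed after it.
 * Shown only to make the bug class concrete; never call it on untrusted input. */
void select_group_unchecked(const char *name)
{
    strcpy(current_group, name);
}

/* Bounded copy: copies src into dst only if it fits, including the NUL, and
 * returns 0 on success or -1 (with dst emptied) when it does not.  memchr()
 * looks at most dstlen bytes of src, so an unterminated or very long src is
 * never read past the first dstlen bytes. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    const char *end;
    if (dstlen == 0)
        return -1;
    end = memchr(src, '\0', dstlen);
    if (end == NULL) {            /* no NUL within dstlen bytes: does not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the terminator */
    return 0;
}

/* Hardened replacement for select_group_unchecked(): the caller must treat -1
 * as "reject this group", not fall through with a partial name. */
int select_group_checked(const char *name)
{
    return bounded_copy(current_group, sizeof current_group, name);
}

const char *current_group_name(void)
{
    return current_group;
}

/* Environment case: the value comes from whoever started the process, and
 * nothing limits its length, so it gets the same bounded copy. */
int read_env_bounded(const char *var, char *dst, size_t dstlen)
{
    const char *val = getenv(var);
    if (val == NULL) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    return bounded_copy(dst, dstlen, val);
}

/* Self-check: a group name longer than the buffer is rejected and the
 * buffer left empty rather than partially overwritten. */
int overlong_name_is_rejected(void)
{
    char longname[GROUP_NAME_MAX + 64];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return select_group_checked(longname) == -1 && current_group[0] == '\0';
}

/* Self-check for the environment path: an over-long value is rejected, a
 * short one copied intact, and an unset variable reported as -1. */
int env_demo_ok(void)
{
    char buf[32];
    char big[300];
    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (setenv("SLRN_EXAMPLE_VAR", big, 1) != 0)
        return 0;
    if (read_env_bounded("SLRN_EXAMPLE_VAR", buf, sizeof buf) != -1 || buf[0] != '\0')
        return 0;
    if (setenv("SLRN_EXAMPLE_VAR", "~/News", 1) != 0)
        return 0;
    if (read_env_bounded("SLRN_EXAMPLE_VAR", buf, sizeof buf) != 0 || strcmp(buf, "~/News") != 0)
        return 0;
    if (read_env_bounded("SLRN_EXAMPLE_VAR_NOT_SET", buf, sizeof buf) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("short name accepted : %d\n", select_group_checked("comp.os.linux") == 0);
    printf("long name rejected  : %d\n", overlong_name_is_rejected());
    printf("env values bounded  : %d\n", env_demo_ok());
    return 0;
}
```

The point of returning -1 rather than truncating is that the safe replacement for an unchecked strcpy() is not always "the same copy, but shorter": for a key such as a newsgroup name or message ID, a silently shortened value is a different bug, so the over-length case has to become an explicit error at the call site.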
*** Bug 12814 has been marked as a duplicate of this bug. ***
I applied this to slrn-0.9.6.4 when we built it; I contacted jed, and he looked at the fixes and said none of them were exploitable.