Bug 152675 - buffer and integer overflows in metamail
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
Reported: 2004-02-18 14:03 EST by Michal Jaegermann
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Description David Lawrence 2005-03-30 18:23:35 EST
RHSA-2004:073-01 advisory describes bugs discovered by Ulf Harnhammar
in versions of metamail up to 2.7.  This affects at least RH73, and earlier,
installations.  I do not know about later distros; they may not include
metamail.

Source rpm from
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/metamail-2.7-29.src.rpm
recompiles "as is" and works too.  A patch supplied is kind of "obvious"
once you know where to look :-) and it is small wonder that such obvious bugs
were not noticed for so many years.

This is remotely exploitable by sending an appropriately crafted message to
a victim.



------- Additional Comments From jkeating@j2solutions.net 2004-02-18 14:09:53 ----

Michal, does this apply to RH7.2-8.0 ?



------- Additional Comments From michal@harddata.com 2004-02-18 14:16:25 ----

I do not know about RH8 (I do not have such installation around) but 7.2,
and also 7.1, do include the same version of metamail; hence the same
trouble and the same patch applies.  Actually the same binaries will work
through all 7.x distributions.



------- Additional Comments From bugs.michael@gmx.net 2004-02-18 22:14:42 ----

metamail was removed in rh80




------- Additional Comments From bugs.michael@gmx.net 2004-02-18 22:29:43 ----

RHEL 2.1AS erratum is a direct update of rh73's 2.7-28 package.

* missing "Buildrequires: libtermcap-devel"




------- Additional Comments From jkeating@j2solutions.net 2004-03-04 19:31:40 ----

Pushed to updates-testing.  updated to metamail-2.7-29.7.x.legacy, and used for
both 7.2/7.3.  Identical package.



------- Additional Comments From jpdalbec@ysu.edu 2004-03-10 07:30:05 ----


++VERIFY RH 7.3

705a844d64e11e4c7d13d70e2b7957bbb403a33f  libtool-1.4.2-13.legacy.i386.rpm
815821f416de6969939854dfa1a9215a93408040  libtool-libs-1.4.2-13.legacy.i386.rpm
a27699e22525617ba294320adaa58838bb7a6535  metamail-2.7-29.7.x.legacy.i386.rpm

* ldd output matches for all packages
* metamail passes basic functional tests (mimencode, attachment extraction)

I got a strange message from metamail, but it looks like this was caused by
the fact that wvHtml modifies /etc/mailcap on installation, but doesn't remove
the changes on uninstallation.
metamail output:
---
This message contains 'application/msword'-format data.
Do you want to view it using the 'mm.dWwOqN"' command (y/n) [y] ? n
---
/etc/mailcap entry:
---
application/msword; ns="%s"; tmp=`mktemp -q /tmp/${ns}.XXXXXX`; \
    /usr/bin/wvHtml "${ns}" -o ${tmp}; \
    netscape "file:${tmp}"; /bin/rm -f "${tmp}"
---
I guess the "command" string is coming from "file:${tmp}"?

* shadow-utils RPM builds OK with new libtool package - it uses libtoolize,
  --mode=compile, --mode=link, and --mode=install.




------- Additional Comments From michal@harddata.com 2004-03-10 21:35:48 ----

Do you have working /usr/bin/wvHtml?  I do not think that it ever shipped
as "standard" with any distribution.  This is part of wvWare which you
can find on Sourceforge.  If such action specified in 'mailcap' fails then
you see questions.

My "personal" mailcap entry for handling such attachments for a long while
reads:

application/msword; antiword %s; copiousoutput

but 'antiword' is something "extra" as well.




------- Additional Comments From jpdalbec@ysu.edu 2004-03-26 10:18:37 ----

I used to have wvHtml installed and I had my webmail software configured to use
it, but too many people were bothered by the fact that large documents took a
long time to convert and to render in the browser and also were not rendered
accurately.  I reconfigured the webmail software to serve up Word documents
as-is and removed wvWare.  I guess I forgot the /etc/mailcap change.
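
Added example, not part of the original thread and not metamail's own code: a small mailcap audit that splits entries as RFC 1524 defines them (';' separates fields unless backslash-escaped) and flags handler paths that no longer exist on disk. Run over the two application/msword entries quoted in the comments above, it shows that the wvHtml entry's view command is only `ns="%s"`, with the rest of the shell pipeline parsed as extra fields; the function names and the sample text are constructed for illustration.

```python
import os
import re

# Optional fields RFC 1524 defines after the view command.
FLAGS = {"needsterminal", "copiousoutput"}
NAMED = {"compose", "composetyped", "print", "edit", "test", "x11-bitmap",
         "textualnewlines", "description", "nametemplate"}

# Constructed sample: the two application/msword entries quoted in this thread.
SAMPLE = r'''application/msword; ns="%s"; tmp=`mktemp -q /tmp/${ns}.XXXXXX`; \
    /usr/bin/wvHtml "${ns}" -o ${tmp}; \
    netscape "file:${tmp}"; /bin/rm -f "${tmp}"
application/msword; antiword %s; copiousoutput
'''

def entries(text):
    """Yield (content_type, view_command, extra_fields) per mailcap entry."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):      # backslash-newline continues the entry
            buf += raw[:-1]
            continue
        line, buf = (buf + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        # ';' separates fields unless it is backslash-escaped
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]

def audit(text, exists=os.path.exists):
    """Return (content_type, problem) findings for a mailcap file's text."""
    findings = []
    for ctype, view, extra in entries(text):
        for field in extra:
            name = field.split("=", 1)[0].strip().lower()
            if field and name not in FLAGS | NAMED and not name.startswith("x-"):
                findings.append((ctype, "unescaped ';' splits command: " + field))
        for field in [view] + extra:
            words = field.split()
            if words and words[0].startswith("/") and not exists(words[0]):
                findings.append((ctype, "missing executable: " + words[0]))
    return findings

if __name__ == "__main__":
    for ctype, problem in audit(SAMPLE):
        print(ctype + ": " + problem)
```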



------- Additional Comments From rostetter@mail.utexas.edu 2004-04-05 11:09:18 ----

 
For better or worse, I installed the metamail-2.7-29.7.x.legacy on
my RH 8.0 machine which uses metamail, and it is working without
problem.  Since it works fine on RH 8.0 when not even designed for
8.0, I'd say it is pretty stable ;)  I vote to publish!




------- Additional Comments From skvidal@phy.duke.edu 2004-04-30 18:26:23 ----

 
Installed on 50-100 systems. No complaints from users, performs as expected.




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:23 -------

This bug previously known as bug 1305 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1305
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

