Description of problem:
Running newsx to fetch http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/109986 generates an
| *** stack smashing detected ***: newsx(news.gmane.org) gmane.mail.spam.spamassassin.general 109996 terminated
abort. This is caused by

--- src/getarticle.c ---
static int read_article(long where,char *group)
{
    char linebuf[MAX_HEADER_SIZE+1], *line;
    ...
    line=linebuf;
    ...
    for (;;) {
        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
        ...
        if (line[1]=='.') {
            /* escape-period, remove it */
            line++;
            len--;
-------------

i.e. 'line' grows and grows when a line starts with '.'. Having hundreds of such lines makes 'linebuf[]' overflow and it is possible to place arbitrary data on the stack.

The fix would probably be
| - if (!get_server_msg(line, MAX_HEADER_SIZE)) {
| + if (!get_server_msg(linebuf, MAX_HEADER_SIZE)) {
but it is untested.

Stack-smash detection protects against remote code execution. Nevertheless, it causes a lot of traffic (newsx fetches articles but aborts before updating the 'active' file).

Version-Release number of selected component (if applicable):
newsx-1.6-8.fc9.x86_64

How reproducible:
100%
mmh... it's too late and no coffee... The proposed fix won't work; instead, the 'line=linebuf' must be moved into the loop.
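A small C model of the loop quoted in the report and of the fix proposed in the comment above, added here as an illustration; it is not newsx code nor either of the attached patches, and MAX_HEADER_SIZE, the article lines and get_server_msg() are constructed stand-ins. Rather than letting the drifted read run past linebuf, it reports the point at which the original code would have done so, and shows that re-anchoring 'line' each iteration removes the drift.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for newsx's MAX_HEADER_SIZE, kept tiny so the pointer drift is visible. */
#define MAX_HEADER_SIZE 16

/* Constructed article as an NNTP server sends it: a leading period is dot-stuffed
 * to "..", and a lone "." terminates the article. */
static const char *article[] = {
    "..a", "..b", "..c", "..d", "..e", "..f", "..g", "..h", "..i",
    "..j", "..k", "..l", "..m", "..n", "..o", "..p", "..q", ".", NULL
};
static const char **cursor;          /* next line the fake server will deliver */

/* Stand-in for get_server_msg(): copies up to n characters plus NUL into buf,
 * returns 0 when nothing is left. */
static int get_server_msg(char *buf, int n)
{
    if (*cursor == NULL) return 0;
    snprintf(buf, (size_t)n + 1, "%s", *cursor++);
    return 1;
}

/* Walks the article the way read_article() does. With reset_each_line == 0 the
 * pointer is assigned once, as in newsx 1.6, so every dot-stuffed line leaves 'line'
 * one byte deeper in linebuf while the read size stays MAX_HEADER_SIZE. Returns -1
 * where that read would run past linebuf, otherwise the number of body lines. */
static int read_article_sim(const char **lines, int reset_each_line)
{
    char linebuf[MAX_HEADER_SIZE + 1];
    char *line = linebuf;            /* original: assigned once, before the loop */
    int count = 0;
    cursor = lines;
    for (;;) {
        if (reset_each_line) line = linebuf;   /* fix: re-anchor before every read */
        if (*cursor) {               /* how many bytes the next read writes at 'line' */
            size_t n = strlen(*cursor);
            if (n > (size_t)MAX_HEADER_SIZE) n = MAX_HEADER_SIZE;
            if ((size_t)(line - linebuf) + n + 1 > sizeof linebuf)
                return -1;           /* the real code would smash the stack here */
        }
        if (!get_server_msg(line, MAX_HEADER_SIZE))
            return count;            /* timeout: simply give up */
        if (line[0] == '.' && line[1] == '\0')
            return count;            /* end of article */
        if (line[0] == '.' && line[1] == '.')
            line++;                  /* escape-period, remove it */
        count++;
    }
}
```

With the 17 dot-stuffed lines above, the unfixed walk hits the overflow point after 14 of them, while the fixed walk processes all 17 and stops cleanly at the terminating ".".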
I believe your analysis is incorrect. The line pointer gets reset in

    if (!get_server_msg(line, MAX_HEADER_SIZE)) {
        /* timeout: simply give up */
        return 0;
    }

I'll try to reproduce the crash and see what I can do about it.
... or it actually doesn't get reset. After running it through gdb I can see that what you described is actually happening. I'll have a fixed build after I've tested the fix.
Created attachment 311653
patch to fix the issue

Attached patch fixes the issue. Updated build will be available shortly.
Created attachment 311654
patch to fix the issue

Obviously the previous patch is wrong. We can't access line[N] before it's initialised.
newsx-1.6-9.fc9 has been submitted as an update for Fedora 9
newsx-1.6-8.fc8 has been submitted as an update for Fedora 8
newsx-1.6-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
newsx-1.6-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-3252 was allocated for this issue: Stack-based buffer overflow in the read_article function in getarticle.c in newsx 1.6 allows remote attackers to execute arbitrary code via a news article containing a large number of lines starting with a period.