The mail command (all versions, including what ships with RH 6.0 and RH 6.1) is vulnerable to a binary zero in the first byte of a line of a mail message. When compiled with -O2 it gets a segmentation violation. Of course this is a bogus mail message, but some software generates it: I received SPAM recently that had '\0' in the magic place and was unable to use the mail command. When -O2 was not used at compilation, the segmentation violation did not occur.

I have attached a diff below showing one possible fix. For this diff, fio.c.old is the version with all shipped patches applied from mailx-8.1.1-9.src.rpm. Basically, the fix is to guarantee that there is at least one non-'\0' character in a line read from the message. If there is not (i.e., the first char is '\0') two problems occur:

1) count is zero, so "linebuf[count - 1] = 0" overlays the local variable "FILE *mestmp", causing a subsequent write to that file to get a segmentation violation since mestmp is invalid (this seems to occur only with -O2)

2) the manipulation of the message requires that there is some text in each line; an empty stored line is treated as the end of all messages.

[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c *** fio.c.old Fri Dec 31 16:00:49 1999 --- fio.c Sat Jan 1 16:12:06 2000 *************** *** 99,113 **** } makemessage(mestmp); return; } count = strlen(linebuf); (void) fwrite(linebuf, sizeof *linebuf, count, otf); if (ferror(otf)) { perror("/tmp"); exit(1); } ! linebuf[count - 1] = 0; if (maybe && linebuf[0] == 'F' && ishead(linebuf)) { msgCount++; if (append(&this, mestmp)) { perror("temporary file"); --- 99,128 ---- } makemessage(mestmp); return; } + /* + * In case we read some non-text, make sure there is + * at least one char before '\0'. Otherwise, we'll + * blow up later. + */ + + if (linebuf[0] == '\0') + linebuf[0] = '.'; + count = strlen(linebuf); (void) fwrite(linebuf, sizeof *linebuf, count, otf); if (ferror(otf)) { perror("/tmp"); exit(1); } ! ! /* ! 
* zap '\n' at end of line if there is one; ! * there won't be one if line length is >= than LINESIZE; ! */ ! if (linebuf[count - 1] == '\n') ! linebuf[count - 1] = 0; if (maybe && linebuf[0] == 'F' && ishead(linebuf)){ msgCount++; if (append(&this, mestmp)) { perror("temporary file"); [root@k5 mailx-8.1.1]#
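Review bot: the new guard `if (linebuf[0] == '\0') linebuf[0] = '.';` only covers the first byte, so a NUL anywhere later in the line still makes `count = strlen(linebuf)` stop short: `fwrite(linebuf, sizeof *linebuf, count, otf)` then drops everything after the NUL, including the '\n', and the new `if (linebuf[count - 1] == '\n')` test never sees the newline it is meant to zap. The robust fix is a read loop that returns the number of bytes actually read, so count does not depend on strlen() at all; if the '.' substitution is kept, the comment should state that the byte stored in otf is altered from what was in the mailbox, and "if line length is >= than LINESIZE" should read "if line length is >= LINESIZE". The context line `if (maybe && linebuf[0] == 'F' && ishead(linebuf)){` also drops the space before `{` for no reason; leave that line as it was so the diff stays minimal.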
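The failure described in the report (a line whose first byte is NUL makes strlen() return 0, so linebuf[count - 1] indexes linebuf[-1]) can be reproduced and counted without the mailx sources. The example below is added here and is not the reporter's code nor code from mailx: it reads a constructed mailbox fragment with a length-returning loop instead of fgets()+strlen(), compares the byte count actually read against what strlen() would have reported, and tallies how many lines would have driven the original loop out of bounds or silently lost their tail. LINESIZE, the sample text, and the "From " prefix test (a stand-in for ishead()) are all assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define LINESIZE 128   /* constructed: stands in for mailx's LINESIZE */

/* Constructed mbox fragment (not from the report): three messages, the
 * second carrying a line whose first byte is NUL and a line with a NUL
 * in the middle.  sizeof-1 gives the true length including the NULs. */
static const char sample[] =
    "From alice Sat Jan  1 00:00:00 2000\n"
    "Subject: one\n"
    "\n"
    "body\n"
    "From bob Sat Jan  1 00:01:00 2000\n"
    "Subject: two\n"
    "\n"
    "\0junk\n"
    "mid\0dle\n"
    "From carol Sat Jan  1 00:02:00 2000\n"
    "Subject: three\n"
    "\n"
    "end\n";

struct scan {
    int messages;        /* "From " lines seen, the way the mailx loop bumps msgCount */
    int nul_first_lines; /* lines where strlen() == 0: the original indexes linebuf[-1] */
    int short_lines;     /* lines where strlen() stops before the bytes actually read */
    long bytes_read;     /* bytes the reader consumed */
    long bytes_stored;   /* bytes fwrite(linebuf, 1, strlen(linebuf)) would copy to otf */
};

/* Length-aware replacement for fgets(): reads up to and including '\n',
 * never relies on NUL termination, and reports how many bytes landed in
 * buf.  Returns 0 only at EOF with nothing read.  Assumes cap >= 2. */
static size_t read_line_nul_safe(FILE *f, char *buf, size_t cap)
{
    size_t n = 0;
    int c;
    while (n < cap - 1 && (c = getc(f)) != EOF) {
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';   /* terminator kept for callers that still want a C string */
    return n;
}

/* Walk a mailbox and compare what the original strlen()-driven loop would
 * have done with what the real byte count says.  The underflowing store
 * itself is never performed; it is only counted. */
static struct scan scan_mailbox(FILE *f)
{
    struct scan s = {0, 0, 0, 0, 0};
    char linebuf[LINESIZE];
    size_t len;

    while ((len = read_line_nul_safe(f, linebuf, sizeof linebuf)) > 0) {
        /* count = strlen(linebuf) in fio.c stops at the first NUL */
        const char *nul = memchr(linebuf, '\0', len);
        size_t count = nul ? (size_t)(nul - linebuf) : len;

        s.bytes_read += (long)len;
        s.bytes_stored += (long)count;
        if (count == 0)
            s.nul_first_lines++;   /* linebuf[count - 1] would be linebuf[-1] */
        else if (count < len)
            s.short_lines++;       /* tail after the NUL silently dropped */

        /* Strip the newline only when one is present, and use the real
         * length for the header test instead of trusting strlen(). */
        if (linebuf[len - 1] == '\n')
            linebuf[--len] = '\0';
        if (len >= 5 && memcmp(linebuf, "From ", 5) == 0)
            s.messages++;
    }
    return s;
}

/* Write the constructed sample to a temporary file and scan it. */
static struct scan scan_sample(void)
{
    struct scan empty = {0, 0, 0, 0, 0};
    FILE *f = tmpfile();
    if (f == NULL)
        return empty;
    fwrite(sample, 1, sizeof sample - 1, f);
    rewind(f);
    struct scan s = scan_mailbox(f);
    fclose(f);
    return s;
}

int main(void)
{
    struct scan s = scan_sample();
    printf("messages=%d nul_first=%d short=%d read=%ld stored=%ld\n",
           s.messages, s.nul_first_lines, s.short_lines,
           s.bytes_read, s.bytes_stored);
    return 0;
}
```

On the sample, the "\0junk" line is the report's case (count 0), and the "mid\0dle" line shows the related truncation: 173 bytes are read but only 162 would reach the temporary file through a strlen()-sized fwrite. Because the loop above keeps the true length, the newline check and the header test are made on the bytes that were actually read, which is the invariant the patch's first-byte guard only partially restores.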
*** Bug 3719 has been marked as a duplicate of this bug. ***

*** Bug 6859 has been marked as a duplicate of this bug. ***
I've applied your patch in mailx-8.1.1-10