qmail remote root patch
Anton Alin-Adrian
aanton at reversedhell.net
Mon Jan 19 11:55:19 PST 2004
Dinesh Nair wrote:
>On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
>
>
>>>Regarding the latest qmail vulnerability, I quickly coded this patch.
>>>Please double-check me if I am wrong here. Forward this to
>>>freebsd-security please.
>>>320c320
>>>< ++pos;
>>>---
>>>
>>>
>>>
>>>
>>>> if (pos>9) ++pos;
>>>>
>>>>
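Review bot: the replacement line `if (pos>9) ++pos;` at 320 inverts the bound, so the counter can never start advancing. The unified diff further down this page shows `pos = 0` being set on '\n'; after that reset the condition pos>9 is false, pos stays at 0 for the rest of the line, and the `pos == 7` and `pos == 1` checks in the same loop can no longer fire. If the intent is to cap the counter, the test should bound it from above (increment only while pos is still below the largest value any comparison uses), and the change should carry a comment naming the out-of-range value of pos it guards against.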
>>http://www.guninski.com/qmailcrash.html
>>
>>
>
>wouldn't it be better to switch pos from an int to a u_int ? or do
>specific bounds checking before incrementing pos ? this patch seems to
>_only_ increment pos if it's > 9, and reading the code will show you where
>you're going to get into some problems. :)
>
>Regards, /\_/\ "All dogs go to heaven."
>dinesh at alphaque.com (0 0) http://www.alphaque.com/
>+==========================----oOO--(_)--OOo----==========================+
>| for a in past present future; do |
>| for b in clients employers associates relatives neighbours pets; do |
>| echo "The opinions here in no way reflect the opinions of my $a $b." |
>| done; done |
>+=========================================================================+
>
>
>
>
>
Please look in the thread, I already posted:
--- qmail-smtpd.c Mon Jun 15 13:53:16 1998
+++ qmail-smtpd-patched.c Mon Jan 19 15:22:23 2004
@@ -316,8 +316,8 @@
if (flagmaybex) if (pos == 7) ++*hops;
if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
if (flagmaybey) if (pos == 1) flaginheader = 0;
+ ++pos;
}
- ++pos;
if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
}
switch(state) {
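Review bot: moving `++pos` above the `}` at old line 319 makes the increment conditional but leaves it unbounded, and the index in `"\r\n"[pos]` is still guarded only by `pos < 2`, which a negative pos also satisfies. The hunk does not show the condition of the block that brace closes; while that condition holds and no '\n' arrives (the only visible reset is `pos = 0` on newline), pos keeps growing, so if pos is a signed int, as the quoted reply suggests, the wrap is delayed rather than ruled out. I would saturate the counter once it is past the largest value compared against, or add an explicit lower bound next to `pos < 2`, and include the enclosing `if` in the context plus a short comment explaining why the increment now lives inside it.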