On 05.05.2009 at 00:00, <sv...@mk...> wrote:
> Author: m-a
> Date: 2009-05-04 17:00:18 -0500 (Mon, 04 May 2009)
> New Revision: 5291
>
> Modified:
> branches/BRANCH_6-3/pop3.c
> branches/BRANCH_6-3/report.c
> branches/BRANCH_6-3/smtp.c
> Log:
> Fix format string bugs.
Note that these are uncritical, meaning they cannot be exploited to mount
attacks on fetchmail. Analysis:
pop3.c uses generated data of the TOP 12345 1 form => no % here => safe.
smtp.c uses report() to print string literals without placeholders,
possibly translated through gettext. The English strings do not contain %
fields. => safe. Even if a translation introduced %-strings, gettext()
would reject such fuzzy translations and use the English text instead.
report.c was sort-of-unsafe, but the bug was visible only for around 8
minutes, and never part of a release. Never mind.
> Modified: branches/BRANCH_6-3/pop3.c
> ===================================================================
> --- branches/BRANCH_6-3/pop3.c 2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/pop3.c 2009-05-04 22:00:18 UTC (rev 5291)
> @@ -771,7 +771,7 @@
> int got_it;
> char buf [POPBUFSIZE+1];
> snprintf(buf, sizeof(buf), "TOP %d 1", num);
> - if ((ok = gen_transact(sock, buf )) != 0)
> + if ((ok = gen_transact(sock, "%s", buf)) != 0)
> return ok;
> got_it = 0;
> while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
>
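Review bot: On the changed gen_transact line the "%s" form is right, but since gen_transact takes a format, the snprintf into buf just above is now redundant for sending: gen_transact(sock, "TOP %d 1", num) would build the command in one step and leave no non-literal format here. buf itself has to stay declared, because the gen_recv loop below still reads into it.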
> Modified: branches/BRANCH_6-3/report.c
> ===================================================================
> --- branches/BRANCH_6-3/report.c 2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/report.c 2009-05-04 22:00:18 UTC (rev 5291)
> @@ -274,7 +274,7 @@
> if (partial_message_size_used != 0)
> {
> partial_message_size_used = 0;
> - report(errfp, partial_message);
> + report(errfp, "%s", partial_message);
> partial_suppress_tag = 1;
> }
> }
>
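Review bot: partial_message in the changed report() call is filled outside this hunk, so nothing visible here bounds what it may contain, and the "%s" deserves a one-line comment so it is not simplified back to report(errfp, partial_message) later. Declaring report() with a printf format attribute and building with -Wformat-security would make the compiler flag any such regression.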
> Modified: branches/BRANCH_6-3/smtp.c
> ===================================================================
> --- branches/BRANCH_6-3/smtp.c 2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/smtp.c 2009-05-04 22:00:18 UTC (rev 5291)
> @@ -55,7 +55,7 @@
> {
> SockPrintf(sock, "*\r\n");
> SockRead(sock, smtp_response, sizeof(smtp_response) - 1);
> - if (outlevel >= O_MONITOR) report(stdout, msg);
> + if (outlevel >= O_MONITOR) report(stdout, "%s", msg);
> }
> static void SMTP_auth(int sock, char smtp_mode, char *username, char
> *password, char *buf)
>
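Review bot: The return value of SockRead on the context line above the changed report() call is discarded, so a failed read of the server's reply goes unnoticed on this path; worth checking while this function is being touched. On the changed line itself, msg comes from outside this hunk, so a comment on the function stating that msg is printed verbatim and never used as a format would document the new contract for callers.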
> _______________________________________________
> fetchmail-svn mailing list
> fet...@li...
> https://lists.berlios.de/mailman/listinfo/fetchmail-svn
--
Matthias Andree
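
The "no % here => safe" reasoning in the analysis above, and the `"%s"` calling pattern the commit switches to, as an added example that is not fetchmail code. `report_buf`, `consumes_args` and `report_data` are hypothetical names, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style report(): formats into a caller
 * buffer. The attribute lets GCC/Clang check callers under -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int report_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if s, used as a printf format, would consume a variadic argument:
 * it contains a '%' that is not part of a literal "%%". */
static int consumes_args(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" prints a single '%' */
        return 1;                            /* "%x", "%n", trailing '%', ... */
    }
    return 0;
}

/* Calling pattern after the fix: data is an argument, never the format. */
static int report_data(char *out, size_t outlen, const char *data)
{
    return report_buf(out, outlen, "%s", data);
}

int main(void)
{
    char out[64];
    /* Constructed samples: generated command, escaped percent, hostile text. */
    const char *samples[] = { "TOP 12345 1", "quota 100%% used", "id=%x%x%n" };
    for (size_t i = 0; i < 3; i++) {
        report_data(out, sizeof out, samples[i]);
        printf("%-18s consumes_args=%d printed=\"%s\"\n",
               samples[i], consumes_args(samples[i]), out);
    }
    return 0;
}
```
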