[fetchmail-devel] recent format string fixes (was: r5291 - branches/BRANCH_6-3)

[Matthias A. <mat...@gm...>]

Am 05.05.2009, 00:00 Uhr, schrieb <sv...@mk...>:

> Author: m-a
> Date: 2009-05-04 17:00:18 -0500 (Mon, 04 May 2009)
> New Revision: 5291
>
> Modified:
>    branches/BRANCH_6-3/pop3.c
>    branches/BRANCH_6-3/report.c
>    branches/BRANCH_6-3/smtp.c
> Log:
> Fix format string bugs.

Note that these are uncritical, meaning they cannot be exploited to mount  
attacks on fetchmail. Analysis:

pop3.c uses generated data of the TOP 12345 1 form => no % here => safe.

smtp.c uses report() to print string literals without placeholders,  
possibly translated through gettext. The English strings do not contain %  
fields. => safe. Even if a translation introduced %-strings, gettext()  
would reject such fuzzy translations and use the English text instead.

report.c was sort-of-unsafe, but the bug was visible only for around 8  
minutes, and never part of a release. Nevermind.

> Modified: branches/BRANCH_6-3/pop3.c
> ===================================================================
> --- branches/BRANCH_6-3/pop3.c	2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/pop3.c	2009-05-04 22:00:18 UTC (rev 5291)
> @@ -771,7 +771,7 @@
>      int got_it;
>      char buf [POPBUFSIZE+1];
>      snprintf(buf, sizeof(buf), "TOP %d 1", num);
> -    if ((ok = gen_transact(sock, buf )) != 0)
> +    if ((ok = gen_transact(sock, "%s", buf)) != 0)
>         return ok;
>      got_it = 0;
>      while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
>
> Modified: branches/BRANCH_6-3/report.c
> ===================================================================
> --- branches/BRANCH_6-3/report.c	2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/report.c	2009-05-04 22:00:18 UTC (rev 5291)
> @@ -274,7 +274,7 @@
>      if (partial_message_size_used != 0)
>      {
>  	partial_message_size_used = 0;
> -	report(errfp, partial_message);
> +	report(errfp, "%s", partial_message);
>  	partial_suppress_tag = 1;
>      }
>  }
>
> Modified: branches/BRANCH_6-3/smtp.c
> ===================================================================
> --- branches/BRANCH_6-3/smtp.c	2009-05-04 21:52:32 UTC (rev 5290)
> +++ branches/BRANCH_6-3/smtp.c	2009-05-04 22:00:18 UTC (rev 5291)
> @@ -55,7 +55,7 @@
>  {
>      SockPrintf(sock, "*\r\n");
>      SockRead(sock, smtp_response, sizeof(smtp_response) - 1);
> -    if (outlevel >= O_MONITOR) report(stdout, msg);
> +    if (outlevel >= O_MONITOR) report(stdout, "%s", msg);
>  }
> static void SMTP_auth(int sock, char smtp_mode, char *username, char  
> *password, char *buf)
>
> _______________________________________________
> fetchmail-svn mailing list
> fet...@li...
> https://lists.berlios.de/mailman/listinfo/fetchmail-svn



-- 
Matthias Andree