Your message dated Sun, 10 Jun 2007 16:49:10 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#392452: /usr/sbin/exim_dbmbuild: buffer overflow in exim_dbmbuild
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: exim4-base
Version: 4.63-4
Severity: normal
File: /usr/sbin/exim_dbmbuild

Hello,

recently I noticed the following bits of code in the source file
src/exim_dbmbuild.c (function 'main'):

    int main(int argc, char **argv)
    {
    uschar  temp_dbmname[256];
    uschar  real_dbmname[256];
    ...
    Ustrcpy(temp_dbmname, argv[arg+1]);
    Ustrcat(temp_dbmname, ".dbmbuild_temp");
    ...
    sprintf(CS real_dbmname, "%s.db", temp_dbmname);

where 'Ustrcpy' and 'Ustrcat' are functionally equivalent to 'strcpy'
and 'strcat'.  Since command line arguments are not limited in size
and since the functions Ustrcpy, Ustrcat and sprintf do not include
any length checks on their arguments, this will easily overflow the
buffers 'temp_dbmname' and 'real_dbmname'.

Probably the following crash is a symptom of this:

    [EMAIL PROTECTED] [~] touch xxx
    [EMAIL PROTECTED] [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
    Segmentation fault

I hope this helps,
Jochen

-- Package-specific info:
Exim version 4.63 #1 built 01-Oct-2006 14:40:57
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September  6, 2005)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages exim4-base depends on:
ii  adduser                      3.97        Add and remove users and groups
ii  cron                         3.0pl1-98   management of regular background p
ii  debconf [debconf-2.0]        1.5.6       Debian configuration management sy
ii  exim4-config [exim4-config-2 4.63-4      configuration for the exim MTA (v4
ii  libc6                        2.3.6.ds1-6 GNU C Library: Shared libraries
ii  libdb4.3                     4.3.29-6    Berkeley v4.3 Database Libraries [
ii  lsb-base                     3.1-17      Linux Standard Base 3.1 init scrip
ii  netbase                      4.27        Basic TCP/IP networking system

Versions of packages exim4-base recommends:
ii  psmisc                        22.3-1     Utilities that use the proc filesy

-- debconf information excluded


--- End Message ---
--- Begin Message ---
Version: 4.67.1

On Sun, Jun 10, 2007 at 02:29:47PM +0100, Jochen Voss wrote:
> On Sun, Jun 10, 2007 at 03:19:23PM +0200, Marc Haber wrote:
> > > Probably the following crash is a symptom of this:
> > > 
> > >     [EMAIL PROTECTED] [~] touch xxx
> > >     [EMAIL PROTECTED] [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
> > >     Segmentation fault
> > 
> > It now says "file name is ridiculously overlong".
> 
> The problem seems to be fixed in current unstable.

Thanks, closing the bug.

>   The segmentation fault is still present in stable.

Yes, it's going to stay that way.

Greetings
Marc


-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

--- End Message ---
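
The name construction from the report, rewritten so that an over-long argument is rejected instead of overflowing the two 256-byte buffers. This is an added example, not Exim's code and not the actual upstream fix; the function name `build_dbm_names`, the macros and the error text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 256              /* same size as the buffers in the report */
#define TEMP_SUFFIX   ".dbmbuild_temp"
#define DB_SUFFIX     ".db"

/* Hypothetical helper: derive both file names from the command-line argument.
 * Returns 0 on success, -1 if either derived name would not fit its buffer. */
int build_dbm_names(const char *base,
                    char *temp_name, size_t temp_size,
                    char *real_name, size_t real_size)
{
    int n;

    /* snprintf never writes past temp_size and returns the length it
     * needed, so a result >= temp_size means the name was truncated. */
    n = snprintf(temp_name, temp_size, "%s%s", base, TEMP_SUFFIX);
    if (n < 0 || (size_t)n >= temp_size)
        return -1;

    /* As in the reported code, the real name is built from the temp name. */
    n = snprintf(real_name, real_size, "%s%s", temp_name, DB_SUFFIX);
    if (n < 0 || (size_t)n >= real_size)
        return -1;

    return 0;
}

int main(int argc, char **argv)
{
    char temp_dbmname[NAME_BUF_SIZE];
    char real_dbmname[NAME_BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <dbm-file-name>\n", argv[0]);
        return 2;
    }
    if (build_dbm_names(argv[1], temp_dbmname, sizeof temp_dbmname,
                        real_dbmname, sizeof real_dbmname) != 0) {
        fprintf(stderr, "file name too long\n");   /* fail closed, no copy done */
        return 1;
    }
    printf("%s\n%s\n", temp_dbmname, real_dbmname);
    return 0;
}
```

With 256-byte buffers the longest accepted argument is 238 bytes, because the two suffixes add 17 bytes and one byte is needed for the terminating NUL.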