Package: mailleds
Version: 0.93-11
Severity: important

Hello,

I have found a (probably security-related) bug in mailleds which causes
it to segfault when it is given the -M and -k parameters, but not
the -m parameter.

Demonstration:

$ mailleds -M -m foo -k
mailleds: no process running for SOMEUSER

$ mailleds -M -k
Segmentation fault

This is due to a bug in set_pidfilename() in pid.c:

        if(opt_maildir == 1) {
                i=strlen(opt_m);
                while(i && opt_m[i-1]!='/')
                        --i;
                j=strlen(opt_m)-i;
                size+=j;
        }

If opt_maildir == 1 (i.e. -M was given on the commandline) it tries to
calculate strlen(opt_m). As opt_m is only initialized when -m is given on
the commandline, this results in a strlen(NULL), which crashes the program.
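As an added illustration, not code from mailleds or from this report: a hypothetical reconstruction of the quoted suffix-length loop next to a guarded variant that refuses to proceed when -M is given without -m, instead of calling strlen() on a NULL pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the quoted loop from set_pidfilename():
 * length of the last path component of the -m argument. It dereferences
 * opt_m unconditionally, so a NULL opt_m (-M without -m) crashes the same
 * way the report describes. */
size_t maildir_suffix_len_unchecked(const char *opt_m)
{
    size_t i = strlen(opt_m);          /* strlen(NULL) -> segmentation fault */
    while (i && opt_m[i - 1] != '/')
        --i;
    return strlen(opt_m) - i;
}

/* Guarded variant: *ok is cleared and 0 is returned when -M was given but
 * -m was not, so the caller can reject the option combination instead of
 * dereferencing a NULL pointer. Without -M nothing is added. */
size_t maildir_suffix_len(int opt_maildir, const char *opt_m, int *ok)
{
    *ok = 1;
    if (!opt_maildir)
        return 0;                      /* no maildir suffix without -M */
    if (opt_m == NULL || *opt_m == '\0') {
        *ok = 0;                       /* -M requires -m: report, don't deref */
        return 0;
    }
    size_t len = strlen(opt_m);
    size_t i = len;
    while (i && opt_m[i - 1] != '/')
        --i;
    return len - i;
}

int main(void)
{
    int ok;
    /* Constructed sample path; mirrors "-M -m /home/user/Maildir". */
    size_t n = maildir_suffix_len(1, "/home/user/Maildir", &ok);
    printf("ok=%d suffix_len=%zu\n", ok, n);
    /* Mirrors "-M -k" with no -m: reported as an error, no crash. */
    n = maildir_suffix_len(1, NULL, &ok);
    printf("ok=%d suffix_len=%zu\n", ok, n);
    return 0;
}
```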

I found this bug when doing a security audit of some Debian packages.
Specifically, I used the bfbtester program on mailleds
(see http://packages.debian.org/unstable/source/bfbtester),
which pointed me in the right direction, and then proceeded by looking at
the code and using gdb.


As mailleds is setuid root, this bug could _potentially_ allow a local root
compromise. In this special case it doesn't seem to be possible, though.
Still, this bug should be fixed, maybe someone with more imagination
than I have is able to successfully exploit it.

Note: I have CC'd the upstream author.


// Uwe Hermann for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- 
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
