Package: mailleds
Version: 0.93-11
Severity: important

Hello,

I have found a (probably security-related) bug in mailleds which causes it to segfault when it is given the -M and -k parameters, but not the -m parameter. Demonstration:

    $ mailleds -M -m foo -k
    mailleds: no process running for SOMEUSER
    $ mailleds -M -k
    Segmentation fault

This is due to a bug in set_pidfilename() in pid.c:

    if(opt_maildir == 1) {
        i=strlen(opt_m);
        while(i && opt_m[i-1]!='/')
            --i;
        j=strlen(opt_m)-i;
        size+=j;
    }

If opt_maildir == 1 (i.e. -M was given on the command line) it tries to calculate strlen(opt_m). As opt_m is only initialized when -m is given on the command line, this results in a strlen(NULL), which crashes the program.

I found this bug when doing a security audit of some Debian packages. Specifically, I used the bfbtester program on mailleds (see http://packages.debian.org/unstable/source/bfbtester) which hinted me in the right direction, and then proceeded by looking at the code and using gdb.

As mailleds is setuid root, this bug could _potentially_ allow a local root compromise. In this special case it doesn't seem to be possible, though. Still, this bug should be fixed; maybe someone with more imagination than I have is able to successfully exploit it.

Note: I have CC'd the upstream author.

// Uwe Hermann for the Debian Security Audit Project
http://www.debian.org/security/audit/

--
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
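The basename-length loop from set_pidfilename() rewritten with the missing NULL check, as an added example that is not mailleds' own pid.c. The function names and the -1 error convention are assumptions made here; the loop body is the one quoted in the report.

```c
#include <stddef.h>
#include <string.h>

/* Faithful copy of the quoted logic: length of the part of opt_m
 * after its last '/'. Calling this with opt_m == NULL is exactly the
 * strlen(NULL) that makes mailleds -M -k segfault. */
static size_t maildir_basename_len_unchecked(const char *opt_m)
{
    size_t i = strlen(opt_m);
    while (i && opt_m[i - 1] != '/')
        --i;
    return strlen(opt_m) - i;
}

/* Hardened variant (assumed name): returns the number of bytes to add
 * to the pidfile name size, 0 when -M was not given, and -1 when -M
 * was given without -m so the caller can print a usage error and exit
 * instead of dereferencing NULL in a setuid-root binary. */
static long maildir_basename_len_checked(int opt_maildir, const char *opt_m)
{
    if (opt_maildir != 1)
        return 0;                 /* no maildir component requested */
    if (opt_m == NULL || *opt_m == '\0')
        return -1;                /* -M without -m: reject, do not crash */

    size_t i = strlen(opt_m);
    while (i && opt_m[i - 1] != '/')
        --i;
    return (long)(strlen(opt_m) - i);
}
```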