--- Original Message ---
Date: 1/13/2009
From: "Tomas Pospisek" <t...@sourcepole.ch>
Subject: [Bug 217485] Re: stack smashing detected
On Tue, 13 Jan 2009, James Westby wrote:
> The Debian bug suggests this is fixed, can anyone reproduce it
> on Intrepid or Jaunty?

I was debugging this for a while, but it seemed to me that pgp4pine had more than one character array overflow - string overflows, nota bene, which are security relevant.

Here's one bug that's on public record:

pgp4pine (1.76-4) unstable; urgency=high
  * [Security]: Fix read buffer overflow
    Found by Eric AUGE: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0122.html
    Fix by Jacek Lipkowski: http://archives.neohapsis.com/archives/vulndiscuss/2003-q1/0126.html

And here's a patch:

diff -ruN pgp4pine-1.76.orig/pgp4pine/menus.c pgp4pine-1.76/pgp4pine/menus.c --- pgp4pine-1.76.orig/pgp4pine/menus.c 2001-04-09 18:23:37.000000000 +0200 +++ pgp4pine-1.76/pgp4pine/menus.c 2008-05-08 14:52:39.000000000 +0200 @@ -34,11 +34,13 @@ executed, EOF breaks directly */ return; } - else if ((readline[i++]=c) == '\n') + else if ((readline[i]=c) == '\n') { + if (i<(CONSOLE_IO_LINE_LENGTH-2)) i++; readline[i]='\0'; fertig=1; } + else if (i<(CONSOLE_IO_LINE_LENGTH-2)) i++; } fertig=0;

Since IMO pgp4pine has issues with overflows and upstream hasn't been seen in the wild for a while, pgp4pine should be killed. The question, however, is how pine people would go about writing/reading gpg encrypted/signed mails?

Could you please fix the bug status, James?
*t)
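Review bot: the bound `i<(CONSOLE_IO_LINE_LENGTH-2)` added in both `+` lines stops the out-of-bounds write, but over-long input is now truncated silently: once `i` stops advancing, every further character up to the newline overwrites `readline[CONSOLE_IO_LINE_LENGTH-2]`, the terminator is still written, `fertig=1` is still set, and the caller receives a line that looks complete. Consider flagging truncation to the caller (or consuming and discarding the rest of the line explicitly) so a cut-off line is not processed as a full one, and document that `readline` is declared with `CONSOLE_IO_LINE_LENGTH` elements, which this hunk relies on but does not show.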