On Thu, 31 Aug 2000, Paul Slootman wrote:

> On Thu 31 Aug 2000, Paul Slootman wrote:
>
> > Yuck. Smells like a serious buffer overflow somewhere.
>
> Upon a quick glance, there indeed appear to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
> sprintf (buf + strlen (buf),"...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <[EMAIL PROTECTED]> from
> Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]>
Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3). This is only the tip of the iceberg, however. There is a source code scanner called its4 which checks for unsafe coding practices, and I ran it on imapd. The report was about a mile long :(

Oddly enough, I read that message and wasn't affected even though I use pine 4.21 and imapd.

-- 
Jaldhar H. Vyas <[EMAIL PROTECTED]>
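The bounded replacement for the thread's sprintf(buf + strlen(buf), ...) pattern, as an added C example that is not code from imap-4.7c or from either poster; it goes a step beyond a bare snprintf swap by computing the space actually left and reporting truncation instead of dropping it silently. The 8k buffer and the four header names come from the thread; the function names, the example address and the over-long X-Keywords value are constructed.

```c
#include <stdio.h>
#include <string.h>

#define HDRBUF 8192   /* the 8k header buffer the thread describes */

/* Bounded replacement for sprintf(buf + strlen(buf), ...): snprintf is given
 * the space that is actually left, so the write can never run past
 * buf[cap - 1]. Returns 1 if the whole line fit, 0 if it was truncated.
 * Constructed helper, not imap-4.7c code. */
static int append_header(char *buf, size_t cap, const char *name, const char *value)
{
    size_t used = strlen(buf);
    if (used >= cap)
        return 0;                       /* nothing left; buf is already full */
    int n = snprintf(buf + used, cap - used, "%s: %s\n", name, value);
    if (n < 0) {                        /* encoding error: leave buf as it was */
        buf[used] = '\0';
        return 0;
    }
    return (size_t)n < cap - used;      /* n >= remaining means snprintf truncated */
}

/* Build the From:/Status:/X-Status:/X-Keywords: block named in the thread.
 * Returns 1 if every header fit, 0 if any was truncated; buf is always
 * NUL-terminated and at most cap - 1 characters long either way. */
int build_headers(char *buf, size_t cap, const char *from, const char *status,
                  const char *xstatus, const char *keywords)
{
    int ok = 1;
    buf[0] = '\0';
    ok &= append_header(buf, cap, "From", from);
    ok &= append_header(buf, cap, "Status", status);
    ok &= append_header(buf, cap, "X-Status", xstatus);
    ok &= append_header(buf, cap, "X-Keywords", keywords);   /* value copied from the incoming message */
    return ok;
}

int main(void)
{
    static char buf[HDRBUF];
    static char keywords[HDRBUF * 2];               /* constructed over-long value */
    memset(keywords, 'A', sizeof keywords - 1);
    keywords[sizeof keywords - 1] = '\0';
    int ok = build_headers(buf, sizeof buf, "user@example.com", "RO", "", keywords);
    printf("fit=%d length=%zu (cap %d)\n", ok, strlen(buf), HDRBUF);
    return 0;
}
```

With the over-long value the call returns 0 and the buffer holds exactly HDRBUF - 1 characters, which is the condition a caller should log or reject rather than ignore.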