Hi, all.

I've discovered a bug in MIMEDefang versions up to 2.50. (2.51 is fixed.) The bug is a theoretical vulnerability only; I don't believe it's exploitable. Nevertheless, I suggest upgrading to 2.51 just to be prudent. A full description of the flaw follows.

Regards,

David.

MIMEDefang Flaw Description
===========================

In versions of MIMEDefang prior to 2.51, the "percent_encode" function in mimedefang.c had an error. An attacker could cause a single zero byte to be written up to 8kB beyond an allocated buffer. Note that this isn't a classic buffer overflow in which the attacker can write arbitrary data; instead, only a single zero byte can be written at an even memory address up to 8kB beyond the buffer.

In order to carry out this attack, the attacker must be able to force a sender or recipient address into MIMEDefang that is longer than approximately 4kB. Since Sendmail rejects e-mail addresses longer than about 2kB, we do not believe it's possible to actually exploit this flaw via an SMTP session. Furthermore, default permissions on the MIMEDefang socket should prevent a local attack, since the default permissions do not permit normal local users to connect to MIMEDefang.

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
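The flaw described above is a percent-encoder that can place its terminating zero byte outside the output buffer once the input is long enough. As an added illustration (not MIMEDefang's own code, and not a reconstruction of its actual bug), here is a hypothetical bounded `percent_encode` that reserves room for the terminator before every write and refuses input that would not fit; the 4 KiB address and 8 KiB buffer in the constructed check are assumptions that mirror the figures in the advisory, not values taken from mimedefang.c.

```c
#include <stddef.h>
#include <string.h>

/* Characters passed through unchanged; everything else becomes %XX. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' ||
           c == '.' || c == '@';
}

/* Hypothetical bounded encoder (illustration only, not MIMEDefang's code).
 * Returns the number of bytes written, excluding the NUL terminator, or -1
 * if the encoded output plus its terminator would not fit in out_size.
 * On failure it leaves an empty string in out and never writes past it. */
int percent_encode_bounded(const char *in, size_t in_len, char *out, size_t out_size)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (out_size == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        size_t need = is_unreserved(c) ? 1 : 3;
        /* The +1 accounts for the terminator: this is exactly the byte that
         * an unchecked encoder ends up writing beyond the buffer. */
        if (o + need + 1 > out_size) {
            out[0] = '\0';
            return -1;
        }
        if (need == 1) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Encode a C string into a small local buffer capped at `limit` bytes. */
int encode_with_limit(const char *s, size_t limit)
{
    char out[64];
    if (limit > sizeof out)
        limit = sizeof out;
    return percent_encode_bounded(s, strlen(s), out, limit);
}

/* Constructed worst case: a 4 KiB "address" where every byte expands to
 * three output characters, against an 8 KiB buffer. Returns -1 instead of
 * overrunning the buffer. (Sizes are assumptions, not MIMEDefang's.) */
int long_address_is_refused(void)
{
    char addr[4096];
    char out[8192];
    memset(addr, '<', sizeof addr);
    return percent_encode_bounded(addr, sizeof addr, out, sizeof out);
}
```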