Bug#309536: Possible security issue in mailleds.
Hi Dennis,

On Tue, May 17, 2005 at 11:38:51PM +0200, Dennis Stampfer wrote:
> Changing
> if(opt_maildir == 1) {
> to
> if(opt_maildir == 1 && opt_m) {
>
> will do the trick for -M -k. Do you have any notes on that?

That should prevent the segfault, I guess. Maybe you should add an error
message when -k is used together with any other parameters, AFAICS that
makes no sense anyways.

> > Note: I have CC'd the upstream author.
>
> Upstream is "dead". Since 1996..

Ah, ok. His email also bounced. I took the freedom to add mailleds to my
Unmaintained Free Software site:
http://www.unmaintained-free-software.org/wiki/Mailleds

Uwe.
--
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
Bug#309536: Possible security issue in mailleds.
Hi Uwe,

thanks for inspecting mailleds!

On Tue, May 17, 2005 at 10:03:13PM +0200, Uwe Hermann wrote:
(..)
> This is due to a bug in set_pidfilename() in pid.c:
>
> if(opt_maildir == 1) {
>   i=strlen(opt_m);
>   while(i && opt_m[i-1]!='/')
>     --i;
>   j=strlen(opt_m)-i;
>   size+=j;
> }
>
> If opt_maildir == 1 (i.e. -M was given on the commandline) it tries to
> calculate strlen(opt_m). As opt_m is only initialized when -m is given on
> the commandline, this results in a strlen(NULL), which crashes the program.

Changing

if(opt_maildir == 1) {

to

if(opt_maildir == 1 && opt_m) {

will do the trick for -M -k. Do you have any notes on that?

> Note: I have CC'd the upstream author.

Upstream is "dead". Since 1996..

Dennis
Bug#309536: Possible security issue in mailleds.
Package: mailleds
Version: 0.93-11
Severity: important

Hello,

I have found a (probably security-related) bug in mailleds which causes it
to segfault when it is given the -M and -k parameters, but not the -m
parameter.

Demonstration:

  $ mailleds -M -m foo -k
  mailleds: no process running for SOMEUSER
  $ mailleds -M -k
  Segmentation fault

This is due to a bug in set_pidfilename() in pid.c:

  if(opt_maildir == 1) {
    i=strlen(opt_m);
    while(i && opt_m[i-1]!='/')
      --i;
    j=strlen(opt_m)-i;
    size+=j;
  }

If opt_maildir == 1 (i.e. -M was given on the commandline) it tries to
calculate strlen(opt_m). As opt_m is only initialized when -m is given on
the commandline, this results in a strlen(NULL), which crashes the program.

I found this bug when doing a security audit of some Debian packages.
Specifically, I used the bfbtester program on mailleds (see
http://packages.debian.org/unstable/source/bfbtester) which hinted me in
the right direction, and then proceeded by looking at the code and using
gdb.

As mailleds is setuid root, this bug could _potentially_ allow a local root
compromise. In this special case it doesn't seem to be possible, though.
Still, this bug should be fixed, maybe someone with more imagination than
I have is able to successfully exploit it.

Note: I have CC'd the upstream author.

// Uwe Hermann for the Debian Security Audit Project
http://www.debian.org/security/audit/
--
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
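As an added example (not code from mailleds or from anyone in this thread): a small C reconstruction of the size computation quoted in the report, showing the unguarded path that dereferences a NULL opt_m beside the guarded form proposed in the thread. The function names, the long return type and the -1 "inconsistent options" result are assumptions for this illustration, not mailleds' own API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the loop in set_pidfilename(): length of the
 * last path component of opt_m (scan back to the last '/'), as the report
 * quotes it. Caller must pass a non-NULL string. */
static size_t maildir_basename_len(const char *opt_m)
{
    size_t i = strlen(opt_m);
    while (i && opt_m[i - 1] != '/')
        --i;
    return strlen(opt_m) - i;
}

/* "Before" form, constructed to match the report: opt_maildir (-M) is set
 * but opt_m (-m) was never initialised, so this reaches strlen(NULL). */
long pidfile_extra_bytes_buggy(int opt_maildir, const char *opt_m)
{
    long size = 0;
    if (opt_maildir == 1) {
        size += (long)maildir_basename_len(opt_m);   /* crashes when opt_m == NULL */
    }
    return size;
}

/* "After" form: only touch opt_m when it is set (the opt_maildir == 1 &&
 * opt_m check from the thread). Instead of silently skipping, -1 lets the
 * caller report that -M without -m is an inconsistent combination. */
long pidfile_extra_bytes_fixed(int opt_maildir, const char *opt_m)
{
    long size = 0;
    if (opt_maildir == 1) {
        if (opt_m == NULL)
            return -1;
        size += (long)maildir_basename_len(opt_m);
    }
    return size;
}

int main(void)
{
    /* Constructed inputs mirroring "-M -m foo" and "-M" without "-m". */
    printf("-M -m /home/user/Maildir -> %ld extra bytes\n",
           pidfile_extra_bytes_fixed(1, "/home/user/Maildir"));
    printf("-M without -m            -> %ld (rejected)\n",
           pidfile_extra_bytes_fixed(1, NULL));
    return 0;
}
```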