Bug#309536: Possible security issue in mailleds.

2005-05-18 Thread Uwe Hermann
Hi Dennis,

On Tue, May 17, 2005 at 11:38:51PM +0200, Dennis Stampfer wrote:
> Changing
> if(opt_maildir == 1) {
> to
> if(opt_maildir == 1 && opt_m) {
> 
> will do the trick for -M -k. Do you have any notes on that?
 
That should prevent the segfault, I guess. Maybe you should add an error
message when -k is used together with any other parameters; AFAICS that
makes no sense anyway.

 
> > Note: I have CC'd the upstream author.
> 
> Upstream is "dead". Since 1996..

Ah, ok. His email also bounced. I took the liberty of adding mailleds to my
Unmaintained Free Software site:

  http://www.unmaintained-free-software.org/wiki/Mailleds


Uwe.
-- 
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de  | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de




Bug#309536: Possible security issue in mailleds.

2005-05-17 Thread Dennis Stampfer
Hi Uwe,

thanks for inspecting mailleds!

On Tue, May 17, 2005 at 10:03:13PM +0200, Uwe Hermann wrote:
(..)
> This is due to a bug in set_pidfilename() in pid.c:
>
> if(opt_maildir == 1) {
>     i=strlen(opt_m);
>     while(i && opt_m[i-1]!='/')
>         --i;
>     j=strlen(opt_m)-i;
>     size+=j;
> }
>
> If opt_maildir == 1 (i.e. -M was given on the commandline) it tries to
> calculate strlen(opt_m). As opt_m is only initialized when -m is given on
> the commandline, this results in a strlen(NULL), which crashes the program.

Changing
if(opt_maildir == 1) {
to
if(opt_maildir == 1 && opt_m) {

will do the trick for -M -k. Do you have any notes on that?


> Note: I have CC'd the upstream author.

Upstream is "dead". Since 1996..


Dennis




Bug#309536: Possible security issue in mailleds.

2005-05-17 Thread Uwe Hermann
Package: mailleds
Version: 0.93-11
Severity: important

Hello,

I have found a (probably security-related) bug in mailleds which causes
it to segfault when it is given the -M and -k parameters, but not
the -m parameter.

Demonstration:

$ mailleds -M -m foo -k
mailleds: no process running for SOMEUSER

$ mailleds -M -k
Segmentation fault

This is due to a bug in set_pidfilename() in pid.c:

if(opt_maildir == 1) {
    i=strlen(opt_m);
    while(i && opt_m[i-1]!='/')
        --i;
    j=strlen(opt_m)-i;
    size+=j;
}

If opt_maildir == 1 (i.e. -M was given on the commandline) it tries to
calculate strlen(opt_m). As opt_m is only initialized when -m is given on
the commandline, this results in a strlen(NULL), which crashes the program.

I found this bug when doing a security audit of some Debian packages.
Specifically, I used the bfbtester program on mailleds
(see http://packages.debian.org/unstable/source/bfbtester),
which pointed me in the right direction, and then proceeded by looking at
the code and using gdb.


As mailleds is setuid root, this bug could _potentially_ allow a local root
compromise. In this special case it doesn't seem to be possible, though.
Still, this bug should be fixed, maybe someone with more imagination
than I have is able to successfully exploit it.

Note: I have CC'd the upstream author.


// Uwe Hermann for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- 
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de  | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de


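The following is an added example, not code from mailleds' pid.c nor from either poster. It models the set_pidfilename() size computation quoted in the report: the vulnerable guard that calls strlen(NULL) when -M is given without -m, beside the `&& opt_m` guard Dennis proposed, plus an option check in the spirit of Uwe's suggestion that -k should not be combined with other parameters. The function names, the return values and the "-M requires -m" rule are assumptions made for the illustration; only the opt_maildir/opt_m variables and the basename loop come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the last path component of s: 3 for "/var/mail/foo", 0 for a
 * path ending in '/'. Same loop as the quoted set_pidfilename() snippet. */
static size_t basename_len(const char *s)
{
    size_t i = strlen(s);
    while (i && s[i - 1] != '/')
        --i;
    return strlen(s) - i;
}

/* Vulnerable form from the report. opt_maildir is 1 when -M was given;
 * opt_m is the -m argument, or NULL when -m was not given. With -M and
 * no -m this calls strlen(NULL) and segfaults. Never call it with NULL. */
size_t pidfile_extra_vulnerable(int opt_maildir, const char *opt_m)
{
    size_t size = 0;
    if (opt_maildir == 1) {
        size += basename_len(opt_m);   /* strlen(NULL) when -m is absent */
    }
    return size;
}

/* Dennis's proposed guard: -M only extends the name when -m was given. */
size_t pidfile_extra_fixed(int opt_maildir, const char *opt_m)
{
    size_t size = 0;
    if (opt_maildir == 1 && opt_m) {
        size += basename_len(opt_m);
    }
    return size;
}

/* Uwe's suggestion: reject -k combined with any other option. The second
 * rule (-M without -m is an error) is an assumption of this example.
 * Returns 0 when the combination is acceptable, -1 with a message otherwise.
 * opt_kill is 1 when -k was given. */
int validate_options(int opt_kill, int opt_maildir, const char *opt_m)
{
    if (opt_kill && (opt_maildir || opt_m)) {
        fprintf(stderr, "mailleds: -k cannot be combined with other options\n");
        return -1;
    }
    if (opt_maildir && !opt_m) {
        fprintf(stderr, "mailleds: -M requires -m <maildir>\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs mirroring the report's two invocations. */
    printf("-M -m foo: extra = %zu\n", pidfile_extra_fixed(1, "foo"));
    printf("-M alone:  extra = %zu (no crash)\n", pidfile_extra_fixed(1, NULL));
    printf("-M -k:     validate = %d\n", validate_options(1, 1, NULL));
    return 0;
}
```

The guard alone only stops the crash; a setuid program should also refuse option combinations it cannot act on, so that a bad -M/-m/-k mix fails with a usage error before any file name is built.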