Package: ssmtp
Version: 2.64-4

I have a patch that fixes several issues with the parsing of the From line where a string scan could go off the end or the beginning of the string. For instance, if it finds a '(' (on a From line w/o a '<'...'>' bounded addr), it will scan past the end if no ')' is found. If a trailing ')' is found, it will scan past the beginning if no '(' is found. And the trailing-space stripping function has a bug that makes it unsafe if called on an empty (or white-space only) string (e.g. the parsing of a From line that has only trailing spaces could trigger that bug).
In each failure case the code can potentially write a zero byte somewhere outside of the string's memory, possibly corrupting malloc pointers or other nearby data. In the addr_parse() case there is also the potential to return a random section of memory as the parsed address.

My patch for these issues is here: http://opencoder.net/ssmtp-overscan.patch

..wayne..
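The three failure modes described in the report (a '(' with no closing ')', a trailing ')' with no '(', and trailing-space stripping on an empty or whitespace-only string) all come from scans whose only stop condition is finding a character, never the bounds of the buffer. The following C is an added illustration written for this page; it is not ssmtp's addr_parse() and not the patch linked above. The function names parse_from_addr() and strip_trailing_space() and the sample From lines are constructed for the example. Every scan is limited by the string's own length, the unbalanced cases are rejected instead of walked past either end, and the terminator is written only at an index that is known to lie inside the buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strip trailing whitespace in place. Safe on "" and on all-whitespace input:
 * len never goes below 0, so the terminator is always written inside s. */
static void strip_trailing_space(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1]))
        len--;
    s[len] = '\0';
}

/* Copy the address part of a From line into out (capacity outsz).
 * Handles "Name <user@host>", "user@host (Name)" and bare "user@host".
 * Returns 0 on success, -1 when the line is unbalanced, empty, or too long.
 * Hypothetical helper written for this example, not ssmtp's addr_parse(). */
static int parse_from_addr(const char *line, char *out, size_t outsz)
{
    size_t len = strlen(line);
    const char *start = line;
    const char *end = line + len;          /* one past the last character */
    const char *lt = memchr(line, '<', len);

    if (lt) {
        /* angle-bracket form: the address is what lies between '<' and '>' */
        const char *gt = memchr(lt + 1, '>', (size_t)(end - lt - 1));
        if (!gt)
            return -1;                     /* '<' with no '>': reject, don't overscan */
        start = lt + 1;
        end = gt;
    } else {
        const char *lp = memchr(start, '(', (size_t)(end - start));
        if (lp) {
            /* comment form: only honour the '(' if a ')' follows it inside the string */
            const char *rp = memchr(lp + 1, ')', (size_t)(end - lp - 1));
            if (!rp)
                return -1;                 /* '(' with no ')': reject instead of scanning past the end */
            end = lp;
        } else if (end > start && end[-1] == ')') {
            return -1;                     /* ')' with no '(': reject instead of scanning past the beginning */
        }
    }

    /* trim whitespace on both sides, staying inside [start, end) */
    while (start < end && isspace((unsigned char)*start))
        start++;
    while (end > start && isspace((unsigned char)end[-1]))
        end--;

    size_t n = (size_t)(end - start);
    if (n == 0 || n + 1 > outsz)
        return -1;                         /* whitespace-only line, or no room for the terminator */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* constructed sample From lines covering the cases from the report */
    const char *samples[] = {
        "Wayne <wayne@example.invalid>",
        "wayne@example.invalid (Wayne)",
        "wayne@example.invalid (Wayne",
        "wayne@example.invalid Wayne)",
        "   ",
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_from_addr(samples[i], buf, sizeof buf);
        printf("%-32s -> %s\n", samples[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The design choice worth noting is that the unbalanced inputs are rejected rather than "repaired": returning -1 is cheap for the caller to handle, whereas guessing an address from a malformed line is what produced the out-of-bounds reads and the stray zero-byte writes in the first place.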