At 04:09 PM 7/21/97 -0600, Pete Ashdown wrote:
>>From: djb@??? (D. J. Bernstein)
>>Source code pointers: exim checks for :include: in .forward files at
>>line 1031 of exim/parse.c. At line 1034 it defines a buffer of 256
>>characters. It copies the :include: filename into the buffer. If the
>>first character of the filename is not a slash, it returns immediately.
>>
>>Exploit: Run exim -bt you@???, with appropriate code in the
>>environment, with an appropriate :include: filename in ~/.forward.
Patch:
+ /* if len-9 > 256 then truncate the string! */
+ if (len > 255+9) len = 255+9;
strncpy(filename, s+9, len-9);
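Review bot: the comment on the first added line and the test on the second disagree, and the copy is still not guaranteed to be NUL-terminated. The comment says truncate when len-9 > 256, but `if (len > 255+9) len = 255+9;` cuts the filename at 255 characters; 255 is the right limit for a 256-byte buffer that needs a terminator, so the comment should say 255. When `strncpy(filename, s+9, len-9);` copies exactly 255 bytes, strncpy writes no NUL, so unless the code that follows (not shown here) stores one at filename[len-9], later string operations can read past the end of the buffer; add `filename[len-9] = 0;` after the copy. Silently shortening the name also means an over-long :include: line is accepted and then refers to a different path than the one written in .forward; rejecting it with an error when len-9 > 255, the way the existing leading-slash check already rejects non-absolute names, would be the safer behaviour.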
I don't have BSD so I can't test this, but this will definitely prevent the
buffer overflow.
A more intelligent patch might alloc/malloc space of the appropriate size,
but this is a faster fix.
--
Jawaid Bazyar | Affordable WWW & Internet Solutions
Interlink Advertising Svcs | for Small Business
bazyar@??? | P.O Box 641 (303) 781-3273
--The Future is Now!-- | Englewood, CO 80151-0641 (303) 789-4197 fax
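A bounds-checked version of the :include: filename copy that Bernstein's quoted description and the patch above are about, added here as an illustration; it is not code from exim or from either message. It assumes the same 256-byte destination buffer and the same 9-character ":include:" prefix the thread mentions; parse_include, check_item, item_yields, verdict and check_path_of_length are names chosen for this example, and the sample items are constructed. It differs from the posted patch in refusing an over-long path with an error instead of truncating it, and it always writes the terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the destination buffer; matches the 256-character buffer the
 * thread describes in parse.c (the real code's layout is an assumption). */
#define INCLUDE_BUF_SIZE 256

enum include_result {
    INCLUDE_OK = 0,           /* filename copied and NUL-terminated */
    INCLUDE_NOT_INCLUDE = 1,  /* item does not start with ":include:" */
    INCLUDE_NOT_ABSOLUTE = 2, /* filename is empty or not a full path */
    INCLUDE_TOO_LONG = 3      /* filename would not fit the buffer */
};

/* Parse one ":include:<path>" item of length len (item need not be
 * NUL-terminated). On success the path is copied into out with a
 * terminator. Over-long paths are refused instead of truncated, so a
 * different file can never be silently substituted for the one named. */
enum include_result parse_include(const char *item, size_t len,
                                  char out[INCLUDE_BUF_SIZE])
{
    const size_t prefix = strlen(":include:");  /* 9, as in the patch's s+9 */

    if (len < prefix || memcmp(item, ":include:", prefix) != 0)
        return INCLUDE_NOT_INCLUDE;

    size_t name_len = len - prefix;
    if (name_len == 0 || item[prefix] != '/')
        return INCLUDE_NOT_ABSOLUTE;

    /* Reserve one byte for the terminator: 255 characters is the maximum. */
    if (name_len >= INCLUDE_BUF_SIZE)
        return INCLUDE_TOO_LONG;

    memcpy(out, item + prefix, name_len);
    out[name_len] = '\0';
    return INCLUDE_OK;
}

/* Convenience wrapper for NUL-terminated items. */
enum include_result check_item(const char *item, char out[INCLUDE_BUF_SIZE])
{
    return parse_include(item, strlen(item), out);
}

/* Verdict only, for callers that do not need the copied path. */
enum include_result verdict(const char *item)
{
    char out[INCLUDE_BUF_SIZE];
    return check_item(item, out);
}

/* Returns 1 if item parses OK and yields exactly the expected path. */
int item_yields(const char *item, const char *expected)
{
    char out[INCLUDE_BUF_SIZE];
    return check_item(item, out) == INCLUDE_OK && strcmp(out, expected) == 0;
}

/* Build a constructed ":include:/aaaa..." item whose path is name_len
 * characters long and return the parser's verdict for it. */
enum include_result check_path_of_length(size_t name_len)
{
    const char *pfx = ":include:";
    size_t total = strlen(pfx) + name_len;
    char *item = malloc(total + 1);
    char out[INCLUDE_BUF_SIZE];
    enum include_result r;

    if (item == NULL)
        return INCLUDE_TOO_LONG;  /* treat allocation failure as a refusal */
    memcpy(item, pfx, strlen(pfx));
    memset(item + strlen(pfx), 'a', name_len);
    if (name_len > 0)
        item[strlen(pfx)] = '/';  /* keep it an absolute path */
    item[total] = '\0';

    r = parse_include(item, total, out);
    free(item);
    return r;
}

int main(void)
{
    printf("/etc/aliases -> %d\n", verdict(":include:/etc/aliases"));
    printf("relative     -> %d\n", verdict(":include:relative"));
    printf("255 chars    -> %d\n", check_path_of_length(255));
    printf("256 chars    -> %d\n", check_path_of_length(256));
    printf("300 chars    -> %d\n", check_path_of_length(300));
    return 0;
}
```

The 255/256 boundary is the point of the example: a 255-character path is the longest that fits a 256-byte buffer together with its terminator, and anything longer is reported as INCLUDE_TOO_LONG rather than cut short.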