[Exim] buffer overflow?

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Jens Steube
Data:  
Para: exim-users
Assunto: [Exim] buffer overflow?
hi exim users,

i think i have found some type of buffer overflow in exim but i dont know
100% if it is an problem
coming from exim (maybe procmail or an distribution problem?) - you should
have the answer..
i've tested it in debian's potato and sid release. both seems to have the
same problem.
playing around a little with it - here some examples:


--- see, the spool directory was empty. all ok.
mail@pioneer:/var/spool/exim/input# ls -l
total 0


--- as user:
atomi@pioneer:~$ mail `perl -e 'print "A" x 2000'`
Subject:
.
Cc:
No message, no subject; hope that's ok


--- the spool directory now:
mail@pioneer:/var/spool/exim/input$ ls -l
total 16
-rw-------    1 mail     mail           19 Jun 17 15:45 15BcrX-0001AO-00-D
-rw-------    1 mail     mail         8487 Jun 17 15:45 15BcrX-0001AO-00-H
^^^^^^ mail was not delivered?



--- running runq (dont want to wait for the cronjob!):
mail@pioneer:/var/spool/exim/input$ /usr/sbin/exim -q
2001-06-17 15:47:53 queue run: process 4493 crashed with signal 11 while
delivering 15BcrX-0001AO-00


--- here is some other funny example (after manualy cleaning the spool):
atomi@pioneer:~$ mail `perl -e 'print "A" x 619'`@A
Subject:
.
Cc:
No message, no subject; hope that's ok



--- the spool directory now:
mail@pioneer:/var/spool/exim/input$ ls -l
total 4
-rw-------    1 mail     mail         2928 Jun 17 15:51 "?-H
^^^^^ strange filename :)



--- and look:
mail@pioneer:/var/spool/exim/input$ /usr/sbin/exim -q
^^^^^ no segfault now?!





mail@pioneer:/var/spool/exim/input$ ls -l
total 4
-rw-------    1 mail     mail         2928 Jun 17 15:51 "?-H
^^^^^ but file still there?!





...i dont know if this is exploitable. but beside that, the default
installed
cronjob which runs runq all 15 mins will write an error-notice and is
stressing around :)

cu,
jens "atomi" steube