Hi Jens,
I can't reproduce this problem using a "manually-compiled" exim
(Exim version 3.22 #2 built 13-Jun-2001 13:36:44).
> -----Ursprüngliche Nachricht-----
> Von: exim-users-admin@??? [mailto:exim-users-admin@exim.org]Im
> Auftrag von Jens Steube
> Gesendet: Sonntag, 17. Juni 2001 16:18
> An: exim-users@???
> Betreff: [Exim] buffer overflow?
>
>
>
> hi exim users,
>
> i think i have found some type of buffer overflow in exim but i dont know
> 100% if it is an problem
> coming from exim (maybe procmail or an distribution problem?) - you should
> have the answer..
> i've tested it in debian's potato and sid release. both seems to have the
> same problem.
> playing around a little with it - here some examples:
>
>
> --- see, the spool directory was empty. all ok.
> mail@pioneer:/var/spool/exim/input# ls -l
> total 0
>
>
> --- as user:
> atomi@pioneer:~$ mail `perl -e 'print "A" x 2000'`
> Subject:
> .
> Cc:
> No message, no subject; hope that's ok
>
>
> --- the spool directory now:
> mail@pioneer:/var/spool/exim/input$ ls -l
> total 16
> -rw------- 1 mail mail 19 Jun 17 15:45 15BcrX-0001AO-00-D
> -rw------- 1 mail mail 8487 Jun 17 15:45 15BcrX-0001AO-00-H
> ^^^^^^ mail was not delivered?
>
>
> --- running runq (dont want to wait for the cronjob!):
> mail@pioneer:/var/spool/exim/input$ /usr/sbin/exim -q
> 2001-06-17 15:47:53 queue run: process 4493 crashed with signal 11 while
> delivering 15BcrX-0001AO-00
>
>
> --- here is some other funny example (after manualy cleaning the spool):
> atomi@pioneer:~$ mail `perl -e 'print "A" x 619'`@A
> Subject:
> .
> Cc:
> No message, no subject; hope that's ok
>
>
>
> --- the spool directory now:
> mail@pioneer:/var/spool/exim/input$ ls -l
> total 4
> -rw------- 1 mail mail 2928 Jun 17 15:51 "?-H
> ^^^^^ strange filename :)
>
>
> --- and look:
> mail@pioneer:/var/spool/exim/input$ /usr/sbin/exim -q
> ^^^^^ no segfault now?!
>
>
>
>
>
> mail@pioneer:/var/spool/exim/input$ ls -l
> total 4
> -rw------- 1 mail mail 2928 Jun 17 15:51 "?-H
> ^^^^^ but file still there?!
>
>
>
>
> ...i dont know if this is exploitable. but beside that, the default
> installed
> cronjob which runs runq all 15 mins will write an error-notice and is
> stressing around :)
>
> cu,
> jens "atomi" steube
>
>
>
>
> --
> ## List details at
http://www.exim.org/mailman/listinfo/exim-users Exim details at
http://www.exim.org/ ##