[exim-dev] [Bug 398] New: Buffer overflow in exim_dbmbuild?

Top Page
Delete this message
Reply to this message
Author: World Wide Web Owner
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 398] New: Buffer overflow in exim_dbmbuild?
http://www.exim.org/bugzilla/show_bug.cgi?id=398

           Summary: Buffer overflow in exim_dbmbuild?
           Product: Exim
           Version: 4.63
          Platform: All
               URL: http://bugs.debian.org/392452
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Unfiled
        AssignedTo: ph10@???
        ReportedBy: mh+exim-bugzilla@???
         QAContact: exim-dev@???



Hi,

this is Debian issue #392452, reported by Jochen Voss:
> recently I noticed the following bits of code in the source file
> src/exim_dbmbuild.c (function 'main'):
>
>     int main(int argc, char **argv)
>     {
>     uschar  temp_dbmname[256];
>     uschar  real_dbmname[256];
>     ...
>     Ustrcpy(temp_dbmname, argv[arg+1]);
>     Ustrcat(temp_dbmname, ".dbmbuild_temp");
>     ...
>     sprintf(CS real_dbmname, "%s.db", temp_dbmname)> ;

>
> where 'Ustrcpy' and 'Ustrcat' are functionally equivalent to 'strcpy'
> and 'strcat'. Since command line arguments are not limited in size
> and since the functions Ustrcpy, Ustrcat and sprintf do not include
> any length checks on their arguments, this will easily overflow the
> buffers 'temp_dbmname' and 'real_dbmname'.
>
> Probably the following crash is a symptom of this:
>
>     voss@burmah [~] touch xxx
>     voss@burmah [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
>     Segmentation fault


Greetings
Marc



------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.