http://www.exim.org/bugzilla/show_bug.cgi?id=398
Summary: Buffer overflow in exim_dbmbuild?
Product: Exim
Version: 4.63
Platform: All
URL: http://bugs.debian.org/392452
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Unfiled
AssignedTo: ph10@???
ReportedBy: mh+exim-bugzilla@???
QAContact: exim-dev@???
Hi,
this is Debian issue #392452, reported by Jochen Voss:
> recently I noticed the following bits of code in the source file
> src/exim_dbmbuild.c (function 'main'):
>
> int main(int argc, char **argv)
> {
> uschar temp_dbmname[256];
> uschar real_dbmname[256];
> ...
> Ustrcpy(temp_dbmname, argv[arg+1]);
> Ustrcat(temp_dbmname, ".dbmbuild_temp");
> ...
> sprintf(CS real_dbmname, "%s.db", temp_dbmname);
>
> where 'Ustrcpy' and 'Ustrcat' are functionally equivalent to 'strcpy'
> and 'strcat'. Since command line arguments are not limited in size
> and since the functions Ustrcpy, Ustrcat and sprintf do not include
> any length checks on their arguments, this will easily overflow the
> buffers 'temp_dbmname' and 'real_dbmname'.
>
> Probably the following crash is a symptom of this:
>
> voss@burmah [~] touch xxx
> voss@burmah [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
> Segmentation fault
Greetings
Marc
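For comparison, a length-checked way to build the two file names (an added example, not Exim's code; the function name build_dbm_names and the suffix macros are assumptions made here). It computes the final lengths first and refuses oversized input instead of overrunning the 256-byte stack buffers, so the 9999-byte argument from the report produces an error exit rather than a segfault.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical hardened replacement for the name-building step quoted in
 * the report (added example, not Exim's own code). The quoted original does
 *   Ustrcpy(temp_dbmname, argv[arg+1]);
 *   Ustrcat(temp_dbmname, ".dbmbuild_temp");
 *   sprintf(CS real_dbmname, "%s.db", temp_dbmname);
 * into two 256-byte stack buffers with no length check. */

#define TEMP_SUFFIX ".dbmbuild_temp"
#define DB_SUFFIX   ".db"

/* Returns 0 on success, -1 if either name would not fit (including NUL).
 * On failure both output buffers are left empty, never partially filled. */
int build_dbm_names(const char *base,
                    char *temp_name, size_t temp_size,
                    char *real_name, size_t real_size)
{
    size_t base_len = strlen(base);
    size_t temp_len = base_len + strlen(TEMP_SUFFIX);  /* excluding NUL */
    size_t real_len = temp_len + strlen(DB_SUFFIX);

    if (temp_len >= temp_size || real_len >= real_size) {
        if (temp_size) temp_name[0] = '\0';
        if (real_size) real_name[0] = '\0';
        return -1;
    }
    /* snprintf is bounded; the check above also rules out truncation. */
    snprintf(temp_name, temp_size, "%s%s", base, TEMP_SUFFIX);
    snprintf(real_name, real_size, "%s%s", temp_name, DB_SUFFIX);
    return 0;
}

int main(int argc, char **argv)
{
    char temp_dbmname[256];
    char real_dbmname[256];
    const char *base = argc > 1 ? argv[1] : "xxx";  /* constructed default */

    if (build_dbm_names(base, temp_dbmname, sizeof temp_dbmname,
                        real_dbmname, sizeof real_dbmname) != 0) {
        fprintf(stderr, "exim_dbmbuild: output name too long (%zu bytes)\n",
                strlen(base));
        return 1;
    }
    printf("temp: %s\nreal: %s\n", temp_dbmname, real_dbmname);
    return 0;
}
```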