Bug#392452: /usr/sbin/exim_dbmbuild: buffer overflow in exim_dbmbuild
Marc Haber
mh+debian-packages at zugschlus.de
Sun Jun 10 13:19:23 UTC 2007
user exim4 at packages.debian.org
usertags #392452 close-20070831
thanks
On Wed, Oct 11, 2006 at 07:48:12PM +0100, Jochen Voss wrote:
> recently I noticed the following bits of code in the source file
> src/exim_dbmbuild.c (function 'main'):
>
> int main(int argc, char **argv)
> {
>   uschar temp_dbmname[256];
>   uschar real_dbmname[256];
>   ...
>   Ustrcpy(temp_dbmname, argv[arg+1]);
>   Ustrcat(temp_dbmname, ".dbmbuild_temp");
>   ...
>   sprintf(CS real_dbmname, "%s.db", temp_dbmname);
>
> where 'Ustrcpy' and 'Ustrcat' are functionally equivalent to 'strcpy'
> and 'strcat'. Since command line arguments are not limited in size
> and since the functions Ustrcpy, Ustrcat and sprintf do not include
> any length checks on their arguments, this will easily overflow the
> buffers 'temp_dbmname' and 'real_dbmname'.
Upstream says this was fixed.
> Probably the following crash is a symptom of this:
>
> voss at burmah [~] touch xxx
> voss at burmah [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
> Segmentation fault
It now says "file name is ridiculously overlong".
Does this fix the issue for you?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
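
An added example, not part of the original message and not Exim's actual fix (the upstream patch is not shown here): one way to build the two file names from the quoted code with length checks, so that an overlong argument is rejected instead of overflowing the 256-byte buffers. The helper name `build_dbm_names` and the use of `argv[1]` are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF    256               /* buffer size used in the quoted code */
#define TEMP_SUFFIX ".dbmbuild_temp"  /* suffixes taken from the quoted code */
#define DB_SUFFIX   ".db"

/* Hypothetical helper (not Exim code): build "<base>.dbmbuild_temp" and
 * "<base>.dbmbuild_temp.db". Returns 0 on success, -1 if either name would
 * not fit in its buffer; on failure both outputs are set to "". */
int build_dbm_names(const char *base, char *temp, size_t temp_sz,
                    char *real, size_t real_sz)
{
    int n;
    if (base == NULL || temp == NULL || real == NULL ||
        temp_sz == 0 || real_sz == 0)
        return -1;
    temp[0] = real[0] = '\0';

    /* snprintf returns the length it needed; >= size means truncation. */
    n = snprintf(temp, temp_sz, "%s%s", base, TEMP_SUFFIX);
    if (n < 0 || (size_t)n >= temp_sz)
        goto overlong;
    n = snprintf(real, real_sz, "%s%s", temp, DB_SUFFIX);
    if (n < 0 || (size_t)n >= real_sz)
        goto overlong;
    return 0;

overlong:
    temp[0] = real[0] = '\0';
    return -1;
}

int main(int argc, char **argv)
{
    char temp_dbmname[NAME_BUF], real_dbmname[NAME_BUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <dbm-base-name>\n", argv[0]);
        return 1;
    }
    /* Assumption: the base name is argv[1] in this stand-alone sketch. */
    if (build_dbm_names(argv[1], temp_dbmname, sizeof temp_dbmname,
                        real_dbmname, sizeof real_dbmname) != 0) {
        fprintf(stderr, "file name is ridiculously overlong\n");
        return 1;
    }
    printf("%s\n%s\n", temp_dbmname, real_dbmname);
    return 0;
}
```

With these suffixes the longest base name that fits is 238 bytes, because the second name needs 17 extra bytes plus the terminating NUL.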