From jeremyp@gsmx07.alcatel.com.au Thu Sep 30 21:39:32 1999
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10])
	by hub.freebsd.org (Postfix) with ESMTP id 6014614C06
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Thu, 30 Sep 1999 21:39:22 -0700 (PDT)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40354>; Fri, 1 Oct 1999 14:36:12 +1000
Message-Id: <99Oct1.143612est.40354@border.alcanet.com.au>
Date: Fri, 1 Oct 1999 14:39:16 +1000
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
Reply-To: peter.jeremy@alcatel.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Buffer overflow in mail(1)
X-Send-Pr-Version: 3.2

>Number:         14069
>Category:       bin
>Synopsis:       Buffer overflow in mail(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mikeh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 30 21:40:01 PDT 1999
>Closed-Date:    Tue Jun 12 15:39:04 PDT 2001
>Last-Modified:  Tue Jun 12 15:40:26 PDT 2001
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:

	cvs-cur 5710

>Description:

	Mail(1) gets SIGSEGV whilst processing mailbox.

>How-To-Repeat:

	Create a file containing the following (between the '===') and
	feed it to mail with `mail -f file'. (The mail addresses have
	been munged both to protect the guilty and to enable the
	location of the failure to be more accurately identified).

	Mail reports:
Mail version 8.1 6/6/93.  Type ? for help.
"file": 1 message 1 new
zsh: segmentation fault (core dumped)

================================================================
From aZZYZ.XZWZV@ZUZTZSZ.RZQ.ZP Mon Sep 27 18:11:11 1999
Return-Path: <ZOZNZ.MZLZK@ZJZIZHZ.GZF.ZE>
Received: from ZDZCZB.ZAZzZyZ.xZw.Zv (ZuZtZs.ZrZqZpZ.oZn.Zm [139.188.20.1])
	by ZlZkZj.ZiZhZgZ.fZe.Zd (8.9.3/8.9.3) with ESMTP id SAA17296
	for <jeremyp@ZcZbZa.YYXYWYV.YUY.TY>; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
	(envelope-from SYRYQ.YPYOY@NYMYLYK.YJY.IY)
Received: from HYGY.FYE.YDYCYBY.AYz.Yy (mfg1 [139.188.23.1]) by YxYwYv.YuYtYsY.rYq.Yp (8.8.8/8.7.3) with ESMTP id SAA15285 for <jeremyp@YoYnYm.YlYkYjY.iYh.Yg>; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
Received: from YfYeYd.YcYbYaX.XWX.VX by UXT.XSXRXQX.PXO.XN
 (PMDF V5.2-32 #37641) with ESMTP id <01JGH2YWZRSWBL6YMG@XMX.LXKXJXI.XHX.GX>
 for jeremyp@FXEXDX.CXBXAXz.XyX.xX (ORCPT rfc822;wXvXu.XtXsXr@XqXpXoX.nXm.Xl)
 ; Mon, 27 Sep 1999 18:09:45 +1000
Received: (from prdadm@localhost)
 by XkXjXi.XhXgXfX.eXd.Xc (AIX4.3/UCB 8.8.8/8.8.8)
 id SAA27452 for XbXaW.WVWUWT@WSWRWQW.PWO.WN; Mon, 27 Sep 1999 18:05:26 +1000
Date: Mon, 27 Sep 1999 18:05:26 +1000
From: WMWLW.KWJWI@WHWGWFW.EWD.WC (KYLIE SMITH)
Subject: Notification of future termination xxxxxxxx
To: WBW_AWzWyWxW@wWvWuW.tWsWrWq.WpW.oW
To: nWm_WlWkWjWi@WhWgWf.WeWdWcW.bWa.VV
To: UVT_VS@VRVQVP.VOVNVMV.LVK.VJ
To: VIV_HVGVFVE@VDVCVB.VAVzVyV.xVw.Vv
To: VuV_tVsVrVqV@pVoVnV.mVlVkVj.ViV.hV
To: gVf_VeVdV@cVbVaU.UTUSURU.QUP.UO
To: UNU_MULUKU@JUIUHU.GUFUEUD.UCU.BU
To: AUz_UyUxUw@UvUuUt.UsUrUqU.pUo.Un
To: UmU_lU@kUjUiU.hUgUfUe.UdU.cU
To: bUa_TTSTRTQT@PTOTNT.MTLTKTJ.TIT.HT
To: GTFTETDT.CTBTAT@zTyTxTw.TvT.uT
To: tTsTr.TqTpTo@TnTmTlT.kTj.Ti
To: ThTgTfT.eTdTcT@bTaSSRS.QSP.SO
To: SNSMSLSKSJ.SISHSGS@FSESDSC.SBS.AS
To: zSySxSwS.vSuStS@sSrSqSp.SoS.nS
To: mSlSkS.jS@iShSgSf.SeS.dS
To: cSbS.aRRQR@PRORNRM.RLR.KR
To: JRIRH.RGR@FRERDRC.RBR.AR
To: zRyRx.RwRv@RuRtRsR.rRq.Rp
To: RoRnRmRl.RkRjRi@RhRgRfR.eRd.Rc
To: RbRa.QQPQOQNQ@MQLQKQJ.QIQ.HQ
To: GQFQEQDQCQ.BQAQzQy@QxQwQvQ.uQt.Qs
To: QrQqQp.QoQnQmQ@lQkQjQi.QhQ.gQ
To: fQeQdQcQbQa.PPOPNPMPLP@KPJPIPH.PGP.FP
To: EPDPCPBP.APzP@yPxPwPv.PuP.tP
To: sPr.PqPpP@oPnPmPl.PkP.jP
To: iPhPgP.fPePd@PcPbPaO.ONO.MO
To: LOK.OJO@IOHOGOF.OEO.DO
To: COBO.AOzOyOxOw@OvOuOtO.sOr.Oq
To: OpOoOn.OmOlOkOjOiOhO@gOfOeOd.OcO.bO
To: aNNMN.LNKNJN@INHNGNF.NEN.DN
To: CNBNA.NzNyN@xNwNvNu.NtN.sN
To: rNqN.pNoNnNmN@lNkNjNi.NhN.gN
To: fNeN.dNcNb@NaMMLMK.MJM.IM
Reply-to: HMGMF.MEMDM@CMBMAMz.MyM.xM (KYLIE SMITH)
Message-id: <wMvMuMtMsMrM.qMp27452@MoMnMm.MlMkMjM.iMh.Mg>
MIME-version: 1.0
X-Mailer: SAP R/3 Internet Mail Gateway 3.1I8
Content-type: TEXT/PLAIN; CHARSET="ISO-8859-1"
Content-transfer-encoding: 7BIT

Termination Date : 01.10.1999

Employee No: xxxxxxxx UPI: ZZxxxxxxx
Employee Name : Xxxxx Xxxxxxx Xxxxxx
Work Address : A.2/1F .
Phone Extension :
Position title : xxxxxxxx xxxxxxx xxxxxxxxxx
Department : xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
Supervisor : Zxxxx Yttttt

================================================================

	Invoking gdb on the core file shows %ebp contains 0x4d492e4d,
	which is "M.IM" after byte reversal.  This appears in the
	last `To:' address above.

>Fix:

	The work-around I implemented was:
	# cd /usr/ports/mail/mutt
	# make
	# make install
	:-)

	I found (and fixed) what appeared to be a number of potential
	buffer overflows in copyin(), nextword() and parse() (all of
	which take a char array with no size as an argument).  This
	didn't help.

	Further investigation with gdb shows that skin() reads
	arbitrarily-sized input into a fixed size buffer.  A quick
	fix for this is below.  This fixed my problem with the
	above message, but I don't know if it's safe in general.

Index: aux.c
===================================================================
RCS file: /home/CVSROOT/src/usr.bin/mail/aux.c,v
retrieving revision 1.4
diff -u -r1.4 aux.c
--- aux.c	1997/07/24 06:56:33	1.4
+++ aux.c	1999/10/01 04:32:09
@@ -456,7 +456,7 @@
 	register char *cp, *cp2;
 	char *bufend;
 	int gotlt, lastsp;
-	char nbuf[BUFSIZ];
+	char *nbuf = alloca(strlen(name));
 
 	if (name == NOSTR)
 		return(NOSTR);
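Review bot: the initializer `char *nbuf = alloca(strlen(name));` is evaluated when the declaration is reached, which is before the `if (name == NOSTR) return(NOSTR);` guard two lines below it, so a NOSTR name now reaches strlen() and dereferences NULL before the guard can reject it; move the allocation after the check. The size is also one byte short for a NUL-terminated copy of name (strlen(name) + 1 is the minimum), and sizing alloca() by an untrusted header line replaces the fixed-buffer overflow with unbounded stack growth, so a copy that is bounded by an explicit limit is the safer shape, as the submitter's own "I don't know if it's safe in general" suggests.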


Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982
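The bug class described in the >Fix section above (an address-skinning routine copying unbounded header text into a fixed buffer), shown as an added example that is neither mail(1)'s skin() nor the submitter's patch: a hypothetical skin_bounded() takes the size of the buffer it writes into and rejects an overlong header instead of overrunning it. All function and parameter names here are assumed, and the inputs in the test are constructed.

```c
#include <stddef.h>
#include <string.h>
/*
 * Added example, not mail(1)'s skin(): pull the bare addr-spec out of a header
 * value (the text inside <...> if present, else the first token), dropping
 * (comment) groups, with every write checked against outsz.  Returns 0, or -1
 * for a NULL name, an unusable header, or a result that will not fit with its NUL.
 */
int skin_bounded(const char *name, char *out, size_t outsz)
{
    const char *p, *start = NULL, *end = NULL;
    int depth = 0;                         /* nesting depth of (comments) */
    size_t len;
    if (name == NULL || out == NULL || outsz == 0) return -1;   /* the NOSTR case */
    /* Pass 1: an angle-bracketed address outside comments wins. */
    for (p = name; *p != '\0'; p++) {
        if (*p == '(') depth++;
        else if (*p == ')') { if (depth > 0) depth--; }
        else if (depth == 0 && *p == '<' && end == NULL) start = p + 1;
        else if (depth == 0 && *p == '>' && start != NULL && end == NULL) end = p;
    }
    if (start == NULL || end == NULL) {
        /* Pass 2: otherwise the first whitespace-delimited token outside comments. */
        depth = 0; start = NULL;
        for (p = name; *p != '\0'; p++) {
            if (*p == '(') { if (start) break; depth++; continue; }
            if (*p == ')') { if (depth > 0) depth--; continue; }
            if (depth > 0) continue;
            if (*p == ' ' || *p == '\t' || *p == '\n') { if (start) break; continue; }
            if (start == NULL) start = p;
        }
        end = p;
    }
    if (start == NULL) return -1;          /* nothing usable in the header */
    len = (size_t)(end - start);
    if (len + 1 > outsz) return -1;        /* room for the NUL that strlen(name) alone omits */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}
/* Test helper: skin into a 64-byte local buffer limited to outsz bytes and compare
 * with want; want == NULL means "expect rejection". */
int skin_check(const char *name, size_t outsz, const char *want)
{
    char buf[64]; int rc;
    if (outsz > sizeof buf) return 0;
    rc = skin_bounded(name, buf, outsz);
    return want == NULL ? rc == -1 : (rc == 0 && strcmp(buf, want) == 0);
}
```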

>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: peter.jeremy@alcatel.com.au
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/14069: Buffer overflow in mail(1)
Date: Fri, 1 Oct 1999 18:28:49 +0300

 On Fri, Oct 01, 1999 at 02:39:16PM +1000, Peter Jeremy wrote:
 > 
 > >Description:
 > 
 > 	Mail(1) gets SIGSEGV whilst processing mailbox.
 > 
 > >How-To-Repeat:
 > 
 > 	Create a file containing the following (between the '===') and
 > 	feed it to mail with `mail -f file'. (The mail addresses have
 > 	been munged both to protect the guilty and to enable the
 > 	location of the failure to be more accurately identified).
 > 
 > 	Mail reports:
 > Mail version 8.1 6/6/93.  Type ? for help.
 > "file": 1 message 1 new
 > zsh: segmentation fault (core dumped)
 > 
 Not for me:
 
 Script started on Fri Oct  1 18:26:18 1999
 Mail version 8.1 6/6/93.  Type ? for help.
 "file": 1 message 1 new
 >N  1 WMWLW.KWJWI@WHWGWFW.  Mon Sep 27 18:11  68/2789  "Notification of futur"
 & q
 "file" complete
 
 Script done on Fri Oct  1 18:26:20 1999
 
 
 Could you please gzip and send me your test mbox?
 
 
 Thanks,
 -- 
 Ruslan Ermilov		Sysadmin and DBA of the
 ru@ucb.crimea.ua	United Commercial Bank,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.247.647	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
State-Changed-From-To: open->feedback 
State-Changed-By: mikeh 
State-Changed-When: Thu Mar 29 21:32:05 PST 2001 
State-Changed-Why:  



Responsible-Changed-From-To: freebsd-bugs->mikeh 
Responsible-Changed-By: mikeh 
Responsible-Changed-When: Thu Mar 29 21:32:05 PST 2001 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=14069 

From: Mike Heffner <mheffner@vt.edu>
To: mikeh@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org, peter.jeremy@alcatel.com.au
Subject: Re: bin/14069: Buffer overflow in mail(1)
Date: Fri, 30 Mar 2001 01:04:30 -0500 (EST)

 I messed up this PR change, the following is what should have been included:
 
 On 30-Mar-2001 mikeh@FreeBSD.org wrote:
 | Synopsis: Buffer overflow in mail(1)
 | 
 | State-Changed-From-To: open->feedback
 | State-Changed-By: mikeh
 | State-Changed-When: Thu Mar 29 21:32:05 PST 2001
 | State-Changed-Why: 
 
 Please test the recent changes I've committed that address multiple overflow
 issues.
 
 | Responsible-Changed-From-To: freebsd-bugs->mikeh
 | Responsible-Changed-By: mikeh
 | Responsible-Changed-When: Thu Mar 29 21:32:05 PST 2001
 | Responsible-Changed-Why: 
 
 I've just committed multiple overflow fixes that probably fix this problem.
 
 | 
 | http://www.freebsd.org/cgi/query-pr.cgi?pr=14069
 
 
 Mike
 
 -- 
   Mike Heffner       <mheffner@vt.edu>
   Blacksburg, VA   <mikeh@FreeBSD.org>
   http://filebox.vt.edu/users/mheffner
 
State-Changed-From-To: feedback->closed 
State-Changed-By: mikeh 
State-Changed-When: Tue Jun 12 15:39:04 PDT 2001 
State-Changed-Why:  
Fix has been MFCed. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=14069 
>Unformatted:
