From troy@scoliosis.toadshow.com.au  Mon Sep  4 23:27:43 2000
Return-Path: <troy@scoliosis.toadshow.com.au>
Received: from scoliosis.toadshow.com.au (scoliosis.toadshow.com.au [203.55.174.154])
	by hub.freebsd.org (Postfix) with ESMTP id 44EA537B423
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  4 Sep 2000 23:27:41 -0700 (PDT)
Received: (from troy@localhost)
	by scoliosis.toadshow.com.au (8.11.0/8.11.0) id e856VmZ07941;
	Tue, 5 Sep 2000 16:31:48 +1000 (EST)
	(envelope-from troy)
Message-Id: <200009050631.e856VmZ07941@scoliosis.toadshow.com.au>
Date: Tue, 5 Sep 2000 16:31:48 +1000 (EST)
From: Troy Bell <troy@asiaonline.net>
Sender: troy@scoliosis.toadshow.com.au
Reply-To: troy@asiaonline.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: popper3 dumps core
X-Send-Pr-Version: 3.2

>Number:         21055
>Category:       ports
>Synopsis:       popper3 dumps core
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 04 23:30:02 PDT 2000
>Closed-Date:    Fri Nov 24 03:12:25 PST 2000
>Last-Modified:  Fri Nov 24 03:13:40 PST 2000
>Originator:     Troy Bell
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
Asia Online Brisbane
>Environment:

qpopper version 3.0.2

>Description:

This server handles mail for a Mac network.

All Mac email clients, such as Netscape Mail, Eudora, etc., work fine
with qpopper, but when using Microsoft Outlook Express for the Mac
to check mail from the server, it "doesn't work".

Qpopper dumps core, and terminates the current session (if any) with
the user:

Sep  5 15:51:59 scoliosis /kernel: pid 3573 (popper3), uid 0:
exited on signal 11 (core dumped)
Sep  5 15:56:12 scoliosis /kernel: pid 3586 (popper3), uid 0:
exited on signal 11 (core dumped)

GDB backtrace:

Core was generated by `popper3'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libmd.so.2...done.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x80565b8 in Qvsnprintf (s=0xbfbfe5eb "", n=1016, 
    format=0x8058700 " not available (user %s): %s (%s)", 
    ap=0xbfbfe9b4 "\005\bsf\005\b\001") at snprintf.c:230
230                     if ( width != -1 && width > strlen(sval) ) {
(gdb) bt
#0  0x80565b8 in Qvsnprintf (s=0xbfbfe5eb "", n=1016, 
    format=0x8058700 " not available (user %s): %s (%s)", 
    ap=0xbfbfe9b4 "\005\bsf\005\b\001") at snprintf.c:230
#1  0x804c4ba in pop_msg (p=0xbfbff6f0, stat=POP_FAILURE, fn=0x0, ln=0, 
    format=0x8058700 " not available (user %s): %s (%s)") at pop_msg.c:102
#2  0x8050844 in pop_apop (p=0xbfbff6f0) at pop_apop.c:182
#3  0x804ed9d in main (argc=1, argv=0xbfbffcf0) at popper.c:225
#4  0x8049a75 in _start ()

--

This happens every time the user checks mail (was noticeable when the
user had her mail client set to check email every 5 minutes).

These Macs are connecting to this mail server via a Linux box
that does masquerading (so it's not a "direct" connection as such).
The Linux box is running kernel 2.2.16.

>How-To-Repeat:

POP your mail using MS Outlook Express for Mac.

>Fix:

No known workaround from our end.

Hoping you can provide one, as UID 0 and snprintf() don't sound
nice together :) (let's hope it's not exploitable, if it is indeed
a problem).

>Release-Note:
>Audit-Trail:

From: Rod Taylor <rbt@zort.on.ca>
To: freebsd-gnats-submit@FreeBSD.org, troy@asiaonline.net
Cc:  
Subject: Re: ports/21055: popper3 dumps core
Date: Wed, 22 Nov 2000 23:12:33 -0500

 This appears to have been fixed with qpopper 3.1 series.
 
 ----------
 Rod Taylor
 
State-Changed-From-To: open->feedback 
State-Changed-By: sobomax 
State-Changed-When: Thu Nov 23 08:26:07 PST 2000 
State-Changed-Why:  
Reportedly, this bug has been fixed in qpopper 3.1. Please confirm. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21055 
State-Changed-From-To: feedback->closed 
State-Changed-By: roam 
State-Changed-When: Fri Nov 24 03:12:25 PST 2000 
State-Changed-Why:  
Originator confirmed bug fixed in qpopper 3.1. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21055 
>Unformatted:

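The backtrace in this PR stops at a `%s` conversion inside a hand-written vsnprintf (the `width > strlen(sval)` check at snprintf.c:230), reached while a root-owned popper3 was building the APOP failure message. As an added illustration, not qpopper's code and with all names hypothetical, here is a bounded `%s`-only formatter written so that same check cannot dereference a NULL argument or write past the caller's buffer, whatever the actual bad pointer in the report was:

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical illustration, not qpopper's Qvsnprintf. */
/* Store len bytes of src at *out, keeping only what fits in dst[0..n-2]. */
static void emit(char *dst, size_t n, size_t *out, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++, (*out)++)
        if (*out + 1 < n)
            dst[*out] = src[i];
}

/* One "%Ns" conversion. NULL becomes "(null)" rather than reaching strlen(),
 * and width is compared in size_t only after the -1 "no width" sentinel is
 * ruled out, so there is no signed/unsigned surprise in the comparison. */
static void put_string(char *dst, size_t n, size_t *out, const char *sval, long width)
{
    if (sval == NULL) sval = "(null)";
    size_t len = strlen(sval);
    size_t pad = (width != -1 && (size_t)width > len) ? (size_t)width - len : 0;
    while (pad-- > 0)
        emit(dst, n, out, " ", 1);
    emit(dst, n, out, sval, len);
}

/* Formats literal text and %s (optional decimal width). Always NUL-terminates
 * when n > 0 and returns the length the full message needs, so a result >= n
 * tells the caller the buffer truncated it. Other conversions pass through. */
size_t bounded_fmt(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    size_t out = 0;
    va_start(ap, fmt);
    for (; *fmt != '\0'; fmt++) {
        if (*fmt != '%') { emit(dst, n, &out, fmt, 1); continue; }
        long width = -1;
        if (*++fmt >= '0' && *fmt <= '9')
            for (width = 0; *fmt >= '0' && *fmt <= '9'; fmt++)
                width = width * 10 + (*fmt - '0');
        if (*fmt == '\0') break;   /* dangling '%': stop before running off the end */
        if (*fmt == 's') put_string(dst, n, &out, va_arg(ap, const char *), width);
        else { emit(dst, n, &out, "%", 1); emit(dst, n, &out, fmt, 1); }
    }
    va_end(ap);
    if (n > 0) dst[out < n ? out : n - 1] = '\0';
    return out;
}
```

A caller that mirrors pop_msg's fixed-size buffer (n=1016 in the backtrace) can compare the return value against n to detect truncation instead of trusting the buffer contents.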