On Tue, 11 Mar 2003 19:05:51 -0800 Randall Gellens <rg_public.1@flagg.qualcomm.com> wrote: > The first I heard of the problem was this morning. Was any notice > sent to qpopper-bugs@qualcomm.com or qpopper-patches@qualcomm.com in > advance of the posting here? If so, please let me know the details > so I can see what happened to the message. If not, I'd like to know > why. > > A fixed Qpopper (version 4.0.5fc2) is available now at > <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>. I plan on > releasing 4.0.5 final tomorrow unless I hear of any problems with > 4.0.5fc2. > > -- > Randall Gellens > rg_public.1@flagg.qualcomm.com > Opinions are personal; facts are suspect; I speak for myself only Hello, Yesterday(2003-03-12) I've sent the following email to qpopper-bugs@qualcomm.com: ------------------------------ snip --------------------------------------- Dear Sir or Madam, Florian Heinz posted an exploit to gain shell access through qpopper. See http://nstx.dereference.de/snippets/qex.c. The reason is an unterminated bufferstring in Qvsnprintf. I looked at version 4.05fc2 and there is a change, but i think that change isn't correct. /* From File common/snprintf.c */ if ( nSize == 0 && *p != '\0' ) { *s = '\0'; return -1; } else return ( (n-1) - nSize ); /* when string that should be written to the buffer fits exactly, * than there will no Zero-Byte be written to buffer, cause the for * loop terminates when nSize is 0 and the terminating '\0' of p is not * copied to buffer ;-( */ Ithink, it should be written as : if ( nSize || *p=='\0') { *s++ = *p; return ( (n-1) - nSize ); } else{ *s++ = '\0'; return -1; } Please excuse my bad english. regards Harald Hellmuth ------------------------------ snap --------------------------------------- with best regards -- Harald Hellmuth E-Mail: hh@hostserver.de
