-------- Original Message -------- Subject: Security Alert; possible buffer overflow in all Mathopd versions Date: Thu, 4 Dec 2003 22:33:26 +0100 (CET) From: Michiel Boland <michiel@boland.org> To: mathopd@mathopd.org
Hi.
During some testing, I came across a rather stupid and embarassing buffer overflow in request.c in all Mathopd versions up to and including 1.5b13. The problem is in the prepare_reply() function that allocates space for a buffer on the stack that may be too small for whatever goes into it. This can lead to crashes, or even system compromise. I am amazed that nobody has spotted the problem before; obviously not many people are using this software. :}
Anyway, I have patched things up now so that things should be ok.
Read the table below for any action that you must take if you run mathopd. The table informs you, for each particular version, whether it is vulnerable to remote exploits of this bug, and whether an upgrade exists, and which one you should use.
Branch/Version Status --------------------------------------------------------------------- 1.2 and older Probably vulnerable, not supported 1.3 before pl8 Probably vulnerable, upgrade advised 1.3pl8 Patched, otherwise not supported (use 1.4p2 instead) 1.4 before p2 Definitely vulnerable, upgrade immediately to 1.4p2 1.4p2 Not vulnerable
BETA versions:
1.5 before b14 Vulnerable 1.5b14 Not vulnerable ---------------------------------------------------------------------
In short: all versions in the 1.3, 1.4 and current branch are fixed (at least for this particular problem.) If you run 1.3 at this moment, you may be all right, but it is probably wise to upgrade anyway. If you run 1.4 right now you are in trouble; please upgrade as soon as possible.
The patched versions are available for immediate download on the Mathopd website.
Sorry about this. This has not been a good week.
Cheers Michiel
