The newsfetch package version 1.21 uses several insecure sscanf calls to read data out of a 501 byte buffer into a 100 byte buffer.
ce9615a1e335410069ba0ff6c7fd2586de29efc5340197e25eccbbcd305d9df9Bug description:
----------------
The newsfetch package version 1.21 and (unofficial JRF's) 1.4 uses
several insecure sscanf calls to read data out of a 501 byte buffer
into a 100 byte buffer. These sscanf functions can be abused by
malicious NNTP servers when sending large strings as a reply to a
LIST request ( -l option ).
Theoretically this issue can cause a security risk. However, I
haven't been able to find an exploitable condition. Still it would
be a good idea to patch this ;p
Also note that the lack of sscanf result checking can easily
cause newsfetch to crash when an uninitialized pointer is being
used. For example, if the server banner doesn't start with a number
(200) then newsfetch will crash immediately.
Fix for the overflow:
---------------------
niels@woof$ diff -u nntp.c.orig nntp.c
--- nntp.c.orig Thu Jul 23 12:03:11 1998
+++ nntp.c Wed Jan 19 11:10:22 2005
@@ -140,7 +140,8 @@
else
fprintf(rctmpfp,"%s",command_buf);
}
- items_read=sscanf(command_buf,"%s %d %d", group, &first_article, &max_article);
+ items_read=sscanf(command_buf,"%99s %d %d", group, &first_article, &max_article);
+ group[sizeof(group)-1] = '\0';
if(items_read < 2)
return(0);
return(items_read);
@@ -334,12 +335,14 @@
if(!get_error2(command_buf))
exit(1);
readNNTPdata();
- sscanf(command_buf,"%s",groupname);
+ sscanf(command_buf,"%99s",groupname);
+ groupname[sizeof(groupname)-1] = '\0';
while(command_buf[0] != '.' || command_buf[1] != 13 )/*|| command_buf[1] != 10)*/
{
fprintf(stderr,"%s\n",groupname);
readNNTPdata();
- sscanf(command_buf,"%s",groupname);
+ sscanf(command_buf,"%99s",groupname);
+ groupname[sizeof(groupname)-1] = '\0';
}
exit(1);
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed