|
|
|
|
| |
newsfetch is "a powerfull utility to fetch news from an NNTP server and stores in the mailbox format. The files created by newsfetch can be used with any mail reader".
Due to poor handling of provided that an attacker can cause newsfetch to overflow an internal buffer. |
| |
Credit:
The information has been provided by Niels Heinen.
|
| |
The newsfetch package version 1.21 and (unofficial JRF's) 1.4 uses several insecure sscanf calls to read data out of a 501 byte buffer into a 100 byte buffer. These sscanf functions can be abused by malicious NNTP servers when sending large strings as a reply to a LIST request ( -l option ).
Also note that the lack of sscanf result checking can easily cause newsfetch to crash when an uninitialized pointer is being used. For example, if the server banner doesn't start with a number (200) then newsfetch will crash immediately.
Unofficial patch:
niels@woof$ diff -u nntp.c.orig nntp.c
--- nntp.c.orig Thu Jul 23 12:03:11 1998
+++ nntp.c Wed Jan 19 11:10:22 2005
@@ -140,7 +140,8 @@
else
fprintf(rctmpfp,"%s",command_buf);
}
- items_read=sscanf(command_buf,"%s %d %d", group, &first_article, &max_article);
+ items_read=sscanf(command_buf,"%99s %d %d", group, &first_article, &max_article);
+ group[sizeof(group)-1] = '\0';
if(items_read < 2)
return(0);
return(items_read);
@@ -334,12 +335,14 @@
if(!get_error2(command_buf))
exit(1);
readNNTPdata();
- sscanf(command_buf,"%s",groupname);
+ sscanf(command_buf,"%99s",groupname);
+ groupname[sizeof(groupname)-1] = '\0';
while(command_buf[0] != '.' || command_buf[1] != 13 )/*|| command_buf[1] != 10)*/
{
fprintf(stderr,"%s\n",groupname);
readNNTPdata();
- sscanf(command_buf,"%s",groupname);
+ sscanf(command_buf,"%99s",groupname);
+ groupname[sizeof(groupname)-1] = '\0';
}
exit(1);
|
|
|
|
|
