From owner-freebsd-ports  Mon Oct 22 23:42: 3 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from robbins.dropbear.id.au (173.b.006.mel.iprimus.net.au [210.50.45.173])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6638C37B401; Mon, 22 Oct 2001 23:41:51 -0700 (PDT)
Received: (from tim@localhost)
	by robbins.dropbear.id.au (8.11.6/8.11.6) id f9N6c5C23557;
	Tue, 23 Oct 2001 16:38:05 +1000 (EST)
	(envelope-from tim)
Date: Tue, 23 Oct 2001 16:38:05 +1000
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: ports@FreeBSD.ORG
Cc: ache@FreeBSD.ORG
Subject: munpack from converters/mpack heap overflow vuln
Message-ID: <20011023163805.A23527@mango.robbins.dropbear.id.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ports.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ports>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ports>
X-Loop: FreeBSD.org

Hi

munpack, part of CMU mpack version 1.5 which is in ports/converters/mpack
contains a heap buffer overflow vulnerability in the header parsing code.

The functions getParam() and getDispositionFilename() attempt to resize
a buffer dynamically when they get full, but after being enlarged once
by a call to realloc(), a bug causes the code to never enlarge them again.
(These functions are in mpack/src/decode.c)

If a malicious person could cause someone to extract attachments from a
malformed message with munpack, security could be compromised.

I don't think mpack is a very popular software package these days, but
I have found it useful. A patch to decode.c follows this message which
fixes this problem.


Tim


--- decode.c.old	Tue Oct 23 16:14:53 2001
+++ decode.c	Tue Oct 23 16:16:22 2001
@@ -468,6 +468,7 @@
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
 		to = value + alloced - left - 2;
+		left = alloced - 1;
 	    }
 	    if (*from == '\\') {
 		from++;
@@ -484,6 +485,7 @@
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
 		to = value + alloced - left - 2;
+		left = alloced - 1;
 	    }
 	    *to++ = *from++;
 	}
@@ -573,6 +575,7 @@
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
 		to = value + alloced - left - 2;
+		left = alloced - 1;
 	    }
 	    if (*disposition == '\\') {
 		disposition++;
@@ -590,6 +593,7 @@
 		alloced += VALUEGROWSIZE;
 		value = xrealloc(value, alloced);
 		to = value + alloced - left - 2;
+		left = alloced - 1;
 	    }
 	    *to++ = *disposition++;
 	}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message