procmail

procmail in security audit

1999-02-20 17:47:31


[procmail list readers can find an introduction and FAQ for the linux
 security audit project at
          http://www-jcr.lmh.ox.ac.uk./~security ]


Observations have been confirmed with
ftp.informatik.rwth-aachen.de:/pub/packages/procmail/procmail-3.11pre7


These look like opportunities for death by transient error.
formail.c (getsender):   saddr = strcpy (malloc (strlen (saddr) + 1), saddr);
misc.c (setlastfolder):  strcpy (chp = malloc (STRLEN (lastfolder) + 1 +.....


exopen.c (hlink): if (stbuf.st_nlink != 2) {
Link count is tested after a failed link() call, without having inspected
the prior link count.



If "boxname" is empty prior to this I suspect a fault here.  The code is
convoluted enough that I cannot tell whether execution reaches this point
with "boxname" empty.
mailfold.c (deliver): 
    if(mhdir)             /* buf should contain directory name */
     *chp = '\0', chp[-1] = *MCDIRSEP_, strcpy (buf2, buf);



I had such a hard time checking correct bounds were used
in string operations that many of these remain uncertain.
Has anyone considered writing specs for the functions,
macros and global variables that would allow an independently
coded version?  This could be a major gain in assurance and
maintainability.





Smiles for:

This has been corrected recently in exopen.c (hlink).
RH procmail-3.10-12
        i = lstat (old, &stbuf);
        SETerrno (serrno);
        if (i && S_ISLNK (stbuf.st_mode))   /* no stat or symbolic link? */
becomes
        if (i || S_ISLNK (stbuf.st_mode))   /* no stat or symbolic link? */

Usage of nice() return code is correct, contrary to documentation in glib.
(Separate mail coming on this soon.)

I was unable to reproduce the crash with 
   > On Fri, 19 Feb 1999, Nic Bellamy wrote:
   > > $ gdb procmail
   > > (gdb) run `perl -e 'print "A"x8192'`
   > > ^D
   > > Program received signal SIGSEGV, Segmentation fault.
   > > 0x400661dd in malloc ()
Is there a version number to go with this?

--
##############################################################
# Antonomasia   ant(_at_)notatla(_dot_)demon(_dot_)co(_dot_)uk      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
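
The "death by transient error" pattern quoted above from formail.c and misc.c,
strcpy(malloc(strlen(s) + 1), s), passes the result of malloc() straight to
strcpy(), so a momentary allocation failure becomes a NULL write. The
following is an added example, not procmail's code: a copy routine that checks
the allocation and reports failure instead. The allocator is a parameter so
that a failing one can be supplied on purpose; copy_string and failing_alloc
are names chosen here.

```c
/* Added example, not part of procmail. Checked counterpart of the
 * strcpy(malloc(strlen(s) + 1), s) pattern quoted from formail.c/misc.c.
 * The allocator is passed in so a transient failure can be simulated. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

/* Return a heap copy of s made with alloc(), or NULL with errno = ENOMEM
 * when the allocation fails. The unchecked original would hand the NULL
 * to strcpy() and take a fault at that point. */
char *copy_string(alloc_fn alloc, const char *s)
{
    size_t len = strlen(s) + 1;      /* room for the terminating NUL */
    char *p = alloc(len);
    if (p == NULL) {
        errno = ENOMEM;
        return NULL;
    }
    memcpy(p, s, len);               /* length is known, no need for strcpy */
    return p;
}

/* Allocator that always fails; stands in for malloc() under memory pressure. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* 1 if the checked copy survives an allocation failure (returns NULL
 * rather than crashing), 0 otherwise. */
int copy_survives_failure(void)
{
    char *p = copy_string(failing_alloc, "constructed sender address");
    if (p != NULL) {                 /* not expected with failing_alloc */
        free(p);
        return 0;
    }
    return errno == ENOMEM;
}
```

Pass malloc as the allocator in normal use; the point of the parameter is only
that the failure branch can be exercised without actually exhausting memory.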

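The two remarks above about exopen.c (hlink) fit together: the corrected
test "i || S_ISLNK (stbuf.st_mode)" refuses to proceed when lstat() fails
(with "&&" a failed lstat() left st_mode uninitialised and the symlink check
was effectively skipped), and the link-count test should be judged against
the count observed before link() rather than against a bare "!= 2". The
following is an added example written for this post, not procmail's
hlink(): it applies both points in one helper. The names checked_hlink and
hlink_result are ours; the temporary file used by the demo main() is created
under /tmp.

```c
/* Added example, not procmail's exopen.c hlink(). Creates a hard link to
 * "old" named "newname" and verifies the result against a baseline taken
 * before link() was called. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum hlink_result {
    HL_OK = 0,          /* link created and verified */
    HL_BAD_SOURCE,      /* lstat() failed or the source is a symlink */
    HL_LINK_FAILED,     /* link() itself failed (EEXIST, EXDEV, EPERM, ...) */
    HL_VERIFY_FAILED    /* the new name is not the expected extra link */
};

enum hlink_result checked_hlink(const char *old, const char *newname)
{
    struct stat before, after;
    int i = lstat(old, &before);

    /* The corrected form from the post: bail out if lstat() failed OR the
     * source is a symlink. Short-circuit "||" means st_mode is never read
     * when lstat() failed, which "&&" did not guarantee. */
    if (i || S_ISLNK(before.st_mode))   /* no stat or symbolic link? */
        return HL_BAD_SOURCE;

    nlink_t want = before.st_nlink + 1; /* baseline recorded BEFORE link() */

    if (link(old, newname))
        return HL_LINK_FAILED;

    /* Inspect the result through the new name: same device and inode as
     * the source, not a symlink, and the link count moved by exactly one
     * from the baseline rather than equalling a fixed value of 2. */
    if (lstat(newname, &after) || S_ISLNK(after.st_mode)
        || after.st_dev != before.st_dev || after.st_ino != before.st_ino
        || after.st_nlink != want) {
        int saved = errno;
        unlink(newname);                /* do not leave a suspect link behind */
        errno = saved;
        return HL_VERIFY_FAILED;
    }
    return HL_OK;
}

/* Stand-alone demo: link a fresh temporary file and report the outcome. */
int main(void)
{
    char path[] = "/tmp/hlink-demoXXXXXX";     /* constructed test file */
    char lnk[sizeof path + 8];
    int fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    enum hlink_result r = checked_hlink(path, lnk);
    printf("checked_hlink(%s, %s) = %d\n", path, lnk, (int)r);
    unlink(lnk);
    unlink(path);
    return r != HL_OK;
}
```

A second call with the same new name fails at link() with EEXIST and is
reported as HL_LINK_FAILED, while a symlink or a missing source is rejected
before link() is attempted. The post-link comparison is still a sanity check
rather than a race-free guarantee, since another process can add a link
between link() and lstat(); it does, however, distinguish "our link" from a
pre-existing second link, which a bare "!= 2" cannot.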