Tobias von Koch <tvk(_at_)WELTCHARTS(_dot_)DE> writes:
> I think I've found a buffer overflow in procmail from Redhat 6.2 (v3.14
> 1999/11/22, others not tested).
> ...
> First try this:
> $ /usr/bin/procmail x=`perl -e "print 1x2053"`
> <Ctrl>-D /* Procmail waits for mail */
> procmail: Exceeded LINEBUF
> Procmail recognizes that the line is a bit too long. alright.
> But if you try something bigger than 2053...
> $ /usr/bin/procmail x=`perl -e "print 1x2054"`
> <Ctrl>-D
> Segmentation fault
> You can get root privileges (with some code) now....

Procmail drops its root privileges as soon as it sees the assignment on
the command line and before it performs the copy that overflows, so this
overflow cannot be used to get root privileges.
The unchecked copy was fixed in the beta version of procmail (v3.15pre)
on 2000/06/23.
Philip Guenther
Procmail Maintainer
bug(_at_)procmail(_dot_)org
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
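
The two points in the reply above, as an added sketch that is not procmail's source and not code from either poster: elevated ids are given up before the command-line assignment is handled, and the copy is length-checked. The LINEBUF value, the return codes and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LINEBUF 2048 /* assumed size for this sketch, not procmail's value */

/* Permanently give up elevated ids: 0 on success, -1 if the drop failed. */
static int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0) /* group first, then user */
        return -1;
    if (geteuid() != uid || getegid() != gid) /* confirm the drop took effect */
        return -1;
    if (uid != 0 && setuid(0) == 0)           /* regaining root must fail */
        return -1;
    return 0;
}

/* Copy a "name=value" argument, refusing one that does not fit with its NUL. */
static int store_assignment(char *buf, size_t buflen, const char *arg)
{
    size_t len = strlen(arg);
    if (strchr(arg, '=') == NULL)
        return -2;                 /* not an assignment */
    if (len >= buflen)
        return -1;                 /* too long: reject instead of copying */
    memcpy(buf, arg, len + 1);     /* len + 1 <= buflen, terminator included */
    return 0;
}

/* Ordering matters: privileges go first, untrusted input is touched second. */
int handle_assignment(char *buf, size_t buflen, const char *arg)
{
    if (drop_privileges() != 0)
        return -3;
    return store_assignment(buf, buflen, arg);
}

int main(int argc, char **argv)
{
    char buf[LINEBUF];
    int rc = handle_assignment(buf, sizeof buf, argc > 1 ? argv[1] : "x=1");
    if (rc == -1)
        fprintf(stderr, "Exceeded LINEBUF\n");
    return rc == 0 ? 0 : 1;
}
```

With this ordering, a mistake in the length check would still run with only the invoking user's ids.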