spf-discuss

Qmail integer overflow in 1.03/1.04 - PATCH RELEASED

2004-01-15 18:36:51
Everyone running Qmail,

Georgi Guninski <guninski(_at_)guninski(_dot_)com> today (January 15, 2004)
published proof of an integer overflow in qmail-smtpd which leads to a
crash (and memory overwrite according to gdb).

Attached to this message is a patch against qmail-smtpd.c v1.03.  The
overflow essentially consists of an unchecked integer which is allowed,
under certain circumstances, to increment above its 32-bit limit, which
results in it becoming negative, thereby resulting in a segfault.

James Craig Burley <craig(_at_)jcb-sc(_dot_)com>'s patch is attached to this
message, and is also available for download from libspf.org.  I have
tested this patch against the published exploit code and it's solid.

http://libspf.org/files/qmail-1.03.integer.overflow.patch

Cheers,

James

-- 
James Couzens,
Programmer

obscurity.org
libspf.org
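The flaw class described above, a signed 32-bit counter that is incremented without a bound check until it wraps negative, is illustrated by the following added example. This is not qmail's code and not the attached patch; the function names, the counter type and the buffer are assumptions made for the demonstration. It shows the unchecked increment wrapping to a negative value next to a checked variant that refuses any addition that would exceed INT_MAX, plus the index check a consumer of such a counter should perform before using it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical running total, modelled on the description in the mail:
 * a signed 32-bit int that grows as input arrives.  Assumed names. */

/* Unchecked increment: the defect pattern.  The wrap is computed through
 * unsigned arithmetic so the demo itself has no C undefined behaviour;
 * the reinterpretation to int is what two's-complement targets do. */
int add_unchecked(int total, int n)
{
    unsigned int u = (unsigned int)total + (unsigned int)n;
    return (int)u;              /* may come back negative */
}

/* Checked increment: reject negative operands and any sum that would
 * exceed INT_MAX, leaving *out untouched on failure. */
bool add_checked(int total, int n, int *out)
{
    if (total < 0 || n < 0)
        return false;
    if (n > INT_MAX - total)    /* total + n would overflow */
        return false;
    *out = total + n;
    return true;
}

/* A counter later used as a buffer offset must be validated again at
 * the point of use: non-negative and strictly inside the buffer. */
bool offset_is_safe(int total, size_t buflen)
{
    return total >= 0 && (size_t)total < buflen;
}

/* Demonstration driver: sum a constructed list of chunk sizes with the
 * checked routine; returns -1 if any addition was refused. */
int sum_chunks_checked(const int *sizes, size_t count)
{
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        if (!add_checked(total, sizes[i], &total))
            return -1;          /* refused rather than wrapped */
    }
    return total;
}
```

The key design point is that the check happens before the arithmetic (`n > INT_MAX - total` cannot itself overflow because both operands are non-negative), and that the value is re-validated where it is consumed as an offset, so a counter that somehow did go negative is still caught before it touches memory.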

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt

Attachment: qmail-1.03.integer.overflow.patch
Description: Text Data
