
[debian-users:33268] Bug#JP/1565: mnews: local and remote overflow vulnerabilities



Package: mnews
Version: 1.22PL4-2
Severity: critical

I saw the patch that fixes a security problem of FreeBSD's mnews:

  [ports-jp 12931] security fix: mnews
  http://home.jp.FreeBSD.org/cgi-bin/showmail/ports-jp/12931

Maybe woody-jp's mnews has the same problem.

In message [ports-jp 12931], on Tue, 4 Jun 2002,
Yoshihiko SARUMARU wrote:

| > I found a security advisory for mnews on the bugtraq ML today.
| > I made a patch for this security problem and sent it to the author,
| > takuma-san, about 10 hours ago (but I have no answer from him
| > yet).

| > security advisory:
| > http://archives.neohapsis.com/archives/bugtraq/2002-05/0287.html
| > 
| > exploit code:
| > http://archives.neohapsis.com/archives/bugtraq/2002-05/0296.html
| > 
| > --- tcplib/tcplib.c.orig	Fri Dec 17 02:27:36 1999
| > +++ tcplib/tcplib.c	Mon Jun  3 17:31:01 2002
| > @@ -498,7 +498,7 @@
| >    }
| >    buf[cnt] = '\0';
| >    fp->ptr = ptr;
| > -  fp->len = len;
| > +  fp->len = cnt;
| >    return(cnt);
| >  }
| >  #endif	/* !MSDOS */
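
Review bot: at the `fp->len = cnt;` line, the switch from `len` to `cnt` carries no comment saying what `fp->len` is meant to hold once the function returns, and the visible context does not show where `cnt` is bounded before `buf[cnt] = '\0'` writes at that index. Suggest a one-line comment stating the invariant, and confirming that the loop above this hunk caps `cnt` at one less than the size of `buf`. The patch as quoted touches only tcplib/tcplib.c, so the -f, -n, -D, -M, -P and JNAMES/MAILSERVER overflows listed in the advisory would need their own changes.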

In message http://archives.neohapsis.com/archives/bugtraq/2002-05/0287.html
on Fri, 31 May 2002, zillion wrote:

| Strategic Reconnaissance Team Security Advisory (SRT2002-04-31-1159)
| 
| Topic : Mnews local and remote overflow vulnerabilities
| Date : May 31, 2002
| Credit : zillion[at]safemode.org
| Site : http://www.snosoft.com

| .: Description:
| ---------------
| 
|  Mnews is a small console based email and news client which is often
|  installed setgid mail. Several local and remote overflows have been
|  identified in this package.
| 
|  Local overflows were found in the -f, -n, -D, -M, -P parameters and
|  in the JNAMES, MAILSERVER environment variables. The remote overflow
|  resides in the code responsible for processing responses received from
|  the NNTP server. For example the following response will result in an
|  overflow:
| 
|  200 <a x 770>
| 
|  If you look at the source code of mnews you will see that this package
|  is very outdated and dangerous to use on today's Internet.
| 
| .: Impact:
| ----------
| 
|  Local users might be able to elevate their privileges on the affected
|  systems. Remote malicious server owners can use mnews to penetrate an
|  affected system.
| 
|  We strongly recommend to stop using mnews.
| 
| .: Systems Affected:
| --------------------
| 
|  Systems running the mnews package version 1.22 are affected. It is
|  very likely that older versions are also affected.

-- 
Tatsuya Kinoshita
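
The advisory quoted above describes an overlong "200" response line from the NNTP server overflowing the client's buffer. The following is an added example, not code from mnews or from the quoted patch: a bounded line reader that truncates such a line and drains its tail so the stream stays in sync. The names `line_src` and `read_line_bounded` and the in-memory input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the client's buffered socket stream. */
struct line_src { const char *data; size_t len, pos; };

/*
 * Copy one LF- or CRLF-terminated line into buf (capacity `size`, NUL included).
 * Returns the stored length; -1 if the line did not fit (its tail is consumed
 * and discarded so the next call starts at the next line); -2 on end of input
 * or bad arguments.
 */
long read_line_bounded(struct line_src *s, char *buf, size_t size)
{
    size_t cnt = 0;
    int overlong = 0;

    if (s == NULL || buf == NULL || size == 0 || s->pos >= s->len)
        return -2;
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n')
            break;
        if (cnt + 1 < size)
            buf[cnt++] = c;   /* cnt never exceeds size - 1 */
        else
            overlong = 1;     /* drop the byte but keep draining the line */
    }
    if (!overlong && cnt > 0 && buf[cnt - 1] == '\r')
        cnt--;                /* strip the CR of a CRLF terminator */
    buf[cnt] = '\0';
    return overlong ? -1 : (long)cnt;
}

int main(void)
{
    /* Constructed input: an overlong "200" greeting, then a normal line. */
    static char wire[1024];
    char line[256];
    struct line_src s = { wire, 0, 0 };

    memcpy(wire, "200 ", 4);
    memset(wire + 4, 'a', 770);
    strcpy(wire + 774, "\r\n200 ok\r\n");
    s.len = strlen(wire);
    printf("first:  %ld\n", read_line_bounded(&s, line, sizeof line));
    printf("second: %ld (%s)\n", read_line_bounded(&s, line, sizeof line), line);
    return 0;
}
```

A caller should treat the -1 return as a protocol error rather than parsing the truncated text as a status line.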