Ooops. mutt used a sender address that is not subscribed.
----- Forwarded message from debian-audit-owner_at_shellcode.org -----
From: Max Vozeler <xam_at_debian.org>
To: Ulf Harnhammar <metaur_at_operamail.com>
Cc: Justin Pryzby <justinpryzby_at_users.sourceforge.net>,
352482_at_bugs.debian.org, debian-audit_at_shellcode.org
Subject: Re: [Debian-audit] Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Mon, 13 Feb 2006 13:46:42 +0100
On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
>
> Well, because of the error message that it prints, and because of
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function). I've been taught that this
> signifies not being exploitable, but I may be wrong.
In my quick test with 2.7-50 from sid, it's the safety checks
in _int_free() that abort the process.
> What do the others in the Debian Security Audit Project think about
> this?
| From: <metaur_at_localhost>
| To: <metaur_at_localhost>
| Subject: metamail crash bug
|
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| metaur_at_metaur:~$
This may in fact be exploitable. The error indicates that a
malloc chunk header has been corrupted. Depending on the exact
circumstances - the version of glibc and the order of memory
allocations/frees in metamail - this may (or may not) be possible
to use for writing to arbitrary memory locations. Without having
looked at it in detail, I would consider this bug exploitable
unless it's proven not to be.
cheers,
Max
----- End forwarded message -----
Received on Mon Feb 13 2006 - 12:50:26 GMT
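The glibc check behind the message Max is describing, as an added example that is not part of this thread or of metamail's code: a constructed model of the malloc chunk header and of the test in _int_free that prints "free(): invalid next size (normal)". The arena layout, the chunk sizes, the boundary-copying routines and the 300-byte boundary are all assumptions made for illustration; the program models the check in its own buffer instead of corrupting the real heap, so it runs to completion rather than aborting.

```c
/* Added example: models why an overlong string copied into a heap buffer
 * ends in "free(): invalid next size (normal)". Constructed; not metamail's
 * code and not glibc's code, only a reimplementation of the check. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SIZE_SZ    (sizeof(size_t))
#define SIZE_BITS  ((size_t)0x7)   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE ((size_t)0x1)

/* glibc's malloc_chunk header: prev_size, then size with flag bits in the low bits. */
struct chunk {
    size_t prev_size;
    size_t size;
};

/* Simulated arena (one page) holding chunk A, the boundary buffer, directly
 * followed by chunk B. Both sizes are above the fastbin range, so free(A)
 * would take the "(normal)" path in glibc. Layout is an assumption. */
#define ARENA_BYTES   4096
#define CHUNK_A_BYTES 256
#define CHUNK_B_BYTES 256
static size_t arena_words[ARENA_BYTES / sizeof(size_t)];   /* size_t-aligned backing store */
#define arena ((unsigned char *)arena_words)

static size_t chunksize(const struct chunk *c) { return c->size & ~SIZE_BITS; }
static unsigned char *chunk2mem(struct chunk *c) { return (unsigned char *)c + 2 * SIZE_SZ; }

static struct chunk *arena_init(void)
{
    struct chunk *a = (struct chunk *)arena;
    struct chunk *b = (struct chunk *)(arena + CHUNK_A_BYTES);
    memset(arena, 0, ARENA_BYTES);
    a->size = CHUNK_A_BYTES | PREV_INUSE;
    b->size = CHUNK_B_BYTES | PREV_INUSE;   /* the "next size" that free(a) validates */
    return a;
}

/* The sanity check _int_free applies to a non-mmapped, non-fastbin chunk
 * before consolidating it: the following chunk's size must be larger than
 * a bare header and smaller than the memory the arena owns (av->system_mem).
 * When it fails, glibc prints "free(): invalid next size (normal)" and
 * aborts. Returns 1 when the check fails. */
static int next_size_check_fails(const struct chunk *p, size_t system_mem)
{
    const struct chunk *next = (const struct chunk *)((const unsigned char *)p + chunksize(p));
    size_t nextsize = chunksize(next);
    return next->size <= 2 * SIZE_SZ || nextsize >= system_mem;
}

/* Copying a MIME boundary into a fixed-size heap buffer with no length
 * check: the shape of bug the report describes (constructed routine). */
static void copy_boundary_unchecked(unsigned char *dst, const char *boundary)
{
    strcpy((char *)dst, boundary);
}

/* Hardened form: truncate to the buffer's usable capacity. */
static void copy_boundary_bounded(unsigned char *dst, size_t cap, const char *boundary)
{
    size_t n = strlen(boundary);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, boundary, n);
    dst[n] = '\0';
}

/* Constructed input: a boundary of len 'A' characters. */
static void make_long_boundary(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* 1: after the unchecked copy, chunk B's size field holds 0x41414141...,
 * which is >= system_mem, so free(A) would abort. */
int demo_unchecked_copy(void)
{
    char boundary[301];
    struct chunk *a = arena_init();
    make_long_boundary(boundary, 300);
    copy_boundary_unchecked(chunk2mem(a), boundary);
    return next_size_check_fails(a, ARENA_BYTES);
}

/* 0: the bounded copy stops inside chunk A and B's header is intact. */
int demo_bounded_copy(void)
{
    char boundary[301];
    struct chunk *a = arena_init();
    make_long_boundary(boundary, 300);
    copy_boundary_bounded(chunk2mem(a), CHUNK_A_BYTES - 2 * SIZE_SZ, boundary);
    return next_size_check_fails(a, ARENA_BYTES);
}

int main(void)
{
    printf("unchecked copy: next-size check %s\n",
           demo_unchecked_copy() ? "fails (glibc would abort)" : "passes");
    printf("bounded copy:   next-size check %s\n",
           demo_bounded_copy() ? "fails" : "passes");
    return 0;
}
```

The point of the model is what the message tells you: the bytes of the boundary ran past the end of the buffer's chunk and into the size field of the chunk after it, and free() noticed only because the clobbered value happened to fail this one range test. As the reply above notes, what can be done with that corruption before the check is reached depends on the glibc version and on the order of allocations and frees, which a model like this does not settle.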