I have found two format string bugs in Hypermail. They could cause crashes if using incremental mode on edited pre-existing archives with data like "%n%n%n%n%n%n%n%n" in certain lines. (OK, that is unlikely to happen very often in real life, but the program shouldn't crash anyway.) Here's a session capture that shows this problem:
$ tar zxvf ~/metaur.tar.gz
metaur/
metaur/0000.html
metaur/0001.html
metaur/0002.html
metaur/date.html
metaur/index.html
metaur/subject.html
metaur/author.html
metaur/attachment.html
(The files metaur and metaur.tar.gz have been attached.)
The bugs are caused by using data from an archive as the format string in fprintf() calls, instead of using "%s" as the format string and the data as parameters.
The bugs have been verified in Hypermail 2.2.0, Hypermail 2.1.8 (as distributed by Debian GNU/Linux) and the latest CVS version.
I have attached a patch against 2.2.0 that fixes both bugs.
// Ulf Harnhammar
http://www.advogato.org/person/metaur/
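The pattern the report describes, as an added illustration that is not part of Ulf Harnhammar's message or of Hypermail's own code: an archive line handed to a printf-family function as the format string, beside the hardened form that keeps the format constant and passes the line as a "%s" argument, plus a small audit helper that counts the directives in a line that would be interpreted. The function names, the buffer-based snprintf() (used instead of fprintf() so the result can be checked) and the sample lines are constructed for this example. The vulnerable function is only exercised with "%%", whose behaviour is well defined; with a line such as "%n%n%n%n%n%n%n%n" every "%n" would write an int through a pointer taken from the stack, which is what produces the crash.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed to mirror the report): the data from
 * the archive is the format string, so every '%' in it is interpreted.
 * The pragmas silence the compiler warning that would otherwise flag
 * exactly this mistake; real code should leave that warning on. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int write_line_vulnerable(char *out, size_t outsz, const char *line)
{
    /* Only ever called here with "%%" directives, which consume no
     * arguments; "%n" or "%s" in the data would read or write memory. */
    return snprintf(out, outsz, line);
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format, archive data as the argument.
 * '%' characters in the line are copied literally. */
static int write_line_safe(char *out, size_t outsz, const char *line)
{
    return snprintf(out, outsz, "%s", line);
}

/* Audit helper (constructed): count directives in a line that would be
 * interpreted if the line were misused as a format string. "%%" is a
 * literal percent sign and is not counted; a lone trailing '%' is
 * counted, since its behaviour as a format is undefined. */
static int count_dangerous_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample lines: a benign one and the report's trigger. */
    const char *benign = "100%% sure";
    const char *trigger = "%n%n%n%n%n%n%n%n";
    char buf[64];

    write_line_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);          /* "%%" collapsed to "%" */
    write_line_safe(buf, sizeof buf, benign);
    printf("safe:       %s\n", buf);          /* data copied verbatim */
    printf("directives in trigger line: %d\n",
           count_dangerous_directives(trigger));
    return 0;
}
```

The audit helper is useful when reviewing an existing archive before running incremental mode on it: any line with a non-zero count would reach the bug in an unpatched build, and zero for every line does not make the bug acceptable, only that input harmless.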
This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT