I believe that the sample quick fix has a bug/typo. The intent (I think) is
to use snprintf() and vsnprintf(), but the patch changes the sprintf's
to snprintf calling conventions (length bound as second argument) while
keeping the name as sprintf. That presumably has awful results as
sprintf treats MAXLINELEN - 100 as a format string.
By the way, Nessus 0.91.1 identifies the vulnerability. I ran into
this problem late last Friday and alerted the qpopper maintainers.
--Elgin
On Tue, Nov 30, 1999 at 01:53:11AM +0100, Mixter wrote:
> # apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
> --- pop_msg.c.old Mon Nov 29 23:42:03 1999
> +++ pop_msg.c Mon Nov 29 23:52:08 1999
> @@ -65,7 +65,7 @@
> /* Append the message (formatted, if necessary) */
> if (format) {
> #ifdef HAVE_VPRINTF
> - vsprintf(mp,format,ap);
> + vsnprintf(mp,MAXLINELEN - 100, format,ap);
> #else
> # ifdef PYRAMID
> arg1 = va_arg(ap, char *);
> @@ -74,9 +74,9 @@
> arg4 = va_arg(ap, char *);
> arg5 = va_arg(ap, char *);
> arg6 = va_arg(ap, char *);
> - (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
> + (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5,
>arg6);
> # else
> - (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
> + (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int
>*)ap)[1],((int *)ap)[2],
> ((int *)ap)[3],((int *)ap)[4]);
> # endif
> #endif
