The following message is of primary interest to software developers using
the UW c-client library. It is NOT a concern to non-programmers or sites
who use UW imapd or ipop3d.

Today's imap-2005 development tarball introduces a major rewrite of the
RFC822 message writing routines in rfc822.c. The old, vulnerable to
buffer overflow, routines:

rfc822_output()
rfc822_header()
rfc822_header_line()
rfc822_address_line()
rfc822_write_address_full() and rfc822_write_address()
rfc822_address()
rfc822_cat()
rfc822_write_body_header()
rfc822_output_body()

have been replaced with new routines:

rfc822_output_full()
rfc822_output_header()
rfc822_output_header_line()
rfc822_output_address_line()
rfc822_output_address_list()
rfc822_output_address()
rfc822_output_cat()
rfc822_output_body_header()
rfc822_output_text()

The old interfaces continue to exist as before, so all existing programs
will continue to work; however these interfaces are now considered to be
legacy and their use is now discouraged.

In addition, as long as the buffer provided to the old interfaces is at
least 16K, they will now fatal() out rather than buffer overflow. Note
that in the case of such strcat()-like routines as rfc822_address() or
rfc822_cat(), that is 16K of free space and *not* 16K of buffer, so it may
still be possible to buffer overflow with the old interfaces.

The new interfaces do not have buffer overflow issues. When the buffer is
filled, they call a routine to output and empty the buffer, and then
resume.

This is an issue for client programs that may use these routines. Pine
generally doesn't use these routines because of the buffer overflow
issues, but apparently some other applications such as PHP do.

The c-client routines smtp_mail() and nntp_mail() have already been
updated to use the new rfc822_output_full() routine instead of the old
rfc822_output() routine. This affects client programs which send mail or
post news using these routines.

Note that this is NOT a UW imapd security issue. UW imapd does not use
any of the routines.

The new interfaces are still subject to change. If you are a software
developer who uses the c-client library and these routines, now is the
time to review these new functions and see if your application can use
them.

If your application does not call any of the legacy functions, then it may
be that the only difference is that it's no longer likely to experience a
buffer overflow when sending a message with a very large to-list.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
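The two buffer-handling designs the post contrasts (the 16K "free space, not buffer" caveat for the strcat()-like legacy routines, and the new routines that drain the buffer through an output routine when it fills), as an added example that is not c-client code and not from the post. legacy_cat_outcome models the legacy guard as a bound on the appended length against an assumed 16K of free space; outbuf, outbuf_puts, write_to_line, sink_flush and demo_large_to_list are hypothetical names for the flush-callback design, and the actual structure and callback types in imap-2005's rfc822.h are not reproduced here. The to-list is constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 16K, the free space the post says the legacy guard assumes; the guard is
 * modelled here, not copied from c-client. A strcat()-style routine gets only
 * a destination pointer, so it can bound the appended length but cannot see
 * the buffer's real capacity or how much of it is already in use.
 * Returns -1 if the guard fatal()s, 1 if the append overruns cap anyway, 0 if it fits. */
#define LEGACY_FREE_SPACE 16384
int legacy_cat_outcome(size_t used, size_t src_len, size_t cap)
{
    if (src_len + 1 > LEGACY_FREE_SPACE) return -1;   /* guard fires */
    return used + src_len + 1 > cap;                  /* invisible to the guard */
}

/* Bounded writer with a flush callback (hypothetical names): fill the buffer,
 * drain it through the callback, resume. Nothing is ever written past end. */
typedef int (*flush_fn)(void *ctx, const char *data, size_t n);
struct outbuf {
    char *beg, *cur, *end;   /* [beg, end) is the buffer; cur is the write point */
    flush_fn flush;          /* drains [beg, cur) to the real destination */
    void *ctx;               /* passed through to flush */
};

static int outbuf_flush(struct outbuf *b)
{
    size_t n = (size_t)(b->cur - b->beg);
    b->cur = b->beg;
    return (n && b->flush(b->ctx, b->beg, n) != 0) ? -1 : 0;
}

int outbuf_puts(struct outbuf *b, const char *s)
{
    for (size_t len = strlen(s); len; ) {
        size_t room = (size_t)(b->end - b->cur);
        if (room == 0) { if (outbuf_flush(b) != 0) return -1; continue; }  /* full: drain */
        size_t n = len < room ? len : room;    /* copy only what fits */
        memcpy(b->cur, s, n);
        b->cur += n; s += n; len -= n;
    }
    return 0;
}

/* Emit "To: a, b, c\r\n" for an address list of any length. */
int write_to_line(struct outbuf *b, const char **addrs, size_t count)
{
    if (outbuf_puts(b, "To: ") != 0) return -1;
    for (size_t i = 0; i < count; i++)
        if ((i && outbuf_puts(b, ", ") != 0) || outbuf_puts(b, addrs[i]) != 0) return -1;
    if (outbuf_puts(b, "\r\n") != 0) return -1;
    return outbuf_flush(b);
}

/* Sink that collects everything flushed so the output can be checked; a real
 * mailer's callback would hand each chunk to the SMTP connection instead. */
struct sink { char *data; size_t len, cap; };
static int sink_flush(void *ctx, const char *data, size_t n)
{
    struct sink *s = ctx;
    if (s->len + n + 1 > s->cap) {
        size_t ncap = s->cap ? s->cap : 256;
        while (ncap < s->len + n + 1) ncap *= 2;
        char *p = realloc(s->data, ncap);
        if (!p) return -1;
        s->data = p; s->cap = ncap;
    }
    memcpy(s->data + s->len, data, n);
    s->len += n; s->data[s->len] = '\0';
    return 0;
}

/* Stream a constructed to-list of `recipients` addresses through a 64-byte
 * buffer. Returns the bytes delivered to the sink if the total matches the
 * expected length and the line is framed correctly, 0 otherwise. */
size_t demo_large_to_list(size_t recipients)
{
    char buf[64], *pool = malloc(40 * (recipients + 1));
    const char **addrs = malloc(sizeof *addrs * (recipients + 1));
    struct sink sk = { NULL, 0, 0 };
    struct outbuf ob = { buf, buf, buf + sizeof buf, sink_flush, &sk };
    size_t expected = 4 + 2, got = 0;           /* "To: " plus "\r\n" */
    if (pool && addrs) {
        for (size_t i = 0; i < recipients; i++) {
            addrs[i] = pool + 40 * i;           /* constructed sample address */
            snprintf(pool + 40 * i, 40, "user%zu@example.test", i);
            expected += strlen(addrs[i]) + (i ? 2 : 0);
        }
        if (write_to_line(&ob, addrs, recipients) == 0 && sk.len == expected &&
            strncmp(sk.data, "To: ", 4) == 0 && memcmp(sk.data + sk.len - 2, "\r\n", 2) == 0)
            got = sk.len;
    }
    free(pool); free(addrs); free(sk.data);
    return got;
}

int main(void)
{
    printf("8K appended to a 16K buffer already holding 10K: outcome %d\n",
           legacy_cat_outcome(10240, 8192, 16384));
    printf("To: line for 1000 recipients through a 64-byte buffer: %zu bytes\n",
           demo_large_to_list(1000));
    return 0;
}
```

The legacy model shows the caveat directly: an 8K append passes a guard that only bounds the appended length, yet overruns a 16K buffer that already holds 10K, because the guard has no view of capacity or current fill. The bounded writer never touches memory past end; the callback, not the buffer size, decides how much output a message may produce, which is why a very large to-list stops being a problem.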