8529595 2002-05-31 15:39 +0200 /26 lines/ Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Sent by: joel@lysator.liu.se
Imported: 2002-05-31 19:14 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22469>
Comment on text 8476734 by <bugzilla@redhat.com>
Subject: Re: [RHSA-2002:047-10] Updated fetchmail packages available
------------------------------------------------------------
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: bugtraq@securityfocus.com
Message-ID: <873cw8e8rm.fsf@CERT.Uni-Stuttgart.DE>

bugzilla@redhat.com writes:

> Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1,
> 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched
> versions of fetchmail prior to 5.9.10.

It appears that this vulnerability is caused by some alloca()
implementations which do not return zero if the caller requests more
memory than is available.

Red Hat's patch does not address the root of the problem by fixing
alloca() (a problem which might be of more generic nature and could
well be present in other software as well), but it bounds the
requested memory by something which appears to be a rather arbitrary
constant.

-- 
Florian Weimer            Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898
(8529595) /Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>/
Comment in text 8530133 by Nate Eldredge <neldredge@hmc.edu>

8530133 2002-05-31 13:27 -0700 /44 lines/ Nate Eldredge <neldredge@hmc.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-05-31 22:51 by Brevbäraren
External recipient: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22475>
Comment on text 8529595 by Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: [RHSA-2002:047-10] Updated fetchmail packages available
------------------------------------------------------------
From: Nate Eldredge <neldredge@hmc.edu>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: bugtraq@securityfocus.com
Message-ID: <15607.56505.741190.160104@archdiocese.st.hmc.edu>

Florian Weimer writes:
> bugzilla@redhat.com writes:
>
> > Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1,
> > 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched
> > versions of fetchmail prior to 5.9.10.
>
> It appears that this vulnerability is caused by some alloca()
> implementations which do not return zero if the caller requests more
> memory than is available.

This is hard to do. Since alloca memory is on the stack, you have to
know where the bottom of the stack is. You can get the stack size from
getrlimit(2), but now you need to know where the top is. On Linux at
least, this is a compile-time kernel constant whose value depends on
such things as the amount of memory in the machine. I'm not aware of
any good way to query it.

Furthermore, having to do a getrlimit(2) on each alloca call tends to
defeat the purpose of alloca, which is mainly to be very fast. On many
systems it's a single instruction. But if you throw in the system
call, then you might as well call `malloc' instead.

> Red Hat's patch does not address the root of the problem by fixing
> alloca() (a problem which might be of more generic nature and could
> well be present in other software as well), but it bounds the
> requested memory by something which appears to be a rather arbitrary
> constant.

Is there more information about the vulnerability somewhere, or maybe
an exploit? I see the bug, but I'm not sure I understand how it's
exploitable, or how the given patch fixes it.

-- 
Nate Eldredge
neldredge@hmc.edu
(8530133) /Nate Eldredge <neldredge@hmc.edu>/
Comment in text 8530273 by Olaf Kirch <okir@caldera.de>

8530273 2002-05-31 23:16 +0200 /22 lines/ Olaf Kirch <okir@caldera.de>
Sent by: joel@lysator.liu.se
Imported: 2002-05-31 23:43 by Brevbäraren
External recipient: Nate Eldredge <neldredge@hmc.edu>
External CC recipient: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22477>
Comment on text 8530133 by Nate Eldredge <neldredge@hmc.edu>
Subject: Re: [RHSA-2002:047-10] Updated fetchmail packages available
------------------------------------------------------------
From: Olaf Kirch <okir@caldera.de>
To: Nate Eldredge <neldredge@hmc.edu>
Cc: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, bugtraq@securityfocus.com
Message-ID: <20020531231657.A15147@monad.caldera.de>

On Fri, May 31, 2002 at 01:27:37PM -0700, Nate Eldredge wrote:
> Linux at least, this is a compile-time kernel constant whose value
> depends on such things as the amount of memory in the machine. I'm
> not aware of any good way to query it.

environ will usually point to some location near the top of the stack.
setproctitle somehow finds the top stack page, too, but I don't recall
how it does it.

Olaf
-- 
Olaf Kirch         |  Anyone who has had to work with X.509 has probably
okir@caldera.de    |  experienced what can best be described as
------------------+  ISO water torture. -- Peter Gutmann
(8530273) /Olaf Kirch <okir@caldera.de>/
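The two defensive options discussed in this thread, a fixed cap on what may go through alloca() (the Red Hat approach) and a live estimate built from getrlimit(2) plus environ as a top-of-stack landmark (Nate's objection, Olaf's hint), as an added C example that is not code from any of the posters or from fetchmail. STACK_SCRATCH_MAX and both function names are constructed for this illustration, and the environ-based estimate is a Linux heuristic, not a guarantee; the point it makes is that alloca() cannot report failure, so oversized requests must be diverted to malloc(), which can.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
extern char **environ;

/* Constructed cap: requests at or above it go to the heap, where failure
   is reported by a NULL return; alloca() has no such signal. */
#define STACK_SCRATCH_MAX 4096

/* Rough estimate of usable stack bytes: RLIMIT_STACK minus the distance
   from environ (near the top of the stack, as Olaf notes) to a local in
   this frame.  -1 when no estimate is possible. */
long stack_bytes_remaining_estimate(void)
{
    struct rlimit rl;
    char marker;
    uintptr_t top = (uintptr_t)environ, here = (uintptr_t)&marker;
    if (getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return -1;
    if (top <= here || top - here >= (uintptr_t)rl.rlim_cur)
        return -1;                  /* environ not above us, or limit exceeded */
    return (long)((uintptr_t)rl.rlim_cur - (top - here));
}

/* Copies len bytes of src into a NUL-terminated scratch buffer and returns
   its length, or -1 if the heap allocation fails.  Small requests that also
   fit the live estimate use alloca(); the rest use malloc(), so an oversized
   request fails detectably instead of overrunning the stack. */
long scratch_copy_len(const char *src, size_t len)
{
    char *buf;
    int on_heap = 0;
    long room = stack_bytes_remaining_estimate();
    if (len < STACK_SCRATCH_MAX && (room < 0 || (long)len + 1 < room / 2)) {
        buf = alloca(len + 1);      /* no NULL check is possible here */
    } else {
        buf = malloc(len + 1);
        if (buf == NULL) return -1; /* failure is reportable on this path */
        on_heap = 1;
    }
    memcpy(buf, src, len);
    buf[len] = '\0';
    long n = (long)strlen(buf);
    if (on_heap)
        free(buf);
    return n;
}
```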