181324 2007-06-08 16:50 0000 mail-filter/policyd < 1.81 heap based buffer overflow in w_read() (CVE-2007-3791) 2007-07-30 04:19:01 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED ~1? [noglsa] P2 normal --- 1 falco@gentoo.org security@gentoo.org net-mail@gentoo.org strerror@gentoo.org falco@gentoo.org 2007-06-08 16:50:42 0000 policyd.h defines: char buf[MAXFDS][MAXLINE]; policyd.c calls: rres = w_read(sockfd,buf[sockfd]); in sockets.c, w_read begins with: ssize_t w_read(unsigned int fd, char *ptr) { ssize_t n; size_t data_read = 0; /* for debug only */ /* receive data. disable signals are do not wait */ while ((n = recv(fd, (void *) ptr + buf_counter[fd], 1, MSG_DONTWAIT | MSG_NOSIGNAL)) == 1) ... unfortunately the while() loop can go further than the allocated size of *ptr. (by entering overly long SMTP commands, >1024 bytes). This loop needs to be changed like this, for example: ssize_t w_read(unsigned int fd, char *ptr, unsigned int w_size) while(( n = (....)) && buf_counter[fd] < w_size ){...} you also may want to properly set buf[sockfd][MAXSIZE-1] = '\n'; , that can't hurt. with a lot of connections, buf_counter[MAXFDS-1][] will be overflowed and the next variables that reside in .bss will be overwritten. This can potentialy be used to overwrite random stuff in the heap, and maybe terminate the daemon or remotely execute arbitrary code. falco@gentoo.org 2007-06-08 16:51:33 0000 upstream mailed py@gentoo.org 2007-07-29 21:52:40 0000 This is public now. strerror, please provide the updated ebuild. strerror@gentoo.org 2007-07-30 00:58:45 0000 apologies on the delay, in cvs now