Bug 78530 - net-nntp/newspost 2.1.1 buffer overflow issue (CAN-2005-0101)
Summary: net-nntp/newspost 2.1.1 buffer overflow issue (CAN-2005-0101)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://people.freebsd.org/~niels/issu...
Whiteboard: B2 [glsa] lewk
Reported: 2005-01-18 09:22 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-02-02 16:25 UTC (History)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 09:22:21 UTC
An overflow exists in the socket_getline() function. This function
reads a string from the socket into a given array and is used by
the nntp_get_response function.

The problem code is:

        while (TRUE) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
                read_count += retval;
                pi++;
                if (buffer[i] == '\n')
                        break;
                i++;
        }

The pi array is the buffer and data is read into it until a '\n'
is received.  So to overflow the buffer one has to provide a long
string without newline characters.

Testing the overflow:
---------------------

Create a server:
perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'|  nc -v -l -p 119

Connect to it:
newspost  -s test -i localhost -f me@me.nl -n news.news  /etc/hosts

Break the connection by ^C'ing the netcat and you will see that
newspost segfaults immediately.

Fix for the problem:
--------------------

A rather simple fix would be to apply the patch below. It does the
job because all buffers handed to the socket_getline function are
STRING_BUFSIZE big.

--- base/socket.c.orig  Tue Jan 18 11:08:02 2005
+++ base/socket.c       Tue Jan 18 11:10:08 2005
@@ -126,7 +126,7 @@

        i = 0;
        pi = buffer;
-       while (TRUE) {
+       while (read_count < STRING_BUFSIZE - 1) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
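Review bot: the new loop condition bounds read_count, but pi and i still advance on every iteration even when read() returns 0 (EOF, which is exactly what ^C'ing the netcat produces), so the write position can still run past the end of buffer while read_count stays below STRING_BUFSIZE - 1. Break out when retval == 0 (or bound the loop on i, which tracks the write position rather than the byte count), and make sure the line handed back to nntp_get_response is NUL-terminated. Passing the buffer length into socket_getline() instead of hard-coding STRING_BUFSIZE would also keep a future caller with a smaller buffer from reintroducing the overflow.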
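As an added illustration (not code from this report or from newspost), a bounded replacement for the socket_getline() loop: it limits the bytes stored rather than read_count, stops on EOF, and always NUL-terminates, then replays the report's long-line-without-newline case through a pipe standing in for the NNTP socket. STRING_BUFSIZE is assumed to be 1024, and safe_getline, getline_from_bytes and overlong_line_is_contained are hypothetical names.

```c
#include <string.h>
#include <unistd.h>

#define STRING_BUFSIZE 1024  /* assumed value; newspost's real size is not shown on the page */

/* Hardened stand-in for socket_getline(): one byte at a time until '\n', EOF or a
 * full buffer; always NUL-terminates. Returns bytes stored (0 on bare EOF) or -1 on error. */
ssize_t safe_getline(int sockfd, char *buffer, size_t bufsize)
{
    size_t n = 0;
    if (bufsize == 0) return -1;
    while (n < bufsize - 1) {                    /* bound on bytes stored, not on read_count */
        char c;
        ssize_t retval = read(sockfd, &c, 1);
        if (retval < 0) { buffer[n] = '\0'; return -1; }
        if (retval == 0) break;                  /* EOF: the peer hung up, stop advancing */
        buffer[n++] = c;
        if (c == '\n') break;
    }
    buffer[n] = '\0';
    return (ssize_t)n;
}

/* Feed constructed bytes through a pipe (stand-in for the socket) and read one line back. */
ssize_t getline_from_bytes(const char *payload, size_t len, char *out, size_t outsize)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t wrote = write(fds[1], payload, len);
    close(fds[1]);                               /* writer gone: read() returns 0, like the ^C'd netcat */
    ssize_t got = (wrote == (ssize_t)len) ? safe_getline(fds[0], out, outsize) : -1;
    close(fds[0]);
    return got;
}

/* Replay the report's overlong line (no '\n' at all) into a STRING_BUFSIZE buffer with a
 * guard byte right after it. Returns 1 if nothing spilled and the result is NUL-terminated. */
int overlong_line_is_contained(size_t payload_len)
{
    struct { char buf[STRING_BUFSIZE]; char guard; } dst;
    char payload[4096];
    if (payload_len > sizeof payload) return 0;
    memset(payload, 'A', payload_len);           /* constructed input, no newline anywhere */
    dst.guard = 0x7f;
    ssize_t got = getline_from_bytes(payload, payload_len, dst.buf, sizeof dst.buf);
    size_t want = payload_len < STRING_BUFSIZE ? payload_len : STRING_BUFSIZE - 1;
    return got == (ssize_t)want && dst.buf[got] == '\0' && dst.guard == 0x7f;
}
```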
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 09:23:24 UTC
Upstream has been notified of disclosure date.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 08:23:11 UTC
net-news please provide an updated ebuild. Upstream has apparently not released a fixed version.
Comment 3 Sven Wegener gentoo-dev 2005-02-01 08:52:05 UTC
net-nntp/newspost-2.0-r1
net-nntp/newspost-2.1.1-r1

with the patch in CVS and stable on x86. 2.0 is still needed because net-nntp/gnewspost depends on it.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-02-02 16:25:43 UTC
GLSA 200502-05, thanks everyone!