Debian Bug report logs - #313306
mailx: Crashes when command line contains many digits

Package: mailx; Maintainer for mailx is (unknown);

Reported by: metaur@telia.com

Date: Sun, 12 Jun 2005 23:33:04 UTC

Severity: normal

Tags: patch

Found in version 1:8.1.2-0.20040524cvs-4

Fixed in version mailx/1:8.1.2-0.20050715cvs-1

Done: Robert Luberda <robert@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Robert Luberda <robert@debian.org>:
Bug#313306; Package mailx.


Acknowledgement sent to metaur@telia.com:
New Bug report received and forwarded. Copy sent to Robert Luberda <robert@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Ulf Harnhammar <metaur@telia.com>
To: submit@bugs.debian.org
Subject: mailx: Crashes when command line contains many digits
Date: Mon, 13 Jun 2005 01:27:14 +0200
Subject: mailx: Crashes when command line contains many digits
Package: mailx
Version: 1:8.1.2-0.20040524cvs-4
Severity: normal
Tags: patch

Hello,

mailx crashes when you give it a command line containing thousands of digits,
as shown in this example:


metaur@metaur:~/mailx-bug$ perl -e 'print "9"x2150, "\n";' | /usr/bin/mailx -f mailbox
Mail version 8.1.2 01/15/2001.  Type ? for help.
"mailbox": 1 message
>   1 metaur@localhost.  Sun May 29 01:52   18/592   hi
-1: Invalid message number
"Source" stack over-pop.
Segmentation fault
metaur@metaur:~/mailx-bug$


This crash is caused by a buffer overflow. I see no security implications of this bug,
since that part of the code deals with data from the user and not data from e-mail
messages and since it only copies digits anyway. It is still worth fixing to improve
quality and stability.

I have attached a patch and the mailbox I used in the example above (it should work
with any mailbox file, though).

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages mailx depends on:
ii  base-files                  3.1.2        Debian base system miscellaneous f
ii  exim4                       4.50-8       metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail-tr 4.50-8       lightweight exim MTA (v4) daemon
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  liblockfile1                1.06         NFS-safe locking library, includes

-- no debconf information

[mailx.digit_bufoflow.patch (text/plain, attachment)]
[mailbox (text/plain, attachment)]
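
An added illustration of the bug class described in the report above: a run of digits copied into a fixed-size buffer with and without a length check. This is not mailx's list.c and not the attached patch, neither of which appears on this page; the function names and the NUMBUF size are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NUMBUF 64 /* assumed size; the page does not show the real buffer */

/* Unsafe pattern: every digit is copied, with no bound on the destination. */
const char *scan_digits_unbounded(const char *in, char *out)
{
    while (isdigit((unsigned char)*in))
        *out++ = *in++; /* runs past out[] once the digit run exceeds it */
    *out = '\0';
    return in;
}

/* Bounded form: never writes beyond out[outsz - 1]. Returns the first
 * unconsumed character, or NULL when the digit run does not fit, so the
 * caller can report an invalid message number instead of crashing. */
const char *scan_digits_bounded(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return NULL;
    while (isdigit((unsigned char)*in)) {
        if (n + 1 >= outsz) { /* keep one byte for the terminator */
            out[0] = '\0';
            return NULL;
        }
        out[n++] = *in++;
    }
    out[n] = '\0';
    return in;
}

/* Constructed input mirroring the report: a line of 2150 '9' characters. */
int demo_long_line_rejected(void)
{
    char line[2151], num[NUMBUF];
    memset(line, '9', 2150);
    line[2150] = '\0';
    return scan_digits_bounded(line, num, sizeof num) == NULL && num[0] == '\0';
}

int main(void)
{
    printf("2150-digit line rejected: %d\n", demo_long_line_rejected());
    return 0;
}
```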

Reply sent to Robert Luberda <robert@debian.org>:
You have taken responsibility.


Notification sent to metaur@telia.com:
Bug acknowledged by developer.


Message #10 received at 313306-close@bugs.debian.org:

From: Robert Luberda <robert@debian.org>
To: 313306-close@bugs.debian.org
Subject: Bug#313306: fixed in mailx 1:8.1.2-0.20050715cvs-1
Date: Thu, 14 Jul 2005 19:49:45 -0400
Source: mailx
Source-Version: 1:8.1.2-0.20050715cvs-1

We believe that the bug you reported is fixed in the latest version of
mailx, which is due to be installed in the Debian FTP archive:

mailx_8.1.2-0.20050715cvs-1.diff.gz
  to pool/main/m/mailx/mailx_8.1.2-0.20050715cvs-1.diff.gz
mailx_8.1.2-0.20050715cvs-1.dsc
  to pool/main/m/mailx/mailx_8.1.2-0.20050715cvs-1.dsc
mailx_8.1.2-0.20050715cvs-1_i386.deb
  to pool/main/m/mailx/mailx_8.1.2-0.20050715cvs-1_i386.deb
mailx_8.1.2-0.20050715cvs.orig.tar.gz
  to pool/main/m/mailx/mailx_8.1.2-0.20050715cvs.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 313306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated mailx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 15 Jul 2005 00:28:33 +0200
Source: mailx
Binary: mailx
Architecture: source i386
Version: 1:8.1.2-0.20050715cvs-1
Distribution: unstable
Urgency: low
Maintainer: Robert Luberda <robert@debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description: 
 mailx      - A simple mail user agent
Closes: 313306
Changes: 
 mailx (1:8.1.2-0.20050715cvs-1) unstable; urgency=low
 .
   * New upstream version from OpenBSD CVS repository:
     + fixed segfault in list.c (closes: #313306).
   * Standard-Version: 3.6.2 (no changes).
Files: 
 248f2ec3d13a29ac1eedcb8eb4c2ab1f 633 mail important mailx_8.1.2-0.20050715cvs-1.dsc
 3ba08abd8bbd0a87ea5bad05cded3bc3 94664 mail important mailx_8.1.2-0.20050715cvs.orig.tar.gz
 38de40f8b082f4d592262c04275e2f30 36758 mail important mailx_8.1.2-0.20050715cvs-1.diff.gz
 166fffae0e1ce008d92492dd17a7211a 155018 mail important mailx_8.1.2-0.20050715cvs-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1uhbThh1cJ0wnDsRAgI9AJ94YIXGebhtaMYczzQpthe5iIq95QCfeRhT
MdqjB1Oq/ikQbwsuawfpPK8=
=oHus
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 11:18:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 13 16:16:33 2021; Machine Name: buxtehude
