[Mimedefang] SECURITY: Flaw in MIMEDefang <= 2.50

[David F. Skoll]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, all.

I've discovered a bug in MIMEDefang versions up to 2.50.  (2.51 is
fixed.)  The bug is a theoretical vulnerability only; I don't believe
it's exploitable.  Nevertheless, I suggest upgrading to 2.51 just to
be prudent.

A full description of the flaw follows.

Regards,

David.

MIMEDefang Flaw Description
===========================

In versions of MIMEDefang prior to 2.51, the "percent_encode" function
in mimedefang.c had an error.  An attacker could cause a single zero
byte to be written up to 8kB beyond an allocated buffer.  Note that
this isn't a classic buffer overflow in which the attacker can write
arbitrary data; instead, only a single zero byte can be written at
an even memory address up to 8kB beyond the buffer.

In order to carry out this attack, the attacker must be able to force
a sender or recipient address into MIMEDefang that is longer than
approximately 4kB.  Since Sendmail rejects e-mail addresses longer
than about 2kB, we do not believe it's possible to actually exploit
this flaw via an SMTP session.  Furthermore, default permissions on
the MIMEDefang socket should prevent a local attack, since the default
permissions do not permit normal local users to connect to MIMEDefang.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFCC6T0wYQuKhJvQuARAlm4AKCohmflo6Z/+7VVoPlCtJOn1KJQMQCfRyLc
seTEr/FFbNu2vVA4uCY15V8=
=oGb8
-----END PGP SIGNATURE-----