
Re: [leafnode-list] Is leafnode vulnerable to buffer overflows?



Malte Gell <malte_gell@xxxxxx> writes:

> Hello,
>
> I'm (still) using 1.9.25rel and just had a warning message that a
> message just received from the upstream server contained illegal
> headers, it seems this message was deleted by leafnode, it's not in
> /var/spool/news/... and so I can't tell the message-id, it came from
> de.comp.os.unix.apps.kde
>
> This event just led me to the question, whether leafnode in general or
> version 1.9.25rel could ever be attacked by a message with badly
> malformed headers to execute remote commands?

I believe the risk is low.

I'm not aware of any in 1.9.30.devel4 and did not fix such bugs
recently; usually, leafnode will not work with static buffers without
checking the length; particularly, data read from the network or from
files is read into a dynamically allocated buffer.

OTOH, I did not write all of leafnode's code, and I may have missed a
problem, but I used rats/flawfinder and I made many changes to get rid
of fixed-size buffers.

Remember that there is no guarantee.

Even if a problem were found, and if this problem could actually be
exploited to mount a stack smashing attack, leafnode would only run as
user "news" to limit the impact of that.

Usually, "illegal headers" is a hint to a missing required header, a
posting which no server should have passed on in the first place. A
debug log (see README) of leafnode 1.9.29 or 1.9.30.devel4 would tell
you more.

-- 
Matthias Andree
leafnode-1 download: http://sourceforge.net/projects/leafnode/
leafnode-1 docs/new: http://mandree.home.pages.de/leafnode/
leafnode-2 homepage: http://mandree.home.pages.de/leafnode/beta/
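As an added illustration of the two points above (data from the network goes into a dynamically grown buffer with a length check, and an article missing a required header is rejected rather than stored), here is example C code that is not leafnode's own; the in-memory byte source, the MAX_LINE value and the header check are assumptions made for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory byte source standing in for the NNTP connection. */
struct src { const char *data; size_t len, pos; };
static int src_getc(struct src *s) {
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}
#define MAX_LINE 8192  /* hypothetical per-line cap, not leafnode's own value */

/* Reads one line (without the '\n') into a heap buffer that grows on demand.
 * Returns 1 and sets *out (caller frees), 0 at EOF with nothing read, or -1 if
 * the line exceeds MAX_LINE: oversized input is rejected, never written past cap. */
static int read_line_dyn(struct src *s, char **out) {
    size_t cap = 64, n = 0;
    char *buf = malloc(cap);
    if (!buf) return -1;
    for (;;) {
        int c = src_getc(s);
        if (c == EOF && n == 0) { free(buf); return 0; }
        if (c == EOF || c == '\n') break;
        if (n + 2 > cap) {                    /* need room for byte plus NUL */
            if (cap >= MAX_LINE) { free(buf); return -1; }
            char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); return -1; }
            buf = tmp; cap *= 2;
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    *out = buf;
    return 1;
}

/* Scans the header block of an article for a required header such as
 * "Message-ID:" (exact-case match for brevity). Returns 1 if present,
 * 0 if missing, -1 if a line was rejected by read_line_dyn. */
static int has_header(const char *article, const char *name) {
    struct src s = { article, strlen(article), 0 };
    size_t nlen = strlen(name);
    int found = 0, rc;
    char *line;
    while ((rc = read_line_dyn(&s, &line)) == 1) {
        int blank = line[0] == '\0';            /* blank line ends the headers */
        if (!blank && strncmp(line, name, nlen) == 0) found = 1;
        free(line);
        if (blank) break;
    }
    return rc == -1 ? -1 : found;
}
```

A caller that treats a 0 or -1 result as "illegal headers, drop the article" gets the behaviour described in the reply without ever copying attacker-controlled bytes into a fixed-size stack buffer.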

-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list