[INN-COMMITTERS] STABLE-2_3 inn/innfeed (misc.c)

Forrest J. Cavalier III mibsoft at epix.net
Fri Jun 30 05:08:41 UTC 2000



> SECURITY: Possible stack overflow in innfeed caused by passing potential
> user data to syslog as the format parameter.

Not.

Unless I misunderstand totally, the only way there is a potential overflow
is if untrusted non-user-news data gets into the logged output.

I'd like someone to show me where that could happen.  I mean the
inndstart wrapper script had the July 1999 defect fix, and therefore
will read only a news-owned inn.conf, and innfeed.conf, right?

Remember there are many, many places in INN which could have buffer
overflows, due to unchecked maximum string lengths for file names
etc. specified in configuration files, etc.  If startinnfeed can
be tricked into reading non-news-owned config files, then I'd guess
there are other overflows lurking.

Again: unless the overflow happens with untrusted non-user-news data,
these are annoyances, not security defects.  

If annoyances like this bother you, you already ran away from INN
screaming long ago.  [And if you are Barry, you came back anyway.]

I don't mind that this one got fixed, but can we reserve all the
hype generated by mentioning the word "SECURITY" for actual
security defects, not every potential buffer overflow or stack
smash?

And somebody please check that startinnfeed/ReadInnConf cannot
be tricked into reading non-user-news configuration files.  That
is really, really important.

Forrest
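
The check requested at the end of the message above, sketched as an added example; it is not part of the original post and is not INN code. The name `open_trusted_config`, the sample file path and the policy (regular file, owned by the expected uid, not writable by group or others) are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not an INN function). Opens `path` and returns the
 * descriptor only if it is a regular file owned by `owner` and not writable
 * by group or others; returns -1 otherwise. The caller reads the config
 * through the returned descriptor. */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    /* fstat() the open descriptor instead of stat()ing the path, so the
     * file that was checked is the same file that gets read afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Builds a constructed sample file with the given mode and reports whether
 * the check accepts it for `owner`: 1 accepted, 0 rejected, -1 setup error. */
int demo_check(mode_t mode, uid_t owner)
{
    char path[] = "/tmp/innconf-demo-XXXXXX"; /* constructed sample path */
    int tmp = mkstemp(path);
    int fd, ok;

    if (tmp < 0)
        return -1;
    if (fchmod(tmp, mode) != 0) { close(tmp); unlink(path); return -1; }
    close(tmp);
    fd = open_trusted_config(path, owner);
    ok = (fd >= 0);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("0644, own uid:   %d\n", demo_check(0644, geteuid()));
    printf("0666, own uid:   %d\n", demo_check(0666, geteuid()));
    printf("0644, other uid: %d\n", demo_check(0644, geteuid() + 1));
    return 0;
}
```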





More information about the inn-workers mailing list