Path: utzoo!mnetor!uunet!epiwrl!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.software.b
Subject: Bug found! (was: Strange Core Dumps)
Message-ID: <1729@epimass.EPI.COM>
Date: 13 Dec 87 23:29:22 GMT
References: <2122@crash.cts.com> <7961@princeton.Princeton.EDU> <3618@hoptoad.uucp>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 37
Summary: Message-IDs with a % character may be fatal to inews
In article <3618@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>pep@princeton.Princeton.EDU (Pat Parseghian) wrote:
>> - The offending articles are the only ones in my history file with a "%" in a
>> Message-ID.
>> - One of the articles () has a References line
>> that is not a valid Message-ID (to the best of my understanding).
>
>It occurs to me that if somehow a string like this was passed to "printf"
>or maybe "scanf", the big number after the % might cause havoc, like an
>attempt to malloc() a large amount of memory.
With John's posting as a clue, I looked for unprotected printf
calls, and I believe I've found it. In the broadcast function in
file ifuncs.c, there appears the call
log (sentbuf);
"sentbuf" is a string formed by strcat calls; the result is a line in
your /usr/lib/news/log file like
Dec 13 13:08 ucat <2224@dasys1.UUCP> sent to epiwrl, frs, csi
The first argument to "log" is a printf format string. It contains
the message-ID. So any message-ID with a % is potentially fatal to
inews.
Solution: change this call, and any others, to never give a first
argument to log or logerr unless it's certain there's no % in it.
Meanwhile, it might be a good idea for those people whose message
IDs contain a % to change them, since it'll take a while to get this
bug fixed everywhere. This is even though it's a perfectly legal
Message-ID according to the standard.
--
- Joe Buck {uunet,ucbvax,sun,decwrl,}!epimass.epi.com!jbuck
Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
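The bug pattern and the two fixes the post proposes, as an added C example that is not the original ifuncs.c code: log_fmt is a constructed stand-in for B News's log(), and log_sent, log_sent_legacy and has_conversion are names assumed here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the news log() routine: first argument is a printf format,
 * output goes to a fixed buffer instead of /usr/lib/news/log. */
static char logline[256];

static int log_fmt(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(logline, sizeof logline, fmt, ap);
    va_end(ap);
    return n;
}

const char *last_logline(void) { return logline; }

/* The check the post asks for: is it certain there is no % in the data?
 * <2224@dasys1.UUCP> passes; a legal ID such as <abc%123@host> does not. */
int has_conversion(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Preferred fix: data always travels through "%s", never as the format,
 * so a % in the message-ID is copied literally into the log line. */
int log_sent(const char *msgid, const char *sites)
{
    char sentbuf[200];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to %s", msgid, sites);
    return log_fmt("%s", sentbuf);
}

/* The broadcast() shape, log(sentbuf), kept only with the guard the post
 * recommends: the string is used as a format only when it is %-free;
 * otherwise the call is refused (returns -1) instead of crashing inews. */
int log_sent_legacy(const char *msgid, const char *sites)
{
    char sentbuf[200];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to %s", msgid, sites);
    if (has_conversion(sentbuf))
        return -1;
    return log_fmt(sentbuf);   /* safe only because sentbuf has no % */
}
```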