Path: utzoo!mnetor!uunet!epiwrl!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.software.b
Subject: Bug found! (was: Strange Core Dumps)
Message-ID: <1729@epimass.EPI.COM>
Date: 13 Dec 87 23:29:22 GMT
References: <2122@crash.cts.com> <7961@princeton.Princeton.EDU> <3618@hoptoad.uucp>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 37
Summary: Message-IDs with a % character may be fatal to inews

In article <3618@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>pep@princeton.Princeton.EDU (Pat Parseghian) wrote:
>> - The offending articles are the only ones in my history file with a "%" in a
>>   Message-ID.
>> - One of the articles () has a References line
>>   that is not a valid Message-ID (to the best of my understanding).
>
>It occurs to me that if somehow a string like this was passed to "printf"
>or maybe "scanf", the big number after the % might cause havoc, like an
>attempt to malloc() a large amount of memory.

With John's posting as a clue, I looked for unprotected printf
calls, and I believe I've found it.  In the broadcast function in
file ifuncs.c, there appears the call

	log (sentbuf);

"sentbuf" is a string formed by strcat calls; the result is a line in
your /usr/lib/news/log file like

Dec 13 13:08	ucat	<2224@dasys1.UUCP> sent to epiwrl, frs, csi

The first argument to "log" is a printf format string.  It contains
the message-ID.  So any message-ID with a % is potentially fatal to
inews.

Solution: change this call, and any others, to never give a first
argument to log or logerr unless it's certain there's no % in it.

Meanwhile, it might be a good idea for those people whose message
IDs contain a % to change them, since it'll take a while to get this
bug fixed everywhere.  This is even though it's a perfectly legal
Message-ID according to the standard.

-- 
- Joe Buck  {uunet,ucbvax,sun,decwrl,}!epimass.epi.com!jbuck
	    Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
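The fix the post describes, as an added example (not code from the post or from B News): a stand-in for the log routine whose first argument is a printf format, a hardened caller that passes message data only through a fixed "%s" format, the "sent to" line built with snprintf instead of strcat, and the "%" check the post proposes. The names news_log, log_message, build_sent_line and contains_percent are assumptions, and the routine writes to a buffer rather than /usr/lib/news/log so the result can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Last line "written" by the log routine; a file in the real program. */
static char last_log[LOGBUF];

/* Hypothetical stand-in for inews's log(): like the original, the first
 * argument is a printf format. Whatever reaches fmt is interpreted, which is
 * why untrusted data (a Message-ID) must never be passed here directly.
 * Returns the number of bytes formatted. */
static int news_log(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened call: the data is an argument, the format is a constant, so a
 * '%' inside msg is copied literally instead of being interpreted. */
static int log_message(const char *msg)
{
    return news_log("%s", msg);
}

/* Build the "<msgid> sent to host, host" line with a bounded snprintf
 * instead of a chain of strcat calls; returns snprintf's result. */
static int build_sent_line(char *out, size_t outlen,
                           const char *msgid, const char *hosts)
{
    return snprintf(out, outlen, "%s sent to %s", msgid, hosts);
}

/* The check from the post: only strings that provably contain no '%'
 * could ever be safe as a first argument to log or logerr. */
static int contains_percent(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Accessor so a caller (or a test) can see what was logged. */
const char *last_logged(void)
{
    return last_log;
}

int main(void)
{
    char line[LOGBUF];

    /* Constructed sample: a legal Message-ID that happens to contain '%'. */
    build_sent_line(line, sizeof line, "<123%4d@example.invalid>", "epiwrl, frs");
    printf("percent in line: %d\n", contains_percent(line));
    log_message(line);
    printf("logged: %s\n", last_logged());
    return 0;
}
```

The point of the contrast is that news_log("%s", line) and news_log(line) compile identically; only the constant format keeps the '%' in the Message-ID from being read as a conversion specification.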