Closed Bug 229374 Opened 21 years ago Closed 20 years ago

more to do for bug #157644...

Categories

(MailNews Core :: Networking: POP, defect)

Product:
MailNews Core
Component:
Networking: POP
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.7final

People

(Reporter: sspitzer, Assigned: Bienvenu)

References

Details

(Keywords: fixed1.4.3, fixed1.7, Whiteboard: fixed-aviary1.0, [sg:fix])

Attachments

(1 file)

proposed fix
1.10 KB, patch
sspitzer
: review+
mscott
: superreview+
caillon
: approval1.4.3+
sspitzer
: approval1.7+
Details | Diff | Splinter Review 
more to do for bug #157644...

dan got email from zen-parse@gmx.net, pointing out that the fix for #157644
plugged one security hole, but not them all.

from the reporter:

the correct fix is to limit the number of messages to (MAXINT(sizeof(Pop3MsgInfo))

if an evil server sends a larger number of messages, we'll only allocate space
for 50k.  but if part way through the list, if the server introduces a message
that is < than the max but > 50k, we'll allocate more space.

SendUidl() doesn't bounds check on the 50k message limit.

the patch in bug #157644 assumes that message numbers are sequential.

I've got the complete email from zen-parse.
giving zen-parse (neuro@es.co.nz) access to this new bug.
As far as I can tell, this is our only open bug which would allow a remote
server to take control of a Mozilla session. 'twould be nice if we could fix it :-)
putting on the 1.7 radar to see if we can get a patch.
Flags: blocking1.7+
Attached patch proposed fixSplinter Review 

    
    

    
  
Comment on attachment 148899 [details] [diff] [review]
proposed fix

this was the fix I proposed all along...

        Attachment #148899 -
        Flags: superreview?(mscott)

        Attachment #148899 -
        Flags: review?(sspitzer)

    
  

        Attachment #148899 -
        Flags: superreview?(mscott) → superreview+

    
    

    
  
Comment on attachment 148899 [details] [diff] [review]
proposed fix

r/a=sspitzer

I'm not sure why we just didn't do what david suggested.

david, should we back out http://bugzilla.mozilla.org/show_bug.cgi?id=157644

        Attachment #148899 -
        Flags: review?(sspitzer)

        Attachment #148899 -
        Flags: review+

        Attachment #148899 -
        Flags: approval1.7+

    
    

    
  
yes, we should back it out, just to remove the unneeded code and simplify it.

    
    

    
  
Fix got approvals on 5/19, is it checked in?
Whiteboard: [sg:fix]

    
    

    
  
I think your patch is short a parentheses :)

    
  
Whiteboard: [sg:fix] → fixed-aviary1.0, [sg:fix]

    
    

    
  
fixed on branch, with added parenthesis
Keywords: fixed1.7

    
    

    
  
or not - new cvsisn't working for this tree...
Keywords: fixed1.7

    
    

    
  
cleaning up 1.7 bug lists -- is this bug ready to be marked fixed?

    
  
Keywords: fixed1.7

    
    

    
  
over to david who has the fix and is going to land on trunk (he already landed
on the branch).

I'll log a bug about backing out bug #157644.

note, if we need to test this we can use servterm
http://www.snapfiles.com/get/servterm.html to emulate an evil pop server.
Assignee: sspitzer → bienvenu

    
    

    
  
fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
    

    
  
backing out the fix for bug #157644 is covered by bug #245066
Target Milestone: --- → mozilla1.7final

    
    

    
  
Adding Jon Granrose to CC list to help round up QA resources for verification

    
    

    
  
adding karen to verify on the 1.7 branch

    
    

    
  
Comment on attachment 148899 [details] [diff] [review]
proposed fix

a=blizzard for 1.4.3

        Attachment #148899 -
        Flags: approval1.4.3+

    
    

    
  
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security

    
    

    
  
Since David mentioned that this bug need to be verified in the debugger, by
tweaking some values at runtime...
I had requested Seth to help for verifying this bug for 1.7....

    
    

    
  
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0757 to this issue.
Product: MailNews → Core
Product: Core → MailNews Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: