Bug 229374 - more to do for bug #157644...
Status: RESOLVED FIXED
Whiteboard: fixed-aviary1.0, [sg:fix]
Keywords: fixed1.4.3, fixed1.7
Product: MailNews Core
Classification: Components
Component: Networking: POP
Version: Trunk
Hardware: x86 Windows 2000
Priority/Severity: -- normal
Target Milestone: mozilla1.7final
Assigned To: David :Bienvenu
QA Contact: esther
Depends on: 157644
Blocks: 245066
Reported: 2003-12-24 21:45 PST by (not reading, please use seth@sspitzer.org instead)
Modified: 2009-01-22 10:17 PST
CC: 8 users
Flags: chofmann: blocking1.7+


Attachments
proposed fix (1.10 KB, patch) - 2004-05-19 17:48 PDT, David :Bienvenu
  sspitzer: review+
  mscott: superreview+
  caillon: approval1.4.3+
  sspitzer: approval1.7+

Description (not reading, please use seth@sspitzer.org instead) 2003-12-24 21:45:45 PST
more to do for bug #157644...

dan got email from zen-parse@gmx.net, pointing out that the fix for #157644
plugged one security hole, but not them all.

from the reporter:

the correct fix is to limit the number of messages to (MAXINT(sizeof(Pop3MsgInfo))

if an evil server sends a larger number of messages, we'll only allocate space
for 50k.  but if, part way through the list, the server introduces a message
that is < than the max but > 50k, we'll allocate more space.

SendUidl() doesn't bounds check on the 50k message limit.

the patch in bug #157644 assumes that message numbers are sequential.

I've got the complete email from zen-parse.
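The failure mode the report describes, a capped allocation that still trusts the message number on every LIST and UIDL line, as an added example in C. This is not the Mozilla code or the attached patch: MsgInfo, MsgList and the parse_* functions are hypothetical stand-ins for Pop3MsgInfo and the code that fills it, and the hostile-server lines in main() are constructed. The count is capped at MAXINT / sizeof(struct), as the reporter suggests, and every per-message line is checked against the count actually allocated rather than assumed to be sequential.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-message record standing in for Pop3MsgInfo; the real
 * struct's layout is an assumption and does not matter for the checks. */
typedef struct {
    uint32_t number;   /* message number as reported by the server */
    uint32_t size;     /* octet count from the LIST line */
    char     uidl[71]; /* RFC 1939 unique-id: 1..70 printable ASCII + NUL */
} MsgInfo;

typedef struct {
    MsgInfo *msgs;
    size_t   count;    /* entries actually allocated; every index is checked against this */
} MsgList;

/* The cap suggested in the report: MAXINT / sizeof(Pop3MsgInfo), so that
 * count * sizeof(MsgInfo) cannot wrap. Larger counts are refused outright. */
#define MAX_MSG_COUNT ((size_t)INT_MAX / sizeof(MsgInfo))

/* Parse a STAT reply "+OK <count> <octets>" into a bounded message count. */
int parse_stat(const char *line, size_t *count_out) {
    const char *p;
    char *end;
    unsigned long long n;
    if (strncmp(line, "+OK ", 4) != 0) return -1;
    p = line + 4;
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno != 0 || end == p || (*end != ' ' && *end != '\0')) return -1;
    if (n > MAX_MSG_COUNT) return -1;
    *count_out = (size_t)n;
    return 0;
}

/* Allocate exactly `count` entries; count has already been capped. */
int msglist_init(MsgList *list, size_t count) {
    if (count > MAX_MSG_COUNT) return -1;
    list->msgs = calloc(count, sizeof(MsgInfo));
    list->count = list->msgs ? count : 0;
    return (count == 0 || list->msgs) ? 0 : -1;
}

void msglist_free(MsgList *list) {
    free(list->msgs);
    list->msgs = NULL;
    list->count = 0;
}

/* Read the leading "<num> " of a LIST or UIDL line and convert it to a slot.
 * This is the check the first fix skipped: the number is validated against
 * what was allocated, not assumed sequential, so a server that says
 * "3 messages" and then sends "100000 16" is refused. */
static long parse_msg_number(const MsgList *list, const char *line, const char **rest) {
    char *end;
    unsigned long long num;
    errno = 0;
    num = strtoull(line, &end, 10);
    if (errno != 0 || end == line || *end != ' ') return -1;
    if (num == 0 || num > list->count) return -1;
    *rest = end + 1;
    return (long)(num - 1);
}

/* LIST scan line: "<num> <octets>" */
int parse_list_line(MsgList *list, const char *line) {
    const char *rest;
    char *end;
    unsigned long long size;
    long slot = parse_msg_number(list, line, &rest);
    if (slot < 0) return -1;
    errno = 0;
    size = strtoull(rest, &end, 10);
    if (errno != 0 || end == rest || *end != '\0' || size > UINT32_MAX) return -1;
    list->msgs[slot].number = (uint32_t)(slot + 1);
    list->msgs[slot].size = (uint32_t)size;
    return 0;
}

/* UIDL scan line: "<num> <unique-id>", id is 1..70 chars in 0x21..0x7E. */
int parse_uidl_line(MsgList *list, const char *line) {
    const char *rest;
    size_t len, i;
    long slot = parse_msg_number(list, line, &rest);
    if (slot < 0) return -1;
    len = strlen(rest);
    if (len == 0 || len > 70) return -1;
    for (i = 0; i < len; i++)
        if (rest[i] < 0x21 || rest[i] > 0x7E) return -1;
    memcpy(list->msgs[slot].uidl, rest, len + 1);
    list->msgs[slot].number = (uint32_t)(slot + 1);
    return 0;
}

int main(void) {
    /* Constructed transcript from a hostile server: STAT claims 3 messages,
     * LIST arrives out of order and then names a message far past the end. */
    static const char *const list_lines[] = { "1 512", "3 2048", "2 640", "100000 16" };
    MsgList list;
    size_t count, i;
    if (parse_stat("+OK 3 3200", &count) != 0 || msglist_init(&list, count) != 0) return 1;
    for (i = 0; i < sizeof list_lines / sizeof *list_lines; i++)
        printf("%-10s -> %s\n", list_lines[i],
               parse_list_line(&list, list_lines[i]) == 0 ? "accepted" : "rejected");
    msglist_free(&list);
    return 0;
}
```

Rejecting an over-cap count instead of clamping it keeps `count` equal to what was really allocated, which is what makes the per-line check sufficient; if a clamp is preferred (as the 50k limit in bug #157644 did), the per-line check must compare against the clamped value, never the number the server announced.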
Comment 1 (not reading, please use seth@sspitzer.org instead) 2003-12-24 21:47:18 PST
giving zen-parse (neuro@es.co.nz) access to this new bug.
Comment 2 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2004-02-11 13:09:27 PST
As far as I can tell, this is our only open bug which would allow a remote
server to take control of a Mozilla session. 'twould be nice if we could fix it :-)
Comment 3 chris hofmann 2004-05-19 14:32:01 PDT
putting on the 1.7 radar to see if we can get a patch.
Comment 4 David :Bienvenu 2004-05-19 17:48:11 PDT
Created attachment 148899 [details] [diff] [review]
proposed fix
Comment 5 David :Bienvenu 2004-05-19 17:50:03 PDT
Comment on attachment 148899 [details] [diff] [review]
proposed fix

this was the fix I proposed all along...
Comment 6 (not reading, please use seth@sspitzer.org instead) 2004-05-19 19:46:09 PDT
Comment on attachment 148899 [details] [diff] [review]
proposed fix

r/a=sspitzer

I'm not sure why we just didn't do what david suggested.

david, should we back out http://bugzilla.mozilla.org/show_bug.cgi?id=157644
Comment 7 David :Bienvenu 2004-05-19 20:02:05 PDT
yes, we should back it out, just to remove the unneeded code and simplify it.
Comment 8 Daniel Veditz [:dveditz] 2004-05-26 15:01:19 PDT
Fix got approvals on 5/19, is it checked in?
Comment 9 Scott MacGregor 2004-05-26 15:50:06 PDT
I think your patch is short a parentheses :)
Comment 10 David :Bienvenu 2004-05-26 17:24:58 PDT
fixed on branch, with added parenthesis
Comment 11 David :Bienvenu 2004-05-26 17:37:39 PDT
or not - new cvs isn't working for this tree...
Comment 12 chris hofmann 2004-05-27 07:12:04 PDT
cleaning up 1.7 bug lists -- is this bug ready to be marked fixed?
Comment 13 (not reading, please use seth@sspitzer.org instead) 2004-05-29 17:04:53 PDT
over to david who has the fix and is going to land on trunk (he already landed
on the branch).

I'll log a bug about backing out bug #157644.

note, if we need to test this we can use servterm
http://www.snapfiles.com/get/servterm.html to emulate an evil pop server.
Comment 14 David :Bienvenu 2004-05-29 17:08:59 PDT
fixed on trunk.
Comment 15 (not reading, please use seth@sspitzer.org instead) 2004-05-29 17:27:25 PDT
backing out the fix for bug #157644 is covered by bug #245066
Comment 16 Daniel Veditz [:dveditz] 2004-06-17 13:36:39 PDT
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment 17 Jon Granrose 2004-06-18 09:29:55 PDT
adding karen to verify on the 1.7 branch
Comment 18 Christopher Aillon (sabbatical, not receiving bugmail) 2004-07-12 17:19:17 PDT
Comment on attachment 148899 [details] [diff] [review]
proposed fix

a=blizzard for 1.4.3
Comment 19 Christopher Aillon (sabbatical, not receiving bugmail) 2004-07-12 17:22:33 PDT
And checked in.
Comment 20 Daniel Veditz [:dveditz] 2004-07-22 02:33:51 PDT
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Comment 21 Karen Huang 2004-07-22 10:43:15 PDT
Since David mentioned that this bug need to be verified in the debugger, by
tweaking some values at runtime...
I had requested Seth to help for verifying this bug for 1.7....
Comment 22 Mark Cox 2004-08-03 00:45:32 PDT
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0757 to this issue.