more to do for bug #157644...

RESOLVED FIXED in mozilla1.7final

Status

MailNews Core
Networking: POP
RESOLVED FIXED
14 years ago
9 years ago

People

(Reporter: (not reading, please use seth@sspitzer.org instead), Assigned: Bienvenu)

Tracking

({fixed1.4.3, fixed1.7})

Trunk
mozilla1.7final
x86
Windows 2000
fixed1.4.3, fixed1.7
Dependency tree / graph
Bug Flags:
blocking1.7 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-aviary1.0, [sg:fix])

Attachments

(1 attachment)

1.10 KB, patch
(not reading, please use seth@sspitzer.org instead)
: review+
Scott MacGregor
: superreview+
Christopher Aillon (sabbatical, not receiving bugmail)
: approval1.4.3+
(not reading, please use seth@sspitzer.org instead)
: approval1.7+
dan got email from zen-parse@gmx.net, pointing out that the fix for #157644
plugged one security hole, but not them all.

from the reporter:

the correct fix is to limit the number of messages to (MAXINT(sizeof(Pop3MsgInfo))

if an evil server sends a larger number of messages, we'll only allocate space
for 50k.  but if, part way through the list, the server introduces a message
number that is < the max but > 50k, we'll allocate more space.

SendUidl() doesn't bounds check on the 50k message limit.

the patch in bug #157644 assumes that message numbers are sequential.
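The checks the description calls for, as an added C example (not the bug's patch or Mozilla's nsPop3Protocol code; MAX_MSGS, Pop3List and pop3_lookup are stand-ins for the 50k limit, the message array and the UIDL-stage lookup): each LIST entry must carry the next sequential message number and fit inside the fixed allocation, and later lookups are bounds-checked against what was actually stored rather than against what the server claimed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not Mozilla's nsPop3Protocol code. MAX_MSGS stands in
   for the 50k cap from the bug; Pop3MsgInfo is a simplified stand-in. */
#define MAX_MSGS 4

typedef struct { uint32_t msgnum; uint32_t size; } Pop3MsgInfo;
typedef struct {
    Pop3MsgInfo info[MAX_MSGS]; /* fixed allocation, never grown on demand */
    uint32_t count;             /* entries actually stored */
} Pop3List;

/* Parse one LIST line ("<msgnum> <size>"): 1 if stored, 0 if rejected.
   Rejected when the number is not the next sequential one (the earlier fix
   only assumed sequential numbering) or lies beyond the fixed allocation
   (where the original code grew the array instead). */
int pop3_list_add(Pop3List *l, const char *line)
{
    unsigned long num, size;
    if (sscanf(line, "%lu %lu", &num, &size) != 2) return 0;
    if (num != (unsigned long)l->count + 1) return 0; /* non-sequential */
    if (num > MAX_MSGS) return 0;                      /* outside allocation */
    l->info[l->count].msgnum = (uint32_t)num;
    l->info[l->count].size = (uint32_t)size;
    l->count++;
    return 1;
}

/* Bounds-checked lookup for the later UIDL/RETR stage: a message number with
   no stored entry yields NULL instead of an out-of-range access. */
const Pop3MsgInfo *pop3_lookup(const Pop3List *l, uint32_t msgnum)
{
    if (msgnum == 0 || msgnum > l->count) return NULL;
    return &l->info[msgnum - 1];
}

int main(void)
{
    /* Constructed response: third line jumps ahead, last line exceeds the cap. */
    const char *lines[] = { "1 120", "2 340", "7 99", "3 500", "4 10", "5 64" };
    Pop3List l = {0};
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-6s -> %s\n", lines[i],
               pop3_list_add(&l, lines[i]) ? "stored" : "rejected");
    printf("stored %u; lookup(5) %s\n", (unsigned)l.count,
           pop3_lookup(&l, 5) ? "found" : "rejected");
    return 0;
}
```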

I've got the complete email from zen-parse.
giving zen-parse (neuro@es.co.nz) access to this new bug.
As far as I can tell, this is our only open bug which would allow a remote
server to take control of a Mozilla session. 'twould be nice if we could fix it :-)

Comment 3

13 years ago
putting on the 1.7 radar to see if we can get a patch.
Flags: blocking1.7+
(Assignee)

Comment 4

13 years ago
Created attachment 148899 [details] [diff] [review]
proposed fix
(Assignee)

Comment 5

13 years ago
Comment on attachment 148899 [details] [diff] [review]
proposed fix

this was the fix I proposed all along...
Attachment #148899 - Flags: superreview?(mscott)
Attachment #148899 - Flags: review?(sspitzer)

Updated

13 years ago
Attachment #148899 - Flags: superreview?(mscott) → superreview+
Comment on attachment 148899 [details] [diff] [review]
proposed fix

r/a=sspitzer

I'm not sure why we just didn't do what david suggested.

david, should we back out http://bugzilla.mozilla.org/show_bug.cgi?id=157644
Attachment #148899 - Flags: review?(sspitzer)
Attachment #148899 - Flags: review+
Attachment #148899 - Flags: approval1.7+
(Assignee)

Comment 7

13 years ago
yes, we should back it out, just to remove the unneeded code and simplify it.
Fix got approvals on 5/19, is it checked in?
Whiteboard: [sg:fix]

Comment 9

13 years ago
I think your patch is short a parentheses :)

Updated

13 years ago
Whiteboard: [sg:fix] → fixed-aviary1.0, [sg:fix]
(Assignee)

Comment 10

13 years ago
fixed on branch, with added parenthesis
Keywords: fixed1.7
(Assignee)

Comment 11

13 years ago
or not - new cvs isn't working for this tree...
Keywords: fixed1.7

Comment 12

13 years ago
cleaning up 1.7 bug lists -- is this bug ready to be marked fixed?
(Assignee)

Updated

13 years ago
Keywords: fixed1.7
over to david who has the fix and is going to land on trunk (he already landed
on the branch).

I'll log a bug about backing out bug #157644.

note, if we need to test this we can use servterm
http://www.snapfiles.com/get/servterm.html to emulate an evil pop server.
Assignee: sspitzer → bienvenu
(Assignee)

Comment 14

13 years ago
fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Blocks: 245066
backing out the fix for bug #157644 is covered by bug #245066
Target Milestone: --- → mozilla1.7final
Adding Jon Granrose to CC list to help round up QA resources for verification

Comment 17

13 years ago
adding karen to verify on the 1.7 branch
Comment on attachment 148899 [details] [diff] [review]
proposed fix

a=blizzard for 1.4.3
Attachment #148899 - Flags: approval1.4.3+
And checked in.
Keywords: fixed1.4.3
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security

Comment 21

13 years ago
Since David mentioned that this bug needs to be verified in the debugger, by
tweaking some values at runtime...
I had requested Seth to help verify this bug for 1.7....

Comment 22

13 years ago
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0757 to this issue.
Product: MailNews → Core
Product: Core → MailNews Core