ssmtp dies with standardise() -- Buffer overflow

Bug #282424 reported by Brendan Boerner on 2008-10-12
This bug affects 1 person
Affects: ssmtp (Ubuntu)
Assigned to: Nicolas Valcarcel

Bug Description

Binary package hint: ssmtp

A line which begins with a period ('.') and is BUF_SZ - 1 (e.g. 2047) or longer in length (not counting \n) will die() with:

ssmtp: standardise() -- Buffer overflow

This is a specific case. The general case is that any buffer passed into standardise() which begins with a period and is BUF_SZ - 1 bytes in length will produce this error.

I think the fix is to call fgets() with sizeof(buf) - 2 instead of sizeof(buf) in ssmtp().

With this fix, another problem is that in the sent e-mail the line is truncated by two bytes. The fix is to use (BUF_SZ) in smtp_write() instead of (BUF_SZ - 2).

Index: ssmtp.c
--- ssmtp.c (revision 57)
+++ ssmtp.c (working copy)
@@ -1361,7 +1361,7 @@
  ssize_t outbytes = 0;

  va_start(ap, format);
- if(vsnprintf(buf, (BUF_SZ - 2), format, ap) == -1) {
+ if(vsnprintf(buf, BUF_SZ, format, ap) == -1) {
   die("smtp_write() -- vsnprintf() failed");
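Review bot: raising the vsnprintf() limit from BUF_SZ - 2 to BUF_SZ removes the two bytes of headroom the original reserved, and the hunk shows neither the declared size of buf nor what smtp_write() appends after formatting (an SMTP line ends in CRLF, so something almost certainly is); unless buf is at least BUF_SZ bytes plus room for whatever is appended, this trades the die() in standardise() for a silent write past the end of buf, so confirm the declaration of buf before taking it. On the same line, vsnprintf() returns the length the output would have had, so `== -1` only catches encoding errors and a truncated line passes silently; compare the return value against the size instead (`>= BUF_SZ`) and fail or flag truncation there, which is what the report's "truncated by two bytes" observation actually points at.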
@@ -1628,7 +1628,7 @@

  /* don't hang forever when reading from stdin */
  while(!feof(stdin) && timeout < MEDWAIT) {
- if (!fgets(buf, sizeof(buf), stdin)) {
+ if (!fgets(buf, sizeof(buf)-2, stdin)) {
    /* if nothing was received, then no transmission
     * over smtp should be done */
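Review bot: `sizeof(buf)-2` is an unexplained magic number; the reason (fgets() already reserves the NUL, and standardise() needs one spare byte for the stuffed leading dot) belongs in a comment, and by that arithmetic `sizeof(buf)-1` already provides the spare byte, so the second byte should be justified or dropped. Note also what this buys: fgets() does not reject an over-long line, it returns the first limit-1 characters and leaves the remainder for the next call, so a line longer than the limit is silently split into two SMTP lines instead of being refused, and the second fragment is handed to the rest of the loop as if it were a line of its own. If lines that long are not expected, it is cleaner to check for the missing '\n' after fgets() and reject or wrap explicitly.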

I mislabeled test_cast.001. The correct description should be:

Demonstrate that a line which is BUF_SZ - 1 in length (not counting \n) beginning with a period will die().
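The path the report describes, as an added example that is neither ssmtp's code nor the reporter's: a line is read with fgets() into a BUF_SZ buffer, dot-stuffed in place (which needs one spare byte), and then written out with a CRLF terminator. It reproduces the 2047-character case under both fgets() limits from the report and goes one step further by showing the writer side with a truncation check that does not rely on vsnprintf() returning -1. Assumptions: BUF_SZ = 2048 (taken from the report's "e.g. 2047" being BUF_SZ - 1), the function names dot_stuff(), dotted_line(), run_case(), smtp_line() and run_write() are the example's own, the input lines are constructed, and tmpfile() needs a writable temp directory.

```c
/* Added example, not ssmtp's or the reporter's code. It models the path the
 * report describes: fgets() into a BUF_SZ buffer, in-place dot-stuffing that
 * needs one spare byte, then a CRLF-terminated write. BUF_SZ = 2048 is
 * assumed from the report's "e.g. 2047" (= BUF_SZ - 1); function names are
 * the example's own. */
#include <stdio.h>
#include <string.h>

#define BUF_SZ 2048

enum { STUFF_OK = 0, STUFF_NO_ROOM = -1, STUFF_EOF = -2 };

/* In-place SMTP dot-stuffing (RFC 5321, 4.5.2): a data line starting with
 * '.' gets a second '.' so the receiver cannot mistake it for the
 * end-of-data marker. Strips a trailing '\n'. A full buffer is reported to
 * the caller instead of aborting; it is ssmtp's "standardise() -- Buffer
 * overflow" condition. */
static int dot_stuff(char *line, size_t cap)
{
    char *nl = strchr(line, '\n');
    if (nl)
        *nl = '\0';
    if (line[0] != '.')
        return STUFF_OK;
    size_t len = strlen(line);
    if (len + 1 >= cap)               /* len + 1 chars plus NUL must fit */
        return STUFF_NO_ROOM;
    memmove(line + 1, line, len + 1); /* moves the NUL as well */
    line[0] = '.';
    return STUFF_OK;
}

/* Constructed input: n characters beginning with '.', then '\n', in a
 * temporary FILE so the real fgets() limit semantics apply. */
static FILE *dotted_line(size_t n)
{
    static char text[BUF_SZ * 2];
    FILE *fp;
    if (n + 1 >= sizeof text || !(fp = tmpfile()))
        return NULL;
    memset(text, 'x', n);
    text[0] = '.';
    text[n] = '\n';
    (void)fwrite(text, 1, n + 1, fp);
    rewind(fp);
    return fp;
}

/* Read a dotted line of line_len chars with the given fgets() limit into a
 * BUF_SZ buffer and dot-stuff it. limit == BUF_SZ is the original
 * fgets(buf, sizeof(buf)); limit == BUF_SZ - 2 is the report's proposal.
 * Returns the stuffed length, or a negative STUFF_* code. */
int run_case(size_t line_len, size_t limit)
{
    char buf[BUF_SZ];
    FILE *fp = dotted_line(line_len);
    if (!fp)
        return STUFF_EOF;
    int rc = fgets(buf, (int)limit, fp) ? dot_stuff(buf, sizeof buf) : STUFF_EOF;
    fclose(fp);
    return rc == STUFF_OK ? (int)strlen(buf) : rc;
}

/* Emit payload + CRLF into out. The format limit keeps two bytes for "\r\n"
 * and the snprintf() return value is checked against that limit, so an
 * over-long payload is refused instead of silently trimmed or written past
 * the buffer. Returns the bytes placed in out, or -1. */
static int smtp_line(char *out, size_t cap, const char *payload)
{
    if (cap < 3)
        return -1;
    int n = snprintf(out, cap - 2, "%s", payload);
    if (n < 0 || (size_t)n >= cap - 2)   /* "== -1" alone misses truncation */
        return -1;
    memcpy(out + n, "\r\n", 3);          /* CRLF plus the terminating NUL */
    return n + 2;
}

/* Format payload_len bytes into a BUF_SZ + 1 output buffer: the longest
 * stuffed line run_case() can yield (BUF_SZ - 2 chars) plus CRLF and NUL. */
int run_write(size_t payload_len)
{
    static char payload[BUF_SZ * 2];
    char out[BUF_SZ + 1];
    if (payload_len >= sizeof payload)
        return -1;
    memset(payload, 'y', payload_len);
    payload[payload_len] = '\0';
    return smtp_line(out, sizeof out, payload);
}

int main(void)
{
    printf("2047-char dotted line: fgets limit %d -> %d, limit %d -> %d\n",
           BUF_SZ, run_case(BUF_SZ - 1, BUF_SZ),
           BUF_SZ - 2, run_case(BUF_SZ - 1, BUF_SZ - 2));
    printf("CRLF write: %d-char payload -> %d, %d-char payload -> %d\n",
           BUF_SZ - 2, run_write(BUF_SZ - 2), BUF_SZ - 1, run_write(BUF_SZ - 1));
    return 0;
}
```

With the original limit a 2047-character dotted line fills the buffer and dot_stuff() has no room for the extra dot (STUFF_NO_ROOM, where ssmtp calls die()); a 2046-character line still fits, which is the boundary the report gives. With the limit lowered by two, fgets() hands back 2045 characters, the stuffed line is 2046 bytes, and it is the caller's job to notice that the rest of the input line will arrive as a separate line on the next fgets() call. On the write side, reserving two bytes in the format limit is what makes the appended CRLF safe, and checking the return value rather than only -1 is what turns a silently shortened line into a reportable error.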

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ssmtp - 2.62-1ubuntu3

ssmtp (2.62-1ubuntu3) intrepid; urgency=low

  * SECURITY UPDATE: allow remote attackers to obtain sensitive
    information (LP: #278978)
  * debian/patches/02-CVE-2008-3962: adjust in ssmtp.c to fix
    uninitialized memory disclosure.
  * SECURITY UPDATE: Buffer overflow (LP: #282424)
  * debian/patches/03_fix_buffer_overflow: adjust ssmtp.c to fix
    a buffer overflow by using 2 bytes in length instead of one in the buffer.
  * References:

 -- Stefan Ebner <email address hidden> Tue, 07 Oct 2008 16:22:39 +0200

Changed in ssmtp:
status: New → Fix Released

The fix for does not address this bug.

Changed in ssmtp:
status: Fix Released → Incomplete
Kees Cook (kees) wrote :

Published in the -security pocket now.

Changed in ssmtp:
assignee: nobody → nvalcarcel
status: Incomplete → Fix Released