Subject: pkg/8371: a free'd ndbm memory reference in the qpopper's APOP code
To: None <>
From: None <>
List: netbsd-bugs
Date: 09/10/1999 20:54:49
>Number:         8371
>Category:       pkg
>Synopsis:       a free'd ndbm memory reference in the qpopper's APOP code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager (NetBSD software packages system bug manager)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 10 18:20:00 1999
>Originator:     Kawamoto Yosihisa
>Release:        1999/9/9
	note pc(SONY VAIO PCG-505RX)
System: NetBSD 1.4K NetBSD 1.4K (RERUN) #216: Wed Sep 8 20:51:08 JST 1999 i386

	  In the package qpopper-2.53, there may be a free'd memory
	reference in the APOP code.
	  The dbm_fetch'ed string is unavailable after dbm_close,
	so APOP authorizations always fail with a false string.
	  Just install the qpopper-2.53 package and use an APOP
	  Apply the following patch.  This code is safe because the
	function obscure() duplicates an argument string before dbm_close.

--- pop_apop.c-	Fri Jul 10 08:44:07 1998
+++ pop_apop.c	Sat Sep 11 09:09:30 1999
@@ -178,6 +178,8 @@
 	dbm_close (db);
 	return(pop_auth_fail(p, POP_FAILURE, "not authorized"));
+    } else {
+	ddatum.dptr = obscure(ddatum.dptr);
 #ifdef GDBM
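Review bot: the added `ddatum.dptr = obscure(ddatum.dptr);` overwrites the datum's pointer with a copy whose ownership is not handled anywhere in the visible lines, and the return value is used without a NULL check. If obscure() returns allocated memory, as the description implies by saying it duplicates its argument, the copy of the user's APOP secret is never cleared or freed. Suggest keeping the copy in a separate local (for example `char *secret = obscure(ddatum.dptr);`), failing the authentication when it is NULL, and clearing and freeing it once the digest has been computed.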
@@ -189,7 +191,7 @@
     MD5Update(&mdContext, (unsigned char *)p->md5str, strlen(p->md5str));
-    MD5Update(&mdContext, (unsigned char *)obscure(ddatum.dptr), (ddatum.dsize - 1));
+    MD5Update(&mdContext, (unsigned char *)ddatum.dptr, (ddatum.dsize - 1));
     MD5Final(digest, &mdContext);
     cp = buffer;
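Review bot: in the changed MD5Update call the data now comes from the copy made by obscure(), but the length is still `ddatum.dsize - 1` taken from the database record, and nothing in the visible lines checks that dsize is at least 1 or that the copy is that long. A record with a dsize of 0 would pass a length of -1, which becomes a very large value if MD5Update takes an unsigned length. Suggest validating dsize before the subtraction and deriving the length from the same buffer that is being hashed.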
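The lifetime problem the report describes, as an added example that is not part of the original report or of qpopper. It uses a toy in-memory stand-in for the ndbm handle (toy_db, toy_fetch, toy_close and the helper names are all hypothetical, and the secret in the test is a constructed sample) to show that a fetched pointer belongs to the handle and that the record has to be copied out before the close.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an ndbm handle (hypothetical, not the real DBM type):
 * fetched records point into a buffer owned by the handle. */
typedef struct { char *dptr; size_t dsize; } toy_datum;
typedef struct { char page[64]; size_t used; int open; } toy_db;

static void toy_open(toy_db *db, const char *secret) {
    size_t n = strlen(secret);
    if (n >= sizeof db->page) n = sizeof db->page - 1;
    memset(db, 0, sizeof *db);
    memcpy(db->page, secret, n);            /* page[n] is already NUL */
    db->used = n + 1;                       /* stored with trailing NUL */
    db->open = 1;
}
/* Like dbm_fetch: returns a pointer into storage owned by the handle. */
static toy_datum toy_fetch(toy_db *db) {
    toy_datum d = { NULL, 0 };
    if (db->open) { d.dptr = db->page; d.dsize = db->used; }
    return d;
}
/* Like dbm_close: the handle's storage is invalid afterwards. It is
 * overwritten here instead of freed so the effect can be observed safely. */
static void toy_close(toy_db *db) {
    memset(db->page, 0xDD, sizeof db->page);
    db->open = 0;
}
/* Order from the report: close first, then use the fetched pointer.
 * Returns 1 if the stale pointer still holds the secret. */
static int stale_pointer_still_valid(const char *secret) {
    toy_db db;
    toy_open(&db, secret);
    toy_datum d = toy_fetch(&db);
    toy_close(&db);
    return memcmp(d.dptr, secret, d.dsize) == 0;
}
/* Safe order: take an owned copy while the handle is open, then close.
 * Returns NULL on a missing or empty record or on allocation failure. */
static char *fetch_secret_copy(toy_db *db, size_t *len_out) {
    toy_datum d = toy_fetch(db);
    char *copy = NULL;
    if (d.dptr != NULL && d.dsize > 0 && (copy = malloc(d.dsize)) != NULL) {
        memcpy(copy, d.dptr, d.dsize);
        *len_out = d.dsize - 1;             /* length without the NUL */
    }
    toy_close(db);
    return copy;
}
/* The caller clears and releases the copy once it has been hashed. */
static void release_secret(char *s, size_t len) {
    if (s != NULL) { memset(s, 0, len); free(s); }
}
```

In production code the final clearing step would use a call the compiler cannot optimise away, such as explicit_bzero where the platform provides it.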