Subject: pkg/8371: a free'd ndbm memory reference in the qpopper's APOP code
To: None <gnats-bugs@gnats.netbsd.org>
From: None <kawamoto@tenjin.org>
List: netbsd-bugs
Date: 09/10/1999 20:54:49
>Number: 8371
>Category: pkg
>Synopsis: a free'd ndbm memory reference in the qpopper's APOP code
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager (NetBSD software packages system bug manager)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 10 18:20:00 1999
>Last-Modified:
>Originator: Kawamoto Yosihisa
>Organization:
tenjin.org
>Release: 1999/9/9
>Environment:
note pc(SONY VAIO PCG-505RX)
System: NetBSD rerun.tenjin.org 1.4K NetBSD 1.4K (RERUN) #216: Wed Sep 8 20:51:08 JST 1999 kawamoto@rerun.tenjin.org:/usr/src/sys/arch/i386/compile/RERUN i386
>Description:
In the package qpopper-2.53, there may be a free'd memory
reference in the APOP code.
The dbm_fetch'ed string is unavailable after dbm_close,
so APOP authorizations always fail with a false string.
>How-To-Repeat:
Just install the qpopper-2.53 package and use APOP
authentication.
>Fix:
Apply the following patch. This code is safe because the
function obscure() duplicates the argument string before dbm_close.
--- pop_apop.c- Fri Jul 10 08:44:07 1998
+++ pop_apop.c Sat Sep 11 09:09:30 1999
@@ -178,6 +178,8 @@
dbm_close (db);
#endif
return(pop_auth_fail(p, POP_FAILURE, "not authorized"));
+ } else {
+ ddatum.dptr = obscure(ddatum.dptr);
}
#ifdef GDBM
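Review bot: the new else branch assigns the result of obscure() straight back to ddatum.dptr with no check on the return value and no indication of who owns the copy. Nothing in the visible lines frees it, so if obscure() allocates, each APOP attempt leaks one buffer; if it returns a static buffer, a comment should say so, because the fix depends on that copy outliving dbm_close. Consider holding the copy in a separate local pointer rather than overwriting the datum field, and on a NULL result return pop_auth_fail() the same way the branch above does. That also keeps ddatum.dsize from describing a buffer that ddatum.dptr no longer points to.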
@@ -189,7 +191,7 @@
MD5Init(&mdContext);
MD5Update(&mdContext, (unsigned char *)p->md5str, strlen(p->md5str));
- MD5Update(&mdContext, (unsigned char *)obscure(ddatum.dptr), (ddatum.dsize - 1));
+ MD5Update(&mdContext, (unsigned char *)ddatum.dptr, (ddatum.dsize - 1));
MD5Final(digest, &mdContext);
cp = buffer;
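Review bot: in the changed MD5Update call the length is still (ddatum.dsize - 1), the size of the fetched record, while the data pointer is now the obscure() copy made in the previous hunk. That is only right if the copy is at least as long as the stored record and the record ends in exactly one NUL; a record without a terminator, or one with dsize of 0, gives a length that does not match the copy. The same expression is on the removed line, so this is pre-existing, but since the patch changes which buffer is hashed, this is the place to validate dsize after the fetch and take the length from the copied string, or to document the invariant next to the call.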
>Audit-Trail:
>Unformatted: