On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
>
> Well, because of the error message that it prints, and because of
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function). I've been taught that this
> signifies not being exploitable, but I may be wrong.

In my quick test with 2.7-50 from sid, it's the safety checks in
_int_free() that abort the process.

> What do the others in the Debian Security Audit Project think about
> this?

| From: <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Subject: metamail crash bug
|
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| [EMAIL PROTECTED]:~$

This may in fact be exploitable. The error indicates that a malloc chunk
header has been corrupted. Depending on the exact circumstances - the
version of glibc and the order of memory allocations/frees in metamail -
this may (or may not) be possible to use for writing to arbitrary memory
locations.

Without having looked at it in detail, I would consider this bug
exploitable unless it's proven not to be.

cheers,
Max
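As an added illustration (not part of this thread, of metamail, or of glibc's own code) of the corrupted-header condition behind the "invalid next size" abort: a constructed model of the `_int_free()` next-size plausibility check on a 32-bit glibc of the period, with an assumed chunk layout, constants and heap buffer, showing which overrun lengths the check does and does not catch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a 32-bit glibc malloc chunk of the period (assumed layout): an
 * 8-byte header holding prev_size and size, with the low 3 bits of size used
 * as flag bits. HEAP_BYTES stands in for av->system_mem in the real check. */
#define SIZE_SZ    4u
#define SIZE_BITS  7u
#define HEAP_BYTES 4096u

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* Mirrors the plausibility check in _int_free() behind the message quoted in
 * the report: the size field of the chunk following the one being freed must
 * exceed the minimum and stay below the arena size. Returns 1 where glibc would
 * abort with "free(): invalid next size", 0 where the header passes. */
static int next_size_invalid(const uint8_t *heap, size_t off)
{
    uint32_t size      = rd32(heap + off + SIZE_SZ) & ~SIZE_BITS;
    uint32_t next_raw  = rd32(heap + off + size + SIZE_SZ);
    uint32_t next_size = next_raw & ~SIZE_BITS;
    return next_raw <= 2 * SIZE_SZ || next_size >= HEAP_BYTES;
}

/* Constructed heap: two adjacent in-use 24-byte chunks, A at offset 0 and B at
 * offset 24. A's usable region is 20 bytes (its own 16 plus B's prev_size
 * field, which glibc lends to an in-use neighbour), so the 21st byte written
 * lands on B's size field. Copy n bytes of 'A' into A and report whether
 * freeing A would now trip the check. */
static int simulate_overflow(size_t n)
{
    _Alignas(8) uint8_t heap[HEAP_BYTES];
    memset(heap, 0, sizeof heap);
    wr32(heap + 4,  24 | 1);            /* chunk A: size 24, PREV_INUSE set */
    wr32(heap + 28, 24 | 1);            /* chunk B: size 24, PREV_INUSE set */
    if (n > HEAP_BYTES - 8) n = HEAP_BYTES - 8;
    memset(heap + 8, 'A', n);           /* the (possibly overlong) copy */
    return next_size_invalid(heap, 0);
}

int main(void)
{
    printf("20 bytes, in bounds:        %d\n", simulate_overflow(20));
    printf("21 bytes, one-byte overrun: %d\n", simulate_overflow(21));
    printf("28 bytes, header smashed:   %d\n", simulate_overflow(28));
    return 0;
}
```

On a little-endian host the 21-byte case still passes, because a single 'A' byte turns B's size into 64, a perfectly plausible value; the check catches gross corruption, not every overrun, which is why the absence of an abort is no evidence that the header is intact.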