Stefan Fritsch wrote:
> Package: popfile
> Severity: grave
> Tags: security
> 
> Cite:
> POPFile before 0.22.4 allows remote attackers to cause a denial of
> service (application crash) via unspecified vectors involving
> character sets within e-mail messages.
> 
> see also
> http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4
> 
> Please quote the CVE number in the Changelog

It seems that the relevant fix is what I'm attaching to this mail.

Regards,

        Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
--- popfile-0.22.3/Classifier/MailParse.pm      2005-09-26 05:41:32.000000000 
+0200
+++ popfile-0.22.4/Classifier/MailParse.pm      2006-02-16 12:36:16.000000000 
+0100
@@ -1638,6 +1637,7 @@ sub parse_line
                     }
                 }
                 $line = decode_qp( $line );
+                $line =~ s/\x00/NUL/g;
             }
 
             # Decode \x??
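Review bot: The added `$line =~ s/\x00/NUL/g;` in parse_line carries no comment, and it sits only inside the branch that calls decode_qp, so it is not clear from the hunk why NUL bytes are rewritten or whether other decode paths need the same treatment. Please add a one-line comment stating that quoted-printable input such as `=00` decodes to a raw \x00 and why that byte must not reach the later processing, and confirm that any other decoder feeding $line cannot produce \x00 as well. Note also that the replacement inserts the literal three characters "NUL" into the text, which then becomes indistinguishable from a message that really contains that word; deleting the byte or mapping it to a space would avoid adding a token that was never in the mail.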
@@ -1889,7 +1889,8 @@ sub decode_string
             elsif ($encoding eq "Q" || $encoding eq "q") {
                 $value =~ s/\_/=20/g;
                 $value = decode_qp( $value );
-    
+                $value =~ s/\x00/NUL/g;
+
                 # for Japanese header
                 if ($lang eq 'Nihongo') {
                     $value = convert_encoding( $value, $charset, 'euc-jp', 
'7bit-jis', @{$encoding_candidates{$self->{lang__}}} );
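Review bot: In decode_string the NUL substitution is added only in the `"Q" || "q"` branch, but the `elsif` shows there is an earlier branch for another encoding (RFC 2047 also defines the B encoding), and its decoded $value would reach the same convert_encoding call without being filtered. Please check whether that branch can yield \x00 and, if so, apply the same substitution there or move it to a point after all branches have decoded. Since this is the same regex as the one added in parse_line, a small shared helper with a comment explaining the reason would keep the two sites from drifting apart.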
