jbuck@epimass.EPI.COM (Joe Buck) (12/14/87)
In article <3618@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>pep@princeton.Princeton.EDU (Pat Parseghian) wrote:
>> - The offending articles are the only ones in my history file with a "%" in a
>> Message-ID.
>> - One of the articles (<INFO-M2%87120818260493@UCF1VM>) has a References line
>> that is not a valid Message-ID (to the best of my understanding).
>
>It occurs to me that if somehow a string like this was passed to "printf"
>or maybe "scanf", the big number after the % might cause havoc, like an
>attempt to malloc() a large amount of memory.

With John's posting as a clue, I looked for unprotected printf calls, and I
believe I've found it. In the broadcast function in file ifuncs.c, there
appears the call

	log (sentbuf);

"sentbuf" is a string formed by strcat calls; the result is a line in your
/usr/lib/news/log file like

	Dec 13 13:08 ucat <2224@dasys1.UUCP> sent to epiwrl, frs, csi

The first argument to "log" is a printf format string. It contains the
message-ID. So any message-ID with a % is potentially fatal to inews.

Solution: change this call, and any others, to never give a first argument
to log or logerr unless it's certain there's no % in it.

Meanwhile, it might be a good idea for those people whose message IDs contain
a % to change them, since it'll take a while to get this bug fixed everywhere.
This is even though it's a perfectly legal Message-ID according to the
standard.
-- 
- Joe Buck  {uunet,ucbvax,sun,decwrl,<smart-site>}!epimass.epi.com!jbuck
  Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
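The bug class Joe describes (a line assembled from a message-ID handed to a printf-style log routine as its format string) and the fix he proposes, as an added illustration that is not code from the news software or from the post. The `newslog` function is a hypothetical stand-in for the real `log()` that writes to stderr instead of /usr/lib/news/log; `build_sent_line` assembles the "sent to" line with snprintf rather than the strcat chain mentioned in the post; the sample message-IDs and site list are the ones quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the news software's log(): a printf-style logger
 * that writes to stderr. The format attribute lets gcc/clang flag a
 * non-literal format argument with -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
static void newslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* Assemble the "<msgid> sent to <sites>" line. snprintf is used instead of
 * the original strcat chain so the buffer cannot overrun; the return value
 * is the length the full line needs (snprintf semantics). */
int build_sent_line(char *buf, size_t len, const char *msgid, const char *sites)
{
    return snprintf(buf, len, "%s sent to %s", msgid, sites);
}

/* 1 if s contains a '%', i.e. printf would treat part of it as a conversion
 * specification. This is exactly the check the post proposes before letting
 * a string become the first argument of log() or logerr(). */
int has_conversion(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* 1 if the log line built for this message-ID would be unsafe to pass to
 * log() as a format string. */
int sent_line_needs_protection(const char *msgid, const char *sites)
{
    char line[256];
    build_sent_line(line, sizeof line, msgid, sites);
    return has_conversion(line);
}

/* BEFORE: the assembled line is the format string. Any '%' carried in from
 * the message-ID is interpreted by printf; with no matching arguments the
 * behaviour is undefined, which is the inews failure the post describes. */
static void log_sent_unsafe(const char *sentbuf)
{
    newslog(sentbuf);
}

/* AFTER: the format is a constant and sentbuf is passed as data, so a '%'
 * in the message-ID is printed literally and nothing is interpreted. */
static void log_sent_safe(const char *sentbuf)
{
    newslog("%s", sentbuf);
}

int main(void)
{
    char line[256];
    const char *sites = "epiwrl, frs, csi";   /* constructed, from the post */

    /* The offending message-ID from the thread. */
    build_sent_line(line, sizeof line, "<INFO-M2%87120818260493@UCF1VM>", sites);
    if (has_conversion(line))
        log_sent_safe(line);     /* line is logged intact, '%' and all */
    else
        log_sent_unsafe(line);   /* not reached for this message-ID */

    /* A '%'-free message-ID from the sample log line. */
    build_sent_line(line, sizeof line, "<2224@dasys1.UUCP>", sites);
    log_sent_safe(line);
    return 0;
}
```

The check in `has_conversion` only matters if the old call shape survives somewhere; the durable fix is the `"%s"` form, which is safe regardless of what the message-ID contains, and building with `-Wformat-security` on gcc or clang reports any remaining `newslog(sentbuf)`-style call at compile time.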