Re: [hypermail] Hypermail security

From: Peter C. McCluskey <pcm_at_rahul.net_at_hypermail-project.org>
Date: Tue, 13 Nov 2001 11:29:32 -0800 (PST)
Message-Id: <20011113192932.5EEC81D84_at_foxtrot.rahul.net>

 daniel_at_haxx.se (Daniel Stenberg) writes:
>On Mon, 12 Nov 2001, Franklin DeMatto wrote:
>> Has hypermail been audited for other security issues?
>
>Not explicitly, not to my knowledge at least.

 I doubt there has been any thorough security check. It appears to me that we have done a fairly good job of avoiding security problems, but I wouldn't bet large amounts of money on it, and would encourage people to check the code themselves.

>> Buffer overflows,
>
>A long time ago I did go through pretty much all the hypermail code and
>removed all the static buffer sizes of that time (with or without length
>checks). Before that, hypermail was ridden with lots of buffer overflow
>potentials. Of course, we might have missed some cases and we might have
>added new ones since.

 You did a good enough job that I can't think of any realistic buffer overflows that have been found since then (they were pretty common before), but you didn't come very close to removing all fixed-size buffers.  For example, the hashnumlookup routine has a buffer that would overflow on a machine where ints are more than 32 bits if someone could send 10**10 messages. But that appears to require several terabytes of mail, and hypermail isn't about to process that fast enough that it could go unnoticed.

>> and creation of local files with evil names (such as unwanted extensions)
>> or properties (such as double dots in paths or x-bit on) come to mind.
>
>Hm, yes. This might be possible. I can't recall off the top of my head how
>hypermail treats all file names passed to it in attachments etc.

 Attachment file names are filtered through the safe_filename routine, which ensures that only characters passing this test are allowed in those names:

        if ((*np >= 'a' && *np <= 'z') || (*np >= '0' && *np <= '9') ||
            (*np >= 'A' && *np <= 'Z') || (*np == '-') || (*np == '.') ||
            (*np == ':') || (*np == '_')) {

 So a filename with ".." in the middle is possible, but since it doesn't appear that a / or \ can be put near the dots, I haven't been able to find a way to exploit this.

 I believe that all files created by hypermail are chmod'ed to 0644 by default. Altering this would require something like write access to ~/.hmrc.

Peter McCluskey | Free Dmitry Sklyarov! http://www.freesklyarov.org/ http://www.rahul.net/pcm

Received on Tue 13 Nov 2001 09:34:47 PM GMT
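The whitelist test quoted in the reply above, as an added example written for this archive page and not code from hypermail itself. It applies that character test to an attachment name by substituting '_' for every byte that fails it (the post does not say what hypermail does with rejected bytes, so substitution is an assumption of this example), then checks the reply's argument that a ".." inside the result cannot traverse directories because no '/' or '\' can sit next to it. The function names filter_filename, safe_char and name_is_unsafe and the sample attachment names are this example's own, not hypermail's:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The character test quoted in the reply, applied to one byte. */
static int safe_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') || c == '-' || c == '.' ||
           c == ':' || c == '_';
}

/* Copy src into dst (capacity dstlen), substituting '_' for every byte
 * that fails safe_char. Substitution rather than deletion is an assumption
 * of this example. Truncates silently if src is longer than dstlen - 1.
 * Returns the number of bytes substituted. */
size_t filter_filename(const char *src, char *dst, size_t dstlen)
{
    size_t i, changed = 0;

    if (dstlen == 0)
        return 0;
    for (i = 0; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        if (safe_char(c)) {
            dst[i] = (char)c;
        } else {
            dst[i] = '_';
            changed++;
        }
    }
    dst[i] = '\0';
    return changed;
}

/* Returns 1 if a (filtered) name could still reach outside the archive
 * directory: it is empty, it contains a path separator, or it is exactly
 * "." or "..", which the whitelist lets through since it allows dots.
 * Returns 0 for names like "a..b" or "..foo", where the dots are just
 * part of the name and cannot act as a path component. */
int name_is_unsafe(const char *name)
{
    if (name[0] == '\0')
        return 1;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed hostile attachment names, not taken from real mail. */
    const char *samples[] = {
        "../../etc/passwd",
        "..\\..\\boot.ini",
        "report.pdf;rm -rf ~",
        "..",
        "a..b.txt",
    };
    char out[256];
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t changed = filter_filename(samples[n], out, sizeof out);
        printf("%-24s -> %-24s (%zu byte(s) replaced, %s)\n",
               samples[n], out, changed,
               name_is_unsafe(out) ? "still reject" : "ok");
    }
    return 0;
}
```

The whitelist alone turns "../../etc/passwd" into ".._.._etc_passwd", which is harmless, but it passes a bare "." or ".." unchanged; the extra name_is_unsafe check is this example's addition for that corner, since the post only argues about ".." in the middle of a name.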

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:12 AM GMT