Bug description: ---------------- The newsfetch package version 1.21 and (unofficial JRF's) 1.4 uses several insecure sscanf calls to read data out of a 501 byte buffer into a 100 byte buffer. These sscanf functions can be abused by malicious NNTP servers when sending large strings as a reply to a LIST request ( -l option ). Theoretically this issue can cause a security risk. However, I haven't been able to find an exploitable condition. Still it would be a good idea to patch this ;p Also note that the lack of sscanf result checking can easily cause newsfetch to crash when an uninitialized pointer is being used. For example, if the server banner doesn't start with a number (200) then newsfetch will crash immediately. Fix for the overflow: --------------------- niels@woof$ diff -u nntp.c.orig nntp.c --- nntp.c.orig Thu Jul 23 12:03:11 1998 +++ nntp.c Wed Jan 19 11:10:22 2005 @@ -140,7 +140,8 @@ else fprintf(rctmpfp,"%s",command_buf); } - items_read=sscanf(command_buf,"%s %d %d", group, &first_article, &max_article); + items_read=sscanf(command_buf,"%99s %d %d", group, &first_article, &max_article); + group[sizeof(group)-1] = '\0'; if(items_read < 2) return(0); return(items_read); @@ -334,12 +335,14 @@ if(!get_error2(command_buf)) exit(1); readNNTPdata(); - sscanf(command_buf,"%s",groupname); + sscanf(command_buf,"%99s",groupname); + groupname[sizeof(groupname)-1] = '\0'; while(command_buf[0] != '.' || command_buf[1] != 13 )/*|| command_buf[1] != 10)*/ { fprintf(stderr,"%s\n",groupname); readNNTPdata(); - sscanf(command_buf,"%s",groupname); + sscanf(command_buf,"%99s",groupname); + groupname[sizeof(groupname)-1] = '\0'; } exit(1);