Bug description:
----------------

An overflow exists in the socket_getline() function. This function reads a
string from the socket into a given array and is used by the
nntp_get_response() function. The problem code is:

    while (TRUE) {
        retval = read(sockfd, pi, 1);
        if(retval < 0) ui_socket_error(errno);
        read_count += retval;
        pi++;
        if (buffer[i] == '\n') break;
        i++;
    }

pi is a pointer that walks through the buffer one byte at a time, and data is
read into it until a '\n' is received. So to overflow the buffer one has to
provide a long string without newline characters.

Testing the overflow:
---------------------

Create a server:

    perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'| nc -v -l -p 119

Connect to it:

    newspost -s test -i localhost -f me@me.nl -n news.news /etc/hosts

Break the connection by ^C'ing the netcat and you will see that newspost
segfaults immediately.

Fix for the problem:
--------------------

A rather simple fix would be to apply the patch below. It does the job because
all buffers handed to the socket_getline() function are STRING_BUFSIZE big.

--- base/socket.c.orig	Tue Jan 18 11:08:02 2005
+++ base/socket.c	Tue Jan 18 11:10:08 2005
@@ -126,7 +126,7 @@
 	i = 0;
 	pi = buffer;
-	while (TRUE) {
+	while (read_count < STRING_BUFSIZE - 1) {
 		retval = read(sockfd, pi, 1);
 		if(retval < 0) ui_socket_error(errno);
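Review bot: the new bound `while (read_count < STRING_BUFSIZE - 1)` does not cover the end-of-stream case that the advisory's own test relies on (^C on the netcat): read_count is only advanced by retval, and when read() returns 0 retval is 0, yet the `pi++` and `i++` that follow in the loop body still run every iteration, so after the peer hangs up the loop never reaches the bound and keeps walking i and pi past the end of the buffer until buffer[i] happens to hold '\n' or the access faults. Bound on the bytes actually stored instead, e.g. `while (i < STRING_BUFSIZE - 1)`, and treat `retval == 0` as end of stream (break, or hand it to ui_socket_error) rather than continuing. It is also worth checking, in the lines after this hunk, that buffer is NUL-terminated when the loop exits on the bound instead of on '\n', since callers treat the result as a string.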
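As an added example, not code from the advisory or from newspost, here is a bounded line reader that fixes both the missing length check and the unhandled end-of-stream, exercised on a pipe with a constructed 2048-byte line of 'A' and no newline. STRING_BUFSIZE = 1024 and all function names here are assumptions of this example.

```c
/* Added example, not newspost's code: a bounded replacement for the
 * advisory's socket_getline() that stops on the buffer limit, on '\n'
 * and on EOF. STRING_BUFSIZE = 1024 is assumed; names are this example's own. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define STRING_BUFSIZE 1024           /* assumed value, see lead-in */
static char line[STRING_BUFSIZE];     /* destination buffer for the demo */
/* Store one line in buffer[bufsize]. Returns bytes stored ('\n' kept),
 * 0 on EOF with nothing read, -1 on error. Never writes past
 * buffer[bufsize - 1] and always NUL-terminates. */
ssize_t bounded_getline(int sockfd, char *buffer, size_t bufsize)
{
    size_t i = 0;                      /* bytes stored so far */
    while (i < bufsize - 1) {          /* bound on i, not on read_count */
        ssize_t retval = read(sockfd, buffer + i, 1);
        if (retval < 0) {
            if (errno == EINTR) continue;
            buffer[i] = '\0';
            return -1;
        }
        if (retval == 0) break;        /* EOF: the original loop spun here */
        i++;
        if (buffer[i - 1] == '\n') break;
    }
    buffer[i] = '\0';
    return (ssize_t)i;
}

/* Push a constructed payload through a pipe (stands in for the socket),
 * close the write end as ^C on netcat would, then read one line back. */
ssize_t feed_and_read(const char *payload, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t w = write(fds[1], payload, len);
    close(fds[1]);
    ssize_t n = (w == (ssize_t)len) ? bounded_getline(fds[0], line, sizeof line) : -1;
    close(fds[0]);
    return n;
}

/* The advisory's input: a long run of 'A' with no newline at all. */
ssize_t overlong_case(void)
{
    static char payload[2048];
    memset(payload, 'A', sizeof payload);
    return feed_and_read(payload, sizeof payload);
}
```

The overlong case stores exactly STRING_BUFSIZE - 1 bytes and a terminator; a normal NNTP reply line such as "200 ok\r\n" is returned intact, and a peer that closes without sending anything yields 0 instead of an endless loop.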