COMMAND

    BeroList

SYSTEMS AFFECTED

    BeroList 2.5.9

PROBLEM

    Matthias Andree found the following.  While it may or may not be
    prone to buffer overruns (it usually uses a calloc clone + strlen
    before sprintf, though Matthias did not check thoroughly), it
    virtually NEVER checks return codes, e.g. from fopen.

    To give just one example, look at the unsubscribe function in
    list.c, ll. 695ff: it assumes salloc succeeds (no check).  It opens
    a file assuming it is there (no check for list == 0 after the
    open) and assumes that file has at least one line (see the
    i<=members loop condition when the file is written back).  It then
    overwrites that file in place, without a backup.  Should the disk
    fill at that moment, the subscriber list is truncated or lost
    entirely.

    We don't see where it locks against multiple running instances to
    prevent them trashing each other's writes, so there is a race
    condition if more than one "list" command is active at the same
    time.  Should malloc fail (memory exhausted), berolist won't notice
    and will crash.  Should a file be temporarily inaccessible (file
    descriptors exhausted), berolist will crash.
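    As an added example (this is not BeroList's code and does not come
    from Matthias' report), here is how the unsubscribe path could be
    written to address the three points above: every library call is
    checked, the list is rewritten through a temporary file plus
    rename so that a full disk or exhausted descriptors leave the old
    list intact, and an fcntl lock on "<path>.lock" serialises
    concurrent instances.  The file names, the three sample addresses
    and the function names are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Take an exclusive fcntl lock on "<path>.lock" so concurrent `list` runs
   serialise instead of trashing each other's rewrite. Returns lock fd or -1. */
static int lock_list(const char *path) {
    char lockpath[4096];
    if (snprintf(lockpath, sizeof lockpath, "%s.lock", path) >= (int)sizeof lockpath) return -1;
    int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = 0, .l_len = 0 };
    if (fcntl(fd, F_SETLKW, &fl) != 0) { close(fd); return -1; }
    return fd;
}
static void unlock_list(int fd) { close(fd); }   /* closing the fd releases the fcntl lock */

/* Write members to a temp file beside path, fsync it, then rename over the
   original. Caller holds the lock. Any failure returns -1 and leaves the old
   list untouched, instead of the truncated list BeroList would leave behind. */
static int rewrite_list(const char *path, char *const *members, size_t count) {
    char tmppath[4096];
    if (snprintf(tmppath, sizeof tmppath, "%s.tmp.%ld", path, (long)getpid()) >= (int)sizeof tmppath) return -1;
    int fd = open(tmppath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    FILE *out = fdopen(fd, "w");
    if (!out) { close(fd); unlink(tmppath); return -1; }
    int ok = 1;
    for (size_t i = 0; ok && i < count; i++)
        if (fprintf(out, "%s\n", members[i]) < 0) ok = 0;   /* ENOSPC shows up here ... */
    if (ok && fflush(out) != 0) ok = 0;                       /* ... or here ... */
    if (ok && fsync(fd) != 0) ok = 0;                         /* ... or here, before rename */
    if (fclose(out) != 0) ok = 0;
    if (ok && rename(tmppath, path) != 0) ok = 0;             /* atomic replace */
    if (!ok) { unlink(tmppath); return -1; }
    return 0;
}

/* Remove every line equal to addr from the list at path. Returns the number of
   entries removed, or -1 on error (missing file, allocation or I/O failure). */
int unsubscribe(const char *path, const char *addr) {
    int lockfd = lock_list(path);
    if (lockfd < 0) return -1;
    char **keep = NULL; size_t nkeep = 0, cap = 0;
    int removed = 0, rc = -1;
    char line[1024];
    FILE *in = fopen(path, "r");
    if (!in) goto out;                          /* a missing list is an error, not "empty" */
    while (fgets(line, sizeof line, in)) {
        if (!strchr(line, '\n') && !feof(in)) goto out;   /* overlong line: refuse, don't split */
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, addr) == 0) { removed++; continue; }
        if (nkeep == cap) {
            size_t ncap = cap ? cap * 2 : 16;
            char **n = realloc(keep, ncap * sizeof *n);
            if (!n) goto out;                   /* allocation failure is checked, not assumed away */
            keep = n; cap = ncap;
        }
        size_t len = strlen(line) + 1;
        if (!(keep[nkeep] = malloc(len))) goto out;
        memcpy(keep[nkeep++], line, len);
    }
    if (ferror(in)) goto out;
    if (removed == 0 || rewrite_list(path, keep, nkeep) == 0) rc = removed;   /* nothing to write if unchanged */
out:
    if (in) fclose(in);
    for (size_t i = 0; i < nkeep; i++) free(keep[i]);
    free(keep);
    unlock_list(lockfd);
    return rc;
}

/* Constructed sample list for the demo (addresses are made up, not from the advisory). */
int write_sample_list(const char *path) {
    char *members[] = { "alice@example.org", "bob@example.org", "carol@example.org" };
    int lockfd = lock_list(path);
    if (lockfd < 0) return -1;
    int rc = rewrite_list(path, members, 3);
    unlock_list(lockfd);
    return rc;
}

/* Count newline-terminated entries in the list, or -1 if it cannot be read. */
int count_members(const char *path) {
    FILE *in = fopen(path, "r");
    if (!in) return -1;
    int n = 0, c;
    while ((c = fgetc(in)) != EOF) n += (c == '\n');
    if (ferror(in)) n = -1;
    fclose(in);
    return n;
}

int main(void) {
    const char *path = "/tmp/berolist_example.list";   /* assumed demo path */
    if (write_sample_list(path) != 0) { perror("write_sample_list"); return 1; }
    printf("removed %d, %d members left\n", unsubscribe(path, "bob@example.org"), count_members(path));
    return 0;
}
```

    The lock is taken before the list is read, not just before it is
    written, so two instances cannot both read the old list and then
    overwrite each other's result.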

    Look at list.c:831f:

        | 	pos=strstr(header,"\n\n")-header;
        | 	header[pos]='\0';

    It assumes there is no CR.  With CRLF line endings the separator is
    "\r\n\r\n", which "\n\n" never matches, so it cannot tell header
    from body.  Note also that the result of strstr is used without a
    NULL check: if no blank line is found at all, the subtraction is
    undefined and the write lands at a garbage offset.

    Check out the extract function in tool.c.  It does not deal with
    folded header lines (continuation lines starting with whitespace).
    It does not deal with multiple headers of the same type properly,
    but just takes the first one (that may be tolerable; we did not
    check).
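    As an added example covering both the header/body split in
    list.c:831f and the extract function in tool.c (this is not
    BeroList's code and not from the report), here is a header parser
    that accepts LF and CRLF line endings, never subtracts a NULL
    pointer, unfolds continuation lines, and lets the caller pick the
    n-th occurrence of a repeated header.  The sample message is
    constructed for the demo; the function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample message (not from the advisory): CRLF line endings, one
   folded Subject header, and two Received headers. */
const char SAMPLE_MESSAGE[] =
    "From: alice@example.org\r\n"
    "Subject: a long subject\r\n"
    "\tfolded onto a second line\r\n"
    "Received: from a.example.org\r\n"
    "Received: from b.example.org\r\n"
    "\r\n"
    "body text\r\n";

/* Offset of the body (first byte after the blank separator line), or -1 if the
   header is never terminated. Accepts "\n\n" and "\r\n\r\n", unlike the
   strstr(header, "\n\n") in list.c, and never subtracts a NULL pointer. */
long body_offset(const char *msg) {
    const char *p = msg;
    for (;;) {
        const char *eol = strchr(p, '\n');
        if (!eol) return -1;                          /* no blank line: no body */
        size_t len = (size_t)(eol - p);
        if (len > 0 && p[len - 1] == '\r') len--;     /* tolerate CR before LF */
        if (len == 0) return (long)(eol + 1 - msg);   /* blank line: body follows */
        p = eol + 1;
    }
}

/* Does this header line start with "<name>:" (case-insensitive)? */
static int name_matches(const char *line, size_t len, const char *name) {
    size_t n = strlen(name);
    if (len <= n || line[n] != ':') return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Shrink [*s, *e) to drop leading/trailing SP, HTAB and a trailing CR. */
static void trim(const char **s, const char **e) {
    while (*s < *e && (**s == ' ' || **s == '\t')) (*s)++;
    while (*e > *s && ((*e)[-1] == ' ' || (*e)[-1] == '\t' || (*e)[-1] == '\r')) (*e)--;
}

/* Bounded append; -1 if out cannot hold n more bytes plus the terminator. */
static int append(char *out, size_t outsz, size_t *pos, const char *s, size_t n) {
    if (*pos + n + 1 > outsz) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Copy the value of the `which`-th (0-based) occurrence of header `name` into
   out, unfolding continuation lines (those starting with SP or HTAB).
   Returns 1 if found, 0 if absent, -1 if out is too small. */
int extract_header(const char *msg, const char *name, int which, char *out, size_t outsz) {
    long hend = body_offset(msg);
    const char *p = msg, *end = msg + (hend < 0 ? (long)strlen(msg) : hend);
    int seen = 0;
    size_t pos = 0;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *next = eol ? eol + 1 : end, *vend = eol ? eol : end;
        if (name_matches(p, (size_t)(vend - p), name) && seen++ == which) {
            const char *v = p + strlen(name) + 1;
            trim(&v, &vend);
            if (append(out, outsz, &pos, v, (size_t)(vend - v)) < 0) return -1;
            /* unfold: following lines that begin with whitespace continue this field */
            for (p = next; p < end && (*p == ' ' || *p == '\t'); p = next) {
                eol = memchr(p, '\n', (size_t)(end - p));
                next = eol ? eol + 1 : end; v = p; vend = eol ? eol : end;
                trim(&v, &vend);
                if (append(out, outsz, &pos, " ", 1) < 0 ||
                    append(out, outsz, &pos, v, (size_t)(vend - v)) < 0) return -1;
            }
            return 1;
        }
        p = next;
    }
    return 0;
}

/* Convenience check: does extracting (name, which) yield exactly expected? */
int header_equals(const char *msg, const char *name, int which, const char *expected) {
    char buf[256];
    return extract_header(msg, name, which, buf, sizeof buf) == 1 && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[256], tiny[8];
    long off = body_offset(SAMPLE_MESSAGE);
    printf("body at offset %ld: %s", off, SAMPLE_MESSAGE + off);
    if (extract_header(SAMPLE_MESSAGE, "subject", 0, buf, sizeof buf) == 1) printf("Subject: %s\n", buf);
    if (extract_header(SAMPLE_MESSAGE, "received", 1, buf, sizeof buf) == 1) printf("2nd Received: %s\n", buf);
    printf("tiny buffer -> %d\n", extract_header(SAMPLE_MESSAGE, "subject", 0, tiny, sizeof tiny));
    return 0;
}
```

    Taking the n-th occurrence by index keeps the choice with the
    caller; for Received-style trace headers the order matters, and
    for headers that must be unique the caller can check that index 1
    is absent.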

    The coding quality in general suggests that the author has not
    known what he was doing.  It's a maintainability disaster.  Look
    for NT_SMTP_SERVER in list.c to get the idea: instead of deriving a
    single preprocessor directive or a const char delimiter[] once,
    there is an #ifdef for every single command.

    These should be reasons enough to NOT use BeroList 2.5.9.

SOLUTION

    The initial version was both the first piece of Linux (and general
    Unix) code and the first piece of C code the author wrote after
    converting from the Atari ST + Pascal + GFA-Basic world.  He was a
    newbie at that time, and the code shows it.

    The further releases were mostly hacks to keep it working for what
    he was using it for.

    If there will  be a further  version (uncertain at  this time), it
    will be a complete rewrite.