Hi.

During some testing, I came across a rather stupid and embarassing buffer
overflow in request.c in all Mathopd versions up to and including 1.5b13.
The problem is in the prepare_reply() function that allocates space for a
buffer on the stack that may be too small for whatever goes into it. This
can lead to crashes, or even system compromise. I am amazed that nobody
has spotted the problem before; obviously not many people are using this
software. :}

Anyway, I have patched things up now so that things should be ok.

Read the table below for any action that you must take if you run mathopd.
The table informs you, for each particular version, whether it is
vulnerable to remote exploits of this bug, and whether an upgrade exists,
and which one you should use.

Branch/Version   Status
---------------------------------------------------------------------
1.2 and older    Probably vulnerable, not supported
1.3 before pl8   Probably vulnerable, upgrade advised
1.3pl8           Patched, otherwise not supported (use 1.4p2 instead)
1.4 before p2    Definitely vulnerable, upgrade immediately to 1.4p2
1.4p2            Not vulnerable

BETA versions:

1.5 before b14   Vulnerable
1.5b14           Not vulnerable
---------------------------------------------------------------------

In short: all versions in the 1.3, 1.4 and current branch are fixed (at
least for this particular problem.) If you run 1.3 at this moment, you may
be all right, but it is probably wise to upgrade anyway. If you run 1.4
right now you are in trouble; please upgrade as soon as possible.

The patched versions are available for immediate download on the Mathopd
website.

Sorry about this. This has not been a good week.

Cheers
Michiel

Reply via email to