From tin at chmurka.net Fri Apr 10 22:28:54 2026 
From: tin at chmurka.net (Adam W.)
Date: Fri, 10 Apr 2026 22:28:54 +0200 (CEST)
Subject: [tin-bugs] tin 2.6.5 crashes when accessing article
Message-ID:

Hi,

tin 2.6.5 crashes with "realloc(): invalid next size" when accessing
one specific article.

System is amd64 (x86_64), Debian 13.4, kernel 6.12.74+deb13+1-amd64.
Console charset is utf-8.

Message-ID is:

Article is available for reading on my server: news.chmurka.net

It can be reproduced with:

tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros@falcon.lasek.waw.pl

Backtrace after rebuilding tin with -O0 -g:

#7  0x000055f3a33273ca in my_realloc1 (file=0x55f3a339a1c0 "./cook.c", line=203, p=0x55f3dad1d320, size=73) at ./memory.c:748
#8  0x000055f3a32f204a in expand_ctrl_chars (line=0x7ffda917b848, length=0x7ffda917b838, lcook_width=8) at ./cook.c:203
#9  0x000055f3a32f7422 in process_text_body_part (wrap_lines=1, in=0x55f3daa470f0, charset=0x55f3daa132c0 "iso-8859-2", part=0x55f3daa0b650, hide_inline_data=1) at ./cook.c:1871
#10 0x000055f3a32f8753 in cook_article (wrap_lines=1, artinfo=0x55f3a35c9ac0 , hide_inline_data=1, show_all_headers=0) at ./cook.c:2334
#11 0x000055f3a3368ca4 in art_open (wrap_lines=1, art=0x7fd6d52c2c40, group=0x7fd6d5bff300, artinfo=0x55f3a35c9ac0 , show_progress_meter=1, pmesg=0x55f3a33a7bf0 "Reading ('q' to quit)...") at ./rfc2046.c:2078
#12 0x000055f3a334a8e2 in load_article (new_respnum=57638, group=0x7fd6d5bff300) at ./page.c:1860
#13 0x000055f3a3346d8d in show_page (group=0x7fd6d5bff300, start_respnum=57638, threadnum=0x0) at ./page.c:347
#14 0x000055f3a337917d in show_article_by_msgid (messageid=0x0) at ./select.c:2270
#15 0x000055f3a3374ad5 in selection_page (start_groupnum=0, num_cmd_line_groups=0) at ./select.c:398
#16 0x000055f3a3321a6c in main (argc=5, argv=0x7ffda917cc08) at ./main.c:556

But I doubt it will be useful, as the heap is most likely corrupted by
something that happened before.

I ran it with valgrind, but it doesn't crash then, it properly shows the
article.
Here's the valgrind log -- might it be buffer_to_local() or
process_charsets()?

==15564== Memcheck, a memory error detector
==15564== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==15564== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
==15564== Command: ./tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros@falcon.lasek.waw.pl
==15564== Parent PID: 15223
==15564==
==15564== Invalid write of size 1
==15564==    at 0x484DE16: strcpy (vg_replace_strmem.c:564)
==15564==    by 0x186000: buffer_to_local (misc.c:2772)
==15564==    by 0x1861C9: process_charsets (misc.c:2871)
==15564==    by 0x14BB86: process_text_body_part (cook.c:1307)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564==    at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564==    by 0x14BB95: process_text_body_part (cook.c:1308)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564==    at 0x148491: expand_ctrl_chars (cook.c:177)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564== Invalid read of size 1
==15564==    at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564==    by 0x14BB95: process_text_body_part (cook.c:1308)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564== Invalid read of size 1
==15564==    at 0x148491: expand_ctrl_chars (cook.c:177)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== HEAP SUMMARY:
==15564==     in use at exit: 17,831 bytes in 25 blocks
==15564==   total heap usage: 1,390,172 allocs, 1,390,147 frees, 769,855,444 bytes allocated
==15564==
==15564== 19 bytes in 1 blocks are definitely lost in loss record 5 of 25
==15564==    at 0x4844818: malloc (vg_replace_malloc.c:446)
==15564==    by 0x17FE4B: my_malloc1 (memory.c:688)
==15564==    by 0x1D6061: my_strdup (string.c:149)
==15564==    by 0x1D1DB9: save_restore_curr_group (select.c:1144)
==15564==    by 0x1D407F: show_article_by_msgid (select.c:2161)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564== LEAK SUMMARY:
==15564==    definitely lost: 19 bytes in 1 blocks
==15564==    indirectly lost: 0 bytes in 0 blocks
==15564==      possibly lost: 0 bytes in 0 blocks
==15564==    still reachable: 17,812 bytes in 24 blocks
==15564==         suppressed: 0 bytes in 0 blocks
==15564== Reachable blocks (those to which a pointer was found) are not shown.
==15564== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15564==
==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
==15564==
==15564== 4 errors in context 1 of 6:
==15564== Invalid read of size 1
==15564==    at 0x148491: expand_ctrl_chars (cook.c:177)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== 4 errors in context 2 of 6:
==15564== Invalid read of size 1
==15564==    at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564==    by 0x14BB95: process_text_body_part (cook.c:1308)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x67fbf69 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1A5422: resize_article (page.c:2178)
==15564==    by 0x1D57F5: handle_resize (signal.c:310)
==15564==    by 0x1502F9: ReadCh (curses.c:1144)
==15564==    by 0x15EE7A: handle_keypad (global.c:364)
==15564==    by 0x1A0F29: show_page (page.c:354)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==
==15564==
==15564== 4 errors in context 3 of 6:
==15564== Invalid read of size 1
==15564==    at 0x148491: expand_ctrl_chars (cook.c:177)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564==
==15564== 4 errors in context 4 of 6:
==15564== Invalid read of size 1
==15564==    at 0x484DCF4: __strlen_sse2 (vg_replace_strmem.c:507)
==15564==    by 0x14BB95: process_text_body_part (cook.c:1308)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564==
==15564== 8 errors in context 5 of 6:
==15564== Invalid write of size 1
==15564==    at 0x484DE16: strcpy (vg_replace_strmem.c:564)
==15564==    by 0x186000: buffer_to_local (misc.c:2772)
==15564==    by 0x1861C9: process_charsets (misc.c:2871)
==15564==    by 0x14BB86: process_text_body_part (cook.c:1307)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==  Address 0x5074d99 is 0 bytes after a block of size 73 alloc'd
==15564==    at 0x484BDD0: realloc (vg_replace_malloc.c:1801)
==15564==    by 0x17FFBE: my_realloc1 (memory.c:748)
==15564==    by 0x1484DF: expand_ctrl_chars (cook.c:203)
==15564==    by 0x14D8DB: process_text_body_part (cook.c:1871)
==15564==    by 0x14EC09: cook_article (cook.c:2334)
==15564==    by 0x1C3D9D: art_open (rfc2046.c:2078)
==15564==    by 0x1A4AAB: load_article (page.c:1860)
==15564==    by 0x1A0E94: show_page (page.c:347)
==15564==    by 0x1D4551: show_article_by_msgid (select.c:2270)
==15564==    by 0x1CF38D: selection_page (select.c:132)
==15564==    by 0x17A103: main (main.c:556)
==15564==
==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)

Adam

From urs at akk.org Sat Apr 11 03:20:41 2026
From: urs at akk.org (Urs Janßen)
Date: Sat, 11 Apr 2026 03:20:41 +0200
Subject: [tin-bugs] tin 2.6.5 crashes when accessing article
In-Reply-To:
References:
Message-ID:

fullquote as I put Dennis in Bcc

On Fri, Apr 10, 2026 at 10:28:54PM +0200, Adam W. wrote:
> Hi,
>
> tin 2.6.5 crashes with "realloc(): invalid next size" when accessing
> one specific article.
>
> System is amd64 (x86_64), Debian 13.4, kernel 6.12.74+deb13+1-amd64.
> Console charset is utf-8.
>
> Message-ID is:
>
> Article is available for reading on my server: news.chmurka.net
>
> It can be reproduced with:
>
> tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros@falcon.lasek.waw.pl

I can't reproduce that (tried with gcc -fsanitize=address,undefined,leak
and with running from valgrind: both without any issues) with the current
code base (see below)

x86_64-pc-linux-gnu, debian linux 6.18.15+deb14-amd64, LC_CTYPE=en_US.UTF-8

could you try which is my current code base? (I doubt it will give a
different result, but just to be sure ...)

> Backtrace after rebuilding tin with -O0 -g:
>
> #7  0x000055f3a33273ca in my_realloc1 (file=0x55f3a339a1c0 "./cook.c", line=203, p=0x55f3dad1d320, size=73) at ./memory.c:748
> #8  0x000055f3a32f204a in expand_ctrl_chars (line=0x7ffda917b848, length=0x7ffda917b838, lcook_width=8) at ./cook.c:203
> #9  0x000055f3a32f7422 in process_text_body_part (wrap_lines=1, in=0x55f3daa470f0, charset=0x55f3daa132c0 "iso-8859-2", part=0x55f3daa0b650, hide_inline_data=1) at ./cook.c:1871
> #10 0x000055f3a32f8753 in cook_article (wrap_lines=1, artinfo=0x55f3a35c9ac0 , hide_inline_data=1, show_all_headers=0) at ./cook.c:2334
> #11 0x000055f3a3368ca4 in art_open (wrap_lines=1, art=0x7fd6d52c2c40, group=0x7fd6d5bff300, artinfo=0x55f3a35c9ac0 , show_progress_meter=1, pmesg=0x55f3a33a7bf0 "Reading ('q' to quit)...") at ./rfc2046.c:2078
> #12 0x000055f3a334a8e2 in load_article (new_respnum=57638, group=0x7fd6d5bff300) at ./page.c:1860
> #13 0x000055f3a3346d8d in show_page (group=0x7fd6d5bff300, start_respnum=57638, threadnum=0x0) at ./page.c:347
> #14 0x000055f3a337917d in show_article_by_msgid (messageid=0x0) at ./select.c:2270
> #15 0x000055f3a3374ad5 in selection_page (start_groupnum=0, num_cmd_line_groups=0) at ./select.c:398
> #16 0x000055f3a3321a6c in main (argc=5, argv=0x7ffda917cc08) at ./main.c:556
>
> But I doubt it will be useful, as the heap is most likely corrupted by
> something that happened before.
>
> I ran it with valgrind, but it doesn't crash then, it properly shows the
> article. Here's the valgrind log -- might it be buffer_to_local() or
> process_charsets()?
>
> ==15564== Memcheck, a memory error detector
> ==15564== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
> ==15564== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
> ==15564== Command: ./tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros@falcon.lasek.waw.pl
> ==15564== Parent PID: 15223
> ==15564==
> ==15564== Invalid write of size 1
> ==15564==    at 0x484DE16: strcpy (vg_replace_strmem.c:564)
> ==15564==    by 0x186000: buffer_to_local (misc.c:2772)
> ==15564==    by 0x1861C9: process_charsets (misc.c:2871)
> ==15564==    by 0x14BB86: process_text_body_part (cook.c:1307)
> ==15564==    by 0x14EC09: cook_article (cook.c:2334)
> [... the remaining valgrind error records are quoted unchanged from the report above ...]
> ==15564==
> ==15564== HEAP SUMMARY:
> ==15564==     in use at exit: 17,831 bytes in 25 blocks
> ==15564==   total heap usage: 1,390,172 allocs, 1,390,147 frees, 769,855,444 bytes allocated
> ==15564==
> ==15564== 19 bytes in 1 blocks are definitely lost in loss record 5 of 25
> ==15564==    at 0x4844818: malloc (vg_replace_malloc.c:446)
> ==15564==    by 0x17FE4B: my_malloc1 (memory.c:688)
> ==15564==    by 0x1D6061: my_strdup (string.c:149)
> ==15564==    by 0x1D1DB9: save_restore_curr_group (select.c:1144)
> ==15564==    by 0x1D407F: show_article_by_msgid (select.c:2161)
> ==15564==    by 0x1CF38D: selection_page (select.c:132)
> ==15564==    by 0x17A103: main (main.c:556)
> ==15564==

I vaguely remember that there was an issue with 'L' in 2.6.5 which is fixed
in the current code:

BUG. old artnum in thread was lost after 'L' from thread-level

but the above looks somewhat different. I'll give 2.6.5 a try tomorrow.

> ==15564== LEAK SUMMARY:
> ==15564==    definitely lost: 19 bytes in 1 blocks
> ==15564==    indirectly lost: 0 bytes in 0 blocks
> ==15564==      possibly lost: 0 bytes in 0 blocks
> ==15564==    still reachable: 17,812 bytes in 24 blocks
> ==15564==         suppressed: 0 bytes in 0 blocks
> ==15564== Reachable blocks (those to which a pointer was found) are not shown.
> ==15564== To see them, rerun with: --leak-check=full --show-leak-kinds=all
> ==15564==
> ==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
> [... the per-context error listing is quoted unchanged from the report above ...]
> ==15564== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 0 from 0)
>
> Adam

From urs at akk.org Sat Apr 11 13:04:04 2026
From: urs at akk.org (Urs Janßen)
Date: Sat, 11 Apr 2026 13:04:04 +0200
Subject: [tin-bugs] tin 2.6.5 crashes when accessing article
In-Reply-To:
References:
Message-ID:

On Fri, Apr 10, 2026 at 10:28:54PM +0200, Adam W. wrote:
> It can be reproduced with:
>
> tin -g news.chmurka.net -L slrn10sdakm.1ro9b.jaros@falcon.lasek.waw.pl

after recompiling _without_ MULTIBYTE_ABLE (that's why the manual states
that mail-bugreport from inside tin should be used, as that will include
(some of) the relevant defines) I could reproduce it.

the following should help (diff from the current 2.6.6 branch, but it
should apply with a small offset to 2.6.5)

=== modified file 'src/misc.c'
--- old/src/misc.c	2026-04-09 04:45:44 +0000
+++ new/src/misc.c	2026-04-11 10:41:45 +0000
@@ -2780,8 +2780,8 @@
 	} while (inbytesleft > 0);
 	*outbuf = '\0';
 
-	if (*max_line_len < strlen(obuf)) {
-		*max_line_len = strlen(obuf);
+	if (*max_line_len <= strlen(obuf) +1 ) {
+		*max_line_len = strlen(obuf) + 1;
 		*line = my_realloc(*line, *max_line_len + 1);
 	}
 	strcpy(*line, obuf);

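Review bot: the new check `if (*max_line_len <= strlen(obuf) +1 ) {` together with the unchanged `*line = my_realloc(*line, *max_line_len + 1);` reserves strlen(obuf) + 2 bytes, one more than strcpy() needs, and it calls strlen() on the same buffer twice; cache the length once (`size_t len = strlen(obuf);`), settle what *max_line_len denotes (string length without the terminator, or buffer size), and derive both the comparison and the allocation size from that single meaning. The spare byte papers over the mismatch the valgrind trace above shows: the 73-byte block that expand_ctrl_chars (cook.c:203) handed over had no room for a 73-character result plus its terminator, so the sizing in cook.c deserves the same look. Style point: `+1 )` has stray spacing.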
From: tin at chmurka.net (Adam W.)
Date: Sun, 12 Apr 2026 01:49:36 +0200 (CEST)
Subject: [tin-bugs] tin 2.6.5 crashes when accessing article
In-Reply-To:
References:
Message-ID: <71e5d17b-b84b-b022-66f1-661fbf1db675@chmurka.net>

On Sat, 11 Apr 2026, Urs Janßen wrote:

Hi Urs,

> after recompiling _without_ MULTIBYTE_ABLE (that's why the manual
> states that mail-bugreport from inside tin should be used as that
> will include (some of) the relevant defines) I could reproduce it.

Sorry, I just got home and couldn't do it earlier, but I see you already
figured it out. Great, thank you :)

Actually it's interesting that it manifested only without MULTIBYTE_ABLE,
as I do have this set. Here's my characteristics from the bug report
function:

Characteristics:
-DEBUG +NNTP_ONLY -NO_POSTING
-USE_ZLIB +ENABLE_IPV6 -HAVE_COREFILE -HAVE_FASCIST_NEWSADMIN
-NO_SHELL_ESCAPE -DISABLE_PRINTING -DONT_HAVE_PIPING -NO_ETIQUETTE
+HAVE_LONG_FILE_NAMES +APPEND_PID -HAVE_MH_MAIL_HANDLING +HAVE_COLOR
+HAVE_ISPELL -HAVE_METAMAIL -HAVE_PGP -HAVE_PGPK -HAVE_GPG
+MIME_BREAK_LONG_LINES -MIME_STRICT_CHARSET
+CHARSET_CONVERSION_{ICONV} +MULTIBYTE_ABLE +NO_LOCALE
-USE_ICU_UCSDET -USE_LONG_ARTICLE_NUMBERS +USE_CANLOCK
-EVIL_INSIDE -FORGERY -TINC_DNS -ENFORCE_RFC1034
-REQUIRE_BRACKETS_IN_DOMAIN_LITERAL -ALLOW_FWS_IN_NEWSGROUPLIST

And ./configure syntax from config.log (formatted for readability):

./configure \
  --prefix=/usr/local \
  --with-editor=/usr/bin/nano \
  --enable-nntp-only \
  --with-ncurses \
  --with-domain-name=localdomain.invalid \
  --disable-mime-strict-charset \
  --with-mime-default-charset=utf-8 \
  --with-nntp-default-server=news.chmurka.net \
  --disable-nls \
  --disable-locale \
  --enable-cancel-locks

> the following should help (diff from the current 2.6.6er branch,
> but it should apply with a small offset to 2.6.5)

I confirm, it doesn't crash now.

Thanks again,
Adam

From: urs at tin.org (Urs =?iso-8859-1?Q?Jan=DFen?=)
Date: Sun, 12 Apr 2026 03:38:44 +0200
Subject: [tin-bugs] tin 2.6.5 crashes when accessing article
In-Reply-To: <71e5d17b-b84b-b022-66f1-661fbf1db675@chmurka.net>
References: <71e5d17b-b84b-b022-66f1-661fbf1db675@chmurka.net>
Message-ID:

On Sun, Apr 12, 2026 at 01:49:36AM +0200, Adam W. wrote:
> Actually it's interesting that it manifested only without MULTIBYTE_ABLE,

or with set NO_LOCALE (but that didn't reproduce it on my side), both
use the same codepath

> as I do have this set. Here's my characteristics from the bug report
> function:
>
> Characteristics:
> -DEBUG +NNTP_ONLY -NO_POSTING
> -USE_ZLIB +ENABLE_IPV6 -HAVE_COREFILE -HAVE_FASCIST_NEWSADMIN
> -NO_SHELL_ESCAPE -DISABLE_PRINTING -DONT_HAVE_PIPING -NO_ETIQUETTE
> +HAVE_LONG_FILE_NAMES +APPEND_PID -HAVE_MH_MAIL_HANDLING +HAVE_COLOR
> +HAVE_ISPELL -HAVE_METAMAIL -HAVE_PGP -HAVE_PGPK -HAVE_GPG
> +MIME_BREAK_LONG_LINES -MIME_STRICT_CHARSET
> +CHARSET_CONVERSION_{ICONV} +MULTIBYTE_ABLE +NO_LOCALE
                                              ^^^^^^^^^^ *bingo*

From: tin at chmurka.net (Adam W.)
Date: Tue, 14 Apr 2026 15:18:40 +0200 (CEST)
Subject: [tin-bugs] Possible shell injection via group name
Message-ID:

Hi,

Let's assume the scenario:

1. User configures a signature command containing %G
2. Group name is substituted to the shell command
3. Group name is wrapped in double quotes (sigfile.c, msg_write_signature()),
   but it assumes that the group name is sane. Double quotes or other shell
   characters, like `, $ or \, are not escaped
4. Malicious server sends a group called: group"; rm -rf ~;"
5. A malicious command gets injected into popen()

Do you think it's a real vulnerability?

string.c contains sh_format(), maybe it would be a good idea to use it?

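Adam's scenario, in added example code that is not tin's own: `valid_group_name()` accepts only the RFC 5536 newsgroup-name character set, so it rejects quotes, `$`, backtick and backslash as well as whitespace, and `shell_quote()` is the kind of quoting step Adam suggests sh_format() for, so that whatever is substituted for %G reaches /bin/sh as one literal word. Both function names are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not tin's code; both function names are made up.
 * Whitelist following the newsgroup-name grammar of RFC 5536 (3.1.4):
 * components of [A-Za-z0-9+_-] joined by single dots, which is stricter
 * than rejecting whitespace only. */
bool valid_group_name(const char *name)
{
    size_t comp_len = 0;        /* characters in the current component */
    if (name == NULL || *name == '\0')
        return false;
    for (const char *p = name; *p; p++) {
        if (*p == '.') {
            if (comp_len == 0)  /* leading or doubled dot */
                return false;
            comp_len = 0;
        } else if (strchr("abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-_", *p))
            comp_len++;
        else
            return false;       /* space, quote, $, backtick, backslash, ... */
    }
    return comp_len > 0;        /* reject a trailing dot */
}

/* Second layer for the %G substitution: wrap s in single quotes so that
 * /bin/sh passes it through as one literal word; an embedded ' becomes
 * '\''. The caller frees the result. */
char *shell_quote(const char *s)
{
    size_t n = 3;               /* two quotes plus the terminating NUL */
    char *out, *q;
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    if ((out = q = malloc(n)) == NULL)
        return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);
            q += 4;
        } else
            *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}
```

A single-quoted value also survives a pipeline such as `echo %G | tr ...` unchanged, because the shell strips the quotes before echo runs.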
From: urs at tin.org (Urs =?iso-8859-1?Q?Jan=DFen?=)
Date: Tue, 14 Apr 2026 17:02:24 +0200
Subject: [tin-bugs] Possible shell injection via group name
In-Reply-To:
References:
Message-ID:

On Tue, Apr 14, 2026 at 03:18:40PM +0200, Adam W. wrote:
> 1. User configures a signature command containing %G
> 2. Group name is substituted to the shell command
> 3. Group name is wrapped in double quotes (sigfile.c,
> msg_write_signature()), but it assumes that the group name is sane.
> Double quotes or other shell characters, like `, $ or \, are not
> escaped
> 4. Malicious server sends a group called: group"; rm -rf ~;"

that's not a valid group name. group names must not contain space
(0x20), but I didn't check tin's code if it validates it (everywhere),
but if e.g. LIST ACTIVE/LIST COUNTS is used (default), the response is
split at whitespace, so such a group will never make it into the list
of known groups to tin (cut at first space); you could put some junk in
your newsrc, group names are not split at WS when parsing it but at :
or ! but then it would need a server to also hold some matching junk so
you could try to post something and thus invoke signature generation
expanding %G - very very hypothetical.

anyway, rejecting groups with WS from the newsrc is easy:

=== modified file 'src/newsrc.c'
--- old/src/newsrc.c	2026-04-12 08:34:09 +0000
+++ new/src/newsrc.c	2026-04-14 14:30:27 +0000
@@ -1754,6 +1754,9 @@
 	tmp = ptr;		/* Keep this blank for later */
 	*(ptr++) = '\0';	/* Terminate the group name */
 
+	if (strpbrk(ptr, " \t")) != NULL)	/* minimalistic name validation */
+		return NULL;
+
 #if 0
 	if (ptr == NULL)	/* No seq info, so return a blank */
 		return tmp;

leaving the -L cmd.-line or 'L' cmd. case where the server may return a
(not yet validated) group name. something like the above in
select.c:lookup_msgid() ~2025 should do, e.g.

=== modified file 'src/select.c'
--- old/src/select.c	2026-04-07 20:02:10 +0000
+++ new/src/select.c	2026-04-14 14:59:03 +0000
@@ -2022,8 +2022,13 @@
 			}
 		}
 	}
-	if (x)
+	if (x) {
+		if ((e = strpbrk(x, " \t"))) {
+			if (e < strchr(x, ':'))
+				return NULL;
+		}
 		return x;
+	}
 
 	if (!r) {
 # ifdef DEBUG

I may have "overlooked" a way where tin uses a server-replied group name
which isn't rejected beforehand (and just rejecting the ones with WS may
not be enough), but as the scenario is very hypothetical ...

> 5. A malicious command gets injected into popen()
>
> Do you think it's a real vulnerability?

not really, I bet there are much more likely code injection
possibilities in the code :-P

> string.c contains sh_format(), maybe it would be a good idea to use it?

as long as you don't break the functionality of e.g.
sigfile=!echo %G|tr '[A-M][a-m][N-Z][n-z]' '[N-Z][n-z][A-M][a-m]'
feel free to send a patch.

From: urs at tin.org (Urs =?UTF-8?Q?Jan=C3=9Fen?=)
Date: Tue, 14 Apr 2026 17:10:30 +0200
Subject: [tin-bugs] Possible shell injection via group name
References:
Message-ID:

Urs Janßen wrote:
> === modified file 'src/newsrc.c'
> --- old/src/newsrc.c	2026-04-12 08:34:09 +0000
> +++ new/src/newsrc.c	2026-04-14 14:30:27 +0000
> @@ -1754,6 +1754,9 @@
>  	tmp = ptr;		/* Keep this blank for later */
>  	*(ptr++) = '\0';	/* Terminate the group name */
>
> +	if (strpbrk(ptr, " \t")) != NULL)	/* minimalistic name validation */

that should be
if (strpbrk(line, " \t")) != NULL)
not ptr.
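Review bot: in the select.c hunk, `if (e < strchr(x, ':'))` goes wrong when the reply contains no ':' at all: strchr() returns NULL, a relational comparison between a valid pointer and NULL is undefined behaviour, and in practice it evaluates false, so a name with whitespace but no colon is returned unchecked. Look the colon up first and reject when it is missing or follows the whitespace, e.g. `char *c = strchr(x, ':'); if ((e = strpbrk(x, " \t")) != NULL && (c == NULL || e < c)) return NULL;`. `e` is not declared anywhere in the hunk's context either, so make sure a `char *e` is in scope.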
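Review bot: the corrected line `if (strpbrk(line, " \t")) != NULL)` still has one closing parenthesis too many (the `)` after `" \t"` already closes the `if`), so neither version compiles; it should read `if (strpbrk(line, " \t") != NULL)`. Checking `line` rather than `ptr` is right, since `*(ptr++) = '\0';` has just terminated the group name and `ptr` now points past it into the sequence part. As the reply itself says, whitespace is all this check rejects; quotes, `$`, backtick and backslash still pass, so the value still needs quoting where it is substituted for %G.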