COMMAND

	newsreader nn remote format string vulnerability

SYSTEMS AFFECTED

	nn 6.6.3 or prior

PROBLEM

	In zillion [zillion@snosoft.com] Safemode.org security advisory :
	

	Malicious server owners can use this vulnerability to  execute  code  on
	systems that are connected with affected clients.
	

	A server response such as this can be used to trigger this issue:
	

	100 AAAABBBB%10\\$x%11\\$x

	

	If such  a  response  is  received,  the  nn  client  will  display  the
	following:
	

	100 AAAABBBB4141414142424242

	

	The problem  is  that  the  following  function  is  being  called  with
	nn_exitmsg(1, line) in the nntp.c file
	

	void nn_exitmsg(int n, char *fmt,...)

	{

	    va_list     ap;

	

	    va_start(ap, fmt);

	    vprintf(fmt, ap);

	    putchar(NL);

	    va_end(ap);

	

	    nn_exit(n);

	    /*NOTREACHED*/

	}

	

SOLUTION

	The developer fixed this vulnerability in NN version  6.6.4,  which  can
	be downloaded from here:
	

	http://www.nndev.org/