COMMAND

	newsreader nn remote format string vulnerability

SYSTEMS AFFECTED

	nn 6.6.3 or prior

PROBLEM

	In zillion [zillion@snosoft.com] Safemode.org security advisory :
	
	Malicious server owners can use this vulnerability to  execute  code  on
	systems that are connected with affected clients.
	
	A server response such as this can be used to trigger this issue:
	
	100 AAAABBBB%10\$x%11\$x
	
	If such  a  response  is  received,  the  nn  client  will  display  the
	following:
	
	100 AAAABBBB4141414142424242
	
	The problem  is  that  the  following  function  is  being  called  with
	nn_exitmsg(1, line) in the nntp.c file
	
	void nn_exitmsg(int n, char *fmt,...)
	{
	    va_list     ap;
	
	    va_start(ap, fmt);
	    vprintf(fmt, ap);
	    putchar(NL);
	    va_end(ap);
	
	    nn_exit(n);
	    /*NOTREACHED*/
	}
	

SOLUTION

	The developer fixed this vulnerability in NN version  6.6.4,  which  can
	be downloaded from here:
	
	http://www.nndev.org/