Date: Sat, 3 Nov 2007 20:54:35 +0100 (CET) From: Thomas Vogt <thomas@bsdunix.ch> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/117796: [security update] mail/perdition to 1.17.1 Message-ID: <200711031954.lA3JsZU4099584@bert.mlan.solnet.ch> Resent-Message-ID: <200711032120.lA3LK1K0005331@freefall.freebsd.org>
>Number: 117796 >Category: ports >Synopsis: [security update] mail/perdition to 1.17.1 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Sat Nov 03 21:20:00 UTC 2007 >Closed-Date: >Last-Modified: >Originator: Thomas Vogt >Release: FreeBSD 7.0-BETA1 i386 >Organization: >Environment: System: FreeBSD bert.mlan.solnet.ch 7.0-BETA1 FreeBSD 7.0-BETA1 #8: Sat Oct 20 00:36:10 CEST 2007 root@bert.mlan.solnet.ch:/usr/obj/usr/src/sys/BERT i386 >Description: Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication. Vulnerable versions: Perdition <= 1.17 >How-To-Repeat: Example: perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143 if you got NO error message you are vulnerable. More information: http://www.sec-consult.com/300.html >Fix: Update to 1.17.1
diff -ruN perdition.orig/Makefile perdition/Makefile
--- perdition.orig/Makefile 2007-08-10 15:49:44.000000000 +0200
+++ perdition/Makefile 2007-11-02 23:11:43.000000000 +0100
@@ -6,7 +6,7 @@
 #
 PORTNAME= perdition
-PORTVERSION= 1.17
+PORTVERSION= 1.17.1
 CATEGORIES= mail net security
 MASTER_SITES= http://www.vergenet.net/linux/perdition/download/${PORTVERSION}/
@@ -31,7 +31,7 @@
 MAKE_ENV+= DOCSDIR=${DOCSDIR}
 CONFIGURE_ARGS+= --disable-daemon-map
-INSTALLS_SHLIB= yes
+USE_LDCONFIG= yes
 ##
 ## Available knobs:
@@ -122,7 +122,9 @@
 .if defined(WITH_OPENLDAP)
 USE_OPENLDAP= YES
-CONFIGURE_ARGS+= --enable-ldap --with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/
+CONFIGURE_ARGS+= --enable-ldap \
+ --with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/ \
+ --disable-ldap-doc
 PLIST_SUB+= OPENLDAP=""
 MAN8+= perditiondb_ldap_makedb.8
 .else
diff -ruN perdition.orig/distinfo perdition/distinfo
--- perdition.orig/distinfo 2005-12-19 11:06:19.000000000 +0100
+++ perdition/distinfo 2007-11-02 15:36:44.000000000 +0100
@@ -1,3 +1,3 @@
-MD5 (perdition-1.17.tar.gz) = 6cef90e55bde9eb2d0a17acccb3516f3
-SHA256 (perdition-1.17.tar.gz) = 38f1bfe1cb7db8b16fc6a3febc293460b6a5ae49312c6a08b757c89b1ae73879
-SIZE (perdition-1.17.tar.gz) = 552149
+MD5 (perdition-1.17.1.tar.gz) = 5464c517f8be810519b6187b694c9d98
+SHA256 (perdition-1.17.1.tar.gz) = e2abd57aa76b106591056ef835e26816c71c3b39dc55bc3aeba6dfeefac7af26
+SIZE (perdition-1.17.1.tar.gz) = 638162
diff -ruN perdition.orig/pkg-plist perdition/pkg-plist
--- perdition.orig/pkg-plist 2004-06-02 10:11:06.000000000 +0200
+++ perdition/pkg-plist 2007-11-02 23:16:43.000000000 +0100
@@ -9,6 +9,7 @@
 etc/perdition/popmap-dist
 etc/perdition/Makefile.popmap-dist
 etc/perdition/Makefile
+etc/pam.d/perdition
 include/jain.h
 lib/libjain.so.0
 lib/libjain.so
This files are diffs are from the perdition src code and should go to ports/mail/perdition/files. This are NOT diffs agains old perdition/files/*
--- etc/Makefile.in.orig 2007-11-02 15:37:51.000000000 +0100
+++ etc/Makefile.in 2007-11-02 15:38:45.000000000 +0100
@@ -78,7 +78,7 @@
 distclean-recursive maintainer-clean-recursive
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = perdition pam.d rc.d sysconfig
+DIST_SUBDIRS = perdition
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
--- etc/perdition/Makefile.in.orig 2007-11-02 15:40:32.000000000 +0100
+++ etc/perdition/Makefile.in 2007-11-02 15:45:43.000000000 +0100
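Review bot: `etc/pam.d/perdition` is added to pkg-plist as an ordinary file, unlike the neighbouring `popmap-dist` and `Makefile.popmap-dist` samples, so a deinstall or upgrade will remove or overwrite whatever PAM policy the administrator has set for the proxy's authentication. Consider shipping it as a sample, e.g. `etc/pam.d/perdition-dist`, and leaving the live file unregistered. The `etc/Makefile.in` hunk that follows also drops `pam.d` from `DIST_SUBDIRS`; `SUBDIRS` is outside that hunk, so it is worth confirming that the install step still produces the file this plist entry claims.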
@@ -259,16 +259,16 @@
 @list='$(perditionconf_DATA)'; for p in $$list; do \
 if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 f=$(am__strip_dir) \
- echo " $(perditionconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(perditionconfdir)/$$f'"; \
- $(perditionconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(perditionconfdir)/$$f"; \
+ echo " $(perditionconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(perditionconfdir)/$$f-dist'"; \
+ $(perditionconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(perditionconfdir)/$$f-dist"; \
 done
 uninstall-perditionconfDATA:
 @$(NORMAL_UNINSTALL)
 @list='$(perditionconf_DATA)'; for p in $$list; do \
 f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(perditionconfdir)/$$f'"; \
- rm -f "$(DESTDIR)$(perditionconfdir)/$$f"; \
+ echo " rm -f '$(DESTDIR)$(perditionconfdir)/$$f-dist'"; \
+ rm -f "$(DESTDIR)$(perditionconfdir)/$$f-dist"; \
 done
 tags: TAGS
 TAGS:
--- makebdb/Makefile.in.orig 2007-11-02 15:47:34.000000000 +0100
+++ makebdb/Makefile.in 2007-11-02 15:48:33.000000000 +0100
@@ -231,7 +231,7 @@
 options.c \
 options.h
-makebdb_LDADD = -L../libjain -L../libjain/.libs/ -ljain -ldb -lpopt \
+makebdb_LDADD = -L../libjain -L../libjain/.libs/ -ljain -ldb3 -lpopt \
 @dmalloc_lib@
 INCLUDES = -I$(top_srcdir)/libjain
--- perdition/Makefile.in.orig Tue Dec 6 16:08:58 2005
+++ perdition/Makefile.in Tue Dec 6 16:09:36 2005
@@ -560,8 +560,6 @@
 for i in pop3 pop3s imap4 imap4s imaps; do \
 (cd $(DESTDIR)$(sbindir) && rm -f perdition.$$i && \
 ln -sf perdition perdition.$$i); \
- (cd $(DESTDIR)$(mandir)/man8 && rm -f perdition.$$i && \
- ln -sf perdition.8 perdition.$$i.8); \
 done
 uninstall-local:
--- perdition/db/bdb/Makefile.in.orig 2007-11-02 15:49:39.000000000 +0100
+++ perdition/db/bdb/Makefile.in 2007-11-02 15:50:20.000000000 +0100
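Review bot: The `makebdb_LDADD` change hard-codes `-ldb3`, and the `libperditiondb_bdb_la_LIBADD` hunk in `perdition/db/bdb/Makefile.in` does the same, which ties the map backend of a network-facing proxy to Berkeley DB 3 regardless of which version the host has installed or patched. Taking the library name from the ports framework (`USE_BDB` with `${BDB_LIB_NAME}`, substituted in `post-patch`) would avoid a static patch that has to be edited for every BDB change. No `-L` for the BDB library directory is visible in either hunk, so the link presumably relies on the default search path; that is inferred, not shown.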
@@ -235,7 +235,7 @@
 perditiondb_bdb.h
 libperditiondb_bdb_la_LDFLAGS = -version-info 0:0:0
-libperditiondb_bdb_la_LIBADD = -ldb
+libperditiondb_bdb_la_LIBADD = -ldb3
 INCLUDES = \
 -I$(top_srcdir)/ \
 -I$(top_srcdir)/perdition \
--- perdition/db/posix_regex/Makefile.in.orig 2007-11-02 15:53:56.000000000 +0100
+++ perdition/db/posix_regex/Makefile.in 2007-11-02 15:55:31.000000000 +0100
@@ -355,16 +355,16 @@
 @list='$(conf_DATA)'; for p in $$list; do \
 if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 f=$(am__strip_dir) \
- echo " $(confDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(confdir)/$$f'"; \
- $(confDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(confdir)/$$f"; \
+ echo " $(confDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(confdir)/$$f-dist'"; \
+ $(confDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(confdir)/$$f-dist"; \
 done
 uninstall-confDATA:
 @$(NORMAL_UNINSTALL)
 @list='$(conf_DATA)'; for p in $$list; do \
 f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(confdir)/$$f'"; \
- rm -f "$(DESTDIR)$(confdir)/$$f"; \
+ echo " rm -f '$(DESTDIR)$(confdir)/$$f-dist'"; \
+ rm -f "$(DESTDIR)$(confdir)/$$f-dist"; \
 done
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
Please delete this patches in /files: patch-perdition::db::daemon::Makefile.in (not necessary anymore) patch-perdition::Makefile.in (replaced by new patch-perdition-Makefile.in) patch-perdition-db-ldap-perditiondb_ldap (not necessary anymore) >Release-Note: >Audit-Trail: >Unformatted: