From: Adrian Penisoara
Date: Sun, 7 May 2000 11:29:27 +0300 (EEST)
To: Kris Kennaway
Cc: Warner Losh, security-officer@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: port update: mail/imap-uw from 4.7c1 to 4.7c2

Hi,

On Sat, 6 May 2000, Kris Kennaway wrote:

> On Sat, 6 May 2000, Adrian Penisoara wrote:
>
> > The author released yet another small update which fixes additional
> > buffer overflows in dummy.c and env_unix.c in src/osdep/unix.
>
> I didn't get the chance to look at this port yet, but given the above I'm
> inclined to keep the port FORBIDDEN for a while longer and give the author
> time to finish fixing whatever other security holes he can find. The only
> question is really how hard he's going to look for them.
>
> The alternative is reissuing advisories every time saying "whoops, the
> imap-uw port is insecure again".."now it's fixed".."oops, it's still
> insecure"
>
> Comments?

You've got a point here; besides, these fixes are pretty weird, just look at these diffs between 4.7c1 and 4.7c2:

diff -ru imap-4.7c1/src/osdep/unix/dummy.c imap-4.7c2/src/osdep/unix/dummy.c --- imap-4.7c1/src/osdep/unix/dummy.c Thu Oct 7 23:29:30 1999 +++ imap-4.7c2/src/osdep/unix/dummy.c Wed May 3 20:34:29 2000
@@ -263,9 +263,10 @@ dummy_listed (stream,'/',dir,LATT_NOSELECT,contents); /* scan directory, ignore . and .. */ if (!dir || dir[strlen (dir) - 1] == '/') while (d = readdir (dp)) - if ((d->d_name[0] != '.') || - (d->d_name[1] && (((d->d_name[1] != '.') || d->d_name[2]) && - strcmp (d->d_name+1,MXINDEXNAME+2)))) { + if (((d->d_name[0] != '.') || + (d->d_name[1] && (((d->d_name[1] != '.') || d->d_name[2]) && + strcmp (d->d_name+1,MXINDEXNAME+2)))) && + (strlen (d->d_name) <= NETMAXMBX)) { /* see if name is useful */ if (dir) sprintf (tmp,"%s%s",dir,d->d_name); else strcpy (tmp,d->d_name); diff -ru imap-4.7c1/src/osdep/unix/env_unix.c imap-4.7c2/src/osdep/unix/env_unix.c --- imap-4.7c1/src/osdep/unix/env_unix.c Thu Jan 20 22:12:55 2000 +++ imap-4.7c2/src/osdep/unix/env_unix.c Wed May 3 20:33:01 2000 @@ -660,9 +660,15 @@ { char tmp[MAILTMPLEN]; if (dir || name) { /* if either argument provided */ - if (dir) strcpy (tmp,dir); /* write directory prefix */ + if (dir) { + if (strlen (dir) > NETMAXMBX) return NIL; + strcpy (tmp,dir); /* write directory prefix */ + } else tmp[0] = '\0'; /* otherwise null string */ - if (name) strcat (tmp,name);/* write name in directory */ + if (name) { + if (strlen (name) > NETMAXMBX) return NIL; + strcat (tmp,name); /* write name in directory */ + } /* validate name, return its name */ if (!mailboxfile (dst,tmp)) return NIL; } 
@@ -682,7 +688,8 @@ char *dir = myhomedir (); *dst = '\0'; /* default to empty string */ /* check invalid name */ - if (!name || !*name || (*name == '{')) return NIL; + if (!name || !*name || (*name == '{') || (strlen (name) > NETMAXMBX)) + return NIL; /* check for INBOX */ if (((name[0] == 'I') || (name[0] == 'i')) && ((name[1] == 'N') || (name[1] == 'n')) &&

I wonder if we'll see any s* functions replaced with sn* counterparts; or maybe this is about compatibility between Unix versions?

Hmmm, shouldn't it be the time for an OpenIMAPd project to appear ? ;-)...

Ady (@freebsd.ady.ro)
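Review bot: in the dummy.c hunk (@@ -263,9 +263,10 @@) the new `(strlen (d->d_name) <= NETMAXMBX)` test bounds the directory entry on its own, but two lines later the entry is written into `tmp` together with the prefix by `sprintf (tmp,"%s%s",dir,d->d_name)`, so the combined length is still not checked against the size of `tmp`, which this hunk does not show. Checking `strlen (dir) + strlen (d->d_name)` against the buffer size, or using `snprintf (tmp,sizeof tmp,"%s%s",dir,d->d_name)` and testing its return value, would tie the bound to the buffer actually being written; as written, over-long entries are also skipped silently rather than logged, so the condition never surfaces to the administrator.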
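Review bot: in the env_unix.c hunk at line 660, `dir` and `name` are each limited to NETMAXMBX and then concatenated by `strcpy (tmp,dir)` and `strcat (tmp,name)` into `char tmp[MAILTMPLEN]`, so the overflow is prevented only if `2 * NETMAXMBX < MAILTMPLEN` holds, and neither constant's value appears in the hunk. A single check on the sum (`if (strlen (dir) + strlen (name) >= MAILTMPLEN) return NIL;`) or an `snprintf (tmp,MAILTMPLEN,"%s%s",dir ? dir : "",name ? name : "")` would bound the write by the destination's real size, and a comment stating the relation between the two constants would make the intent reviewable.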
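Review bot: the check added in the hunk at line 682 applies NETMAXMBX to `name` before it is combined with `dir = myhomedir ()`, but the hunk shows neither the size of `dst` nor how `name` and `dir` are later joined, so a reviewer cannot confirm from these lines that NETMAXMBX is the right bound for that buffer. This is also the third place in the patch where the same `strlen (x) > NETMAXMBX` idiom is repeated; factoring it into one helper, with a comment naming the buffer size it guards, would keep the three checks consistent and make any later change to the limit a one-line edit.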