Date: Sun, 7 May 2000 11:29:27 +0300 (EEST)
From: Adrian Penisoara <ady@warpnet.ro>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: Warner Losh <imp@village.org>, security-officer@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: port update: mail/imap-uw from 4.7c1 to 4.7c2
Message-ID: <Pine.BSF.4.10.10005071113350.11460-100000@ady.warpnet.ro>
In-Reply-To: <Pine.BSF.4.21.0005061423210.14022-100000@freefall.freebsd.org>
Hi,
On Sat, 6 May 2000, Kris Kennaway wrote:
> On Sat, 6 May 2000, Adrian Penisoara wrote:
>
> > The author released yet another small update which fixes additional
> > buffer overflows in dummy.c and env_unix.c in src/osdep/unix.
>
> I didn't get the chance to look at this port yet, but given the above I'm
> inclined to keep the port FORBIDDEN for a while longer and give the author
> time to finish fixing whatever other security holes he can find. The only
> question is really how hard he's going to look for them.
>
> The alternative is reissuing advisories every time saying "whoops, the
> imap-uw port is insecure again".."now it's fixed".."oops, it's still
> insecure"
>
> Comments?
You've got a point here; besides, these fixes are pretty weird, just look
at these diffs between 4.7c1 and 4.7c2:
diff -ru imap-4.7c1/src/osdep/unix/dummy.c imap-4.7c2/src/osdep/unix/dummy.c
--- imap-4.7c1/src/osdep/unix/dummy.c Thu Oct 7 23:29:30 1999
+++ imap-4.7c2/src/osdep/unix/dummy.c Wed May 3 20:34:29 2000
@@ -263,9 +263,10 @@
dummy_listed (stream,'/',dir,LATT_NOSELECT,contents);
/* scan directory, ignore . and .. */
if (!dir || dir[strlen (dir) - 1] == '/') while (d = readdir (dp))
- if ((d->d_name[0] != '.') ||
- (d->d_name[1] && (((d->d_name[1] != '.') || d->d_name[2]) &&
- strcmp (d->d_name+1,MXINDEXNAME+2)))) {
+ if (((d->d_name[0] != '.') ||
+ (d->d_name[1] && (((d->d_name[1] != '.') || d->d_name[2]) &&
+ strcmp (d->d_name+1,MXINDEXNAME+2)))) &&
+ (strlen (d->d_name) <= NETMAXMBX)) {
/* see if name is useful */
if (dir) sprintf (tmp,"%s%s",dir,d->d_name);
else strcpy (tmp,d->d_name);
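Review bot: the added "strlen (d->d_name) <= NETMAXMBX" test bounds only the directory entry name, but the unchanged sprintf (tmp,"%s%s",dir,d->d_name) right below it writes dir and the name together into tmp, so the combined length is still unchecked in this hunk. Suggest comparing strlen (dir) + strlen (d->d_name) against the size of tmp before the sprintf, or using a length-limited write, and saying in the comment that over-long entries are silently left out of the listing.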
diff -ru imap-4.7c1/src/osdep/unix/env_unix.c imap-4.7c2/src/osdep/unix/env_unix.c
--- imap-4.7c1/src/osdep/unix/env_unix.c Thu Jan 20 22:12:55 2000
+++ imap-4.7c2/src/osdep/unix/env_unix.c Wed May 3 20:33:01 2000
@@ -660,9 +660,15 @@
{
char tmp[MAILTMPLEN];
if (dir || name) { /* if either argument provided */
- if (dir) strcpy (tmp,dir); /* write directory prefix */
+ if (dir) {
+ if (strlen (dir) > NETMAXMBX) return NIL;
+ strcpy (tmp,dir); /* write directory prefix */
+ }
else tmp[0] = '\0'; /* otherwise null string */
- if (name) strcat (tmp,name);/* write name in directory */
+ if (name) {
+ if (strlen (name) > NETMAXMBX) return NIL;
+ strcat (tmp,name); /* write name in directory */
+ }
/* validate name, return its name */
if (!mailboxfile (dst,tmp)) return NIL;
}
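Review bot: dir and name are each compared against NETMAXMBX separately, but strcat (tmp,name) appends name after dir in the same tmp[MAILTMPLEN], so the two together can reach 2*NETMAXMBX bytes plus the terminator. Unless MAILTMPLEN is guaranteed to exceed that (its value is not visible here), the test should be on the sum, for example strlen (dir) + strlen (name) against sizeof (tmp), done before either copy.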
@@ -682,7 +688,8 @@
char *dir = myhomedir ();
*dst = '\0'; /* default to empty string */
/* check invalid name */
- if (!name || !*name || (*name == '{')) return NIL;
+ if (!name || !*name || (*name == '{') || (strlen (name) > NETMAXMBX))
+ return NIL;
/* check for INBOX */
if (((name[0] == 'I') || (name[0] == 'i')) &&
((name[1] == 'N') || (name[1] == 'n')) &&
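Review bot: the added (strlen (name) > NETMAXMBX) clause limits name only, while this function also takes dir from myhomedir () and returns its result through dst, whose capacity is not passed in. The bound is meaningful only if every caller's dst buffer can hold the home directory plus a NETMAXMBX-byte name; a comment stating the required dst size, or an explicit size parameter, would make that checkable.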
I wonder if we'll see any s* functions replaced with sn*
counterparts; or maybe this is about compatibility between Unix versions?
Hmmm, shouldn't it be time for an OpenIMAPd project to appear? ;-)...
Ady (@freebsd.ady.ro)
