Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 1 Dec 2015 14:33:32 +0000 (UTC)
From:      Hajimu UMEMOTO <ume@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r402745 - in head/mail/cyrus-imapd24: . files
Message-ID:  <201512011433.tB1EXWB4073432@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ume
Date: Tue Dec  1 14:33:31 2015
New Revision: 402745
URL: https://svnweb.freebsd.org/changeset/ports/402745

Log:
  Apply upstream patches to fix CVE-2015-8077 and CVE-2015-8078.
  
  Obtained from:	https://cyrus.foundation/cyrus-imapd/patch/?id=745e161c834f1eb6d62fc14477f51dae799e1e08,
  		https://cyrus.foundation/cyrus-imapd/patch/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2
  MFH:		2015Q4
  Security:	d62ec98e-97d8-11e5-8c0e-080027b00c2e

Added:
  head/mail/cyrus-imapd24/files/patch-CVE-2015-8077   (contents, props changed)
  head/mail/cyrus-imapd24/files/patch-CVE-2015-8078   (contents, props changed)
Modified:
  head/mail/cyrus-imapd24/Makefile

Modified: head/mail/cyrus-imapd24/Makefile
==============================================================================
--- head/mail/cyrus-imapd24/Makefile	Tue Dec  1 14:30:48 2015	(r402744)
+++ head/mail/cyrus-imapd24/Makefile	Tue Dec  1 14:33:31 2015	(r402745)
@@ -2,7 +2,7 @@
 
 PORTNAME=	cyrus-imapd
 PORTVERSION=	2.4.18
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail ipv6
 MASTER_SITES=	ftp://ftp.cyrusimap.org/cyrus-imapd/ \
 		http://cyrusimap.org/releases/

Added: head/mail/cyrus-imapd24/files/patch-CVE-2015-8077
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/mail/cyrus-imapd24/files/patch-CVE-2015-8077	Tue Dec  1 14:33:31 2015	(r402745)
@@ -0,0 +1,40 @@
+From 745e161c834f1eb6d62fc14477f51dae799e1e08 Mon Sep 17 00:00:00 2001
+From: ellie timoney <ellie@fastmail.com>
+Date: Mon, 26 Oct 2015 16:15:40 +1100
+Subject: urlfetch: protect against overflow in range checks
+
+
+--- imap/index.c.orig	2015-07-06 03:38:29 UTC
++++ imap/index.c
+@@ -2712,7 +2712,8 @@ int index_urlfetch(struct index_state *s
+     int fetchmime = 0, domain = DOMAIN_7BIT;
+     unsigned size;
+     int32_t skip = 0;
+-    int n, r = 0;
++    unsigned long n;
++    int r = 0;
+     char *decbuf = NULL;
+     struct mailbox *mailbox = state->mailbox;
+     struct index_map *im = &state->map[msgno-1];
+@@ -2849,7 +2850,7 @@ int index_urlfetch(struct index_state *s
+         start_octet = size;
+         n = 0;
+     }
+-    else if (start_octet + n > size) {
++    else if (start_octet + n < start_octet || start_octet + n > size) {
+         n = size - start_octet;
+     }
+ 
+@@ -2861,10 +2862,10 @@ int index_urlfetch(struct index_state *s
+ 
+ 	if (domain == DOMAIN_BINARY) {
+ 	    /* Write size of literal8 */
+-	    prot_printf(pout, " ~{%u}\r\n", n);
++	    prot_printf(pout, " ~{%lu}\r\n", n);
+ 	} else {
+ 	    /* Write size of literal */
+-	    prot_printf(pout, " {%u}\r\n", n);
++	    prot_printf(pout, " {%lu}\r\n", n);
+ 	}
+     }
+ 

Added: head/mail/cyrus-imapd24/files/patch-CVE-2015-8078
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/mail/cyrus-imapd24/files/patch-CVE-2015-8078	Tue Dec  1 14:33:31 2015	(r402745)
@@ -0,0 +1,23 @@
+From 6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2 Mon Sep 17 00:00:00 2001
+From: ellie timoney <ellie@fastmail.com>
+Date: Mon, 26 Oct 2015 16:21:01 +1100
+Subject: urlfetch: and the other bit
+
+
+diff --git a/imap/index.c b/imap/index.c
+index f5161cd..da8ce3d 100644
+--- imap/index.c
++++ imap/index.c
+@@ -4244,7 +4244,8 @@ EXPORTED int index_urlfetch(struct index_state *state, uint32_t msgno,
+         size_t section_offset = CACHE_ITEM_BIT32(cacheitem);
+         size_t section_size = CACHE_ITEM_BIT32(cacheitem + CACHE_ITEM_SIZE_SKIP);
+ 
+-        if (section_offset + section_size > size) {
++        if (section_offset + section_size < section_offset
++            || section_offset + section_size > size) {
+             r = IMAP_INTERNAL;
+             goto done;
+         }
+-- 
+cgit v0.10.2
+



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201512011433.tB1EXWB4073432>