Date: Thu, 29 Jun 2006 16:04:50 +0200
From: jpd@dsb.tudelft.nl
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: udo.schweigert@siemens.com, security-officer@FreeBSD.org
Subject: ports/99610: [patch] mutt imap browse buffer overflow; patch from the mutt repository
Message-ID: <20060629140450.GA12971@vvtp.tudelft.nl>
Resent-Message-ID: <200606291450.k5TEoFpN074814@freefall.freebsd.org>
>Number: 99610
>Category: ports
>Synopsis: [patch] Mutt imap browse buffer overflow; patch from the mutt repository
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 29 14:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:
>Release: FreeBSD 5.4-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD prozac.local 5.4-RELEASE-p4 FreeBSD 5.4-RELEASE-p4 #0: Mon Aug 8 11:02:29 CEST 2005 root@prozac.local:/usr/src/sys/i386/compile/PROZACII i386
ports/mail/mutt 1.4.2.1
>Description:
Quoting http://www.securityfocus.com/bid/18642

Mutt is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

Mutt version 1.4.2.1 is reported to be vulnerable. Other versions may be affected as well.
>How-To-Repeat:
>Fix:
The following is a patch taken from the mutt source repository, and minimally adapted to work with the ports framework. Afterward, mutt runs. I have verified neither the problem nor whether this fixes it.

From: brendan <brendan>
Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540

From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>

Fix browse_get_namespace() which could overflow ns[LONG_STRING]. (Possible remote vulnerability)
---
--- imap/browse.c.orig +++ imap/browse.c
@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA if (*s == '\"') { s++; - while (*s && *s != '\"') + while (*s && *s != '\"' && n < sizeof (ns) - 1) { if (*s == '\\') s++; @@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA s++; } else - while (*s && !ISSPACE (*s)) + while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) { ns[n++] = *s; s++; } ns[n] = '\0'; + if (n == sizeof (ns) - 1) + dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); /* delim? */ s = imap_next_word (s); /* delimiter is meaningless if namespace is "". Why does >Release-Note: >Audit-Trail: >Unformatted:
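Review bot: in the first hunk (the quoted-namespace loop at -505), the added bound `n < sizeof (ns) - 1` is evaluated once per iteration and each iteration stores at most one byte into `ns`, so the write is now safely bounded; however the unchanged escape handling `if (*s == '\\') s++;` advances `s` without re-testing `*s`, so for a token ending in a lone backslash the pointer moves past the terminating NUL before the loop condition is seen again. The lines that follow `s++` inside this loop are outside the hunk, so it is worth confirming they check `*s` before storing it; since the hunk already touches this loop, guarding the escape with `if (*s == '\\' && s[1]) s++;` would close that read without changing the fix.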
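Review bot: in the second hunk (-516), when either copy loop stops because `n` reached `sizeof (ns) - 1`, `s` is left pointing into the middle of the over-long namespace token, but the only reaction is `dprint (1, ...)` (visible solely at debug level 1, so silent in normal operation) and parsing then continues with `s = imap_next_word (s)`, which will treat the leftover tail of the namespace as the delimiter and subsequent fields. A namespace that does not fit in `ns` cannot be represented correctly, so it would be safer to treat truncation as a parse failure and return rather than just log, for example `if (n == sizeof (ns) - 1) return -1;` (assuming the function's existing error convention is a negative return, which is not visible in the hunk), or at minimum advance `s` past the closing quote or next whitespace before continuing.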