From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Jun 29 14:51:09 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8C3A16A412 for ; Thu, 29 Jun 2006 14:51:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 060C143EAE for ; Thu, 29 Jun 2006 14:50:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k5TEoF7k074815 for ; Thu, 29 Jun 2006 14:50:15 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k5TEoFpN074814; Thu, 29 Jun 2006 14:50:15 GMT (envelope-from gnats)
Resent-Date: Thu, 29 Jun 2006 14:50:15 GMT
Resent-Message-Id: <200606291450.k5TEoFpN074814@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, jpd@dsb.tudelft.nl
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C775C16A494; Thu, 29 Jun 2006 14:40:41 +0000 (UTC) (envelope-from jpd@vvtp.tudelft.nl)
Received: from vvtp.tudelft.nl (vvtp.tn.tudelft.nl [130.161.252.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id CA62E44019; Thu, 29 Jun 2006 14:04:59 +0000 (GMT) (envelope-from jpd@vvtp.tudelft.nl)
Received: from jpd by vvtp.tudelft.nl with local (Exim 4.50) id 1Fvx8U-0003fz-7G; Thu, 29 Jun 2006 16:04:50 +0200
Message-Id: <20060629140450.GA12971@vvtp.tudelft.nl>
Date: Thu, 29 Jun 2006 16:04:50 +0200
From: jpd@dsb.tudelft.nl
Sender: "J.P. Dinger"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: udo.schweigert@siemens.com, security-officer@FreeBSD.org
Subject: ports/99610: [patch] mutt imap browse buffer overflow; patch from the mutt repository
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jpd@dsb.tudelft.nl
List-Id: Ports bug reports
X-List-Received-Date: Thu, 29 Jun 2006 14:51:09 -0000

>Number:         99610
>Category:       ports
>Synopsis:       [patch] Mutt imap browse buffer overflow; patch from the mutt repository
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 29 14:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:
>Release:        FreeBSD 5.4-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD prozac.local 5.4-RELEASE-p4 FreeBSD 5.4-RELEASE-p4 #0: Mon Aug 8 11:02:29 CEST 2005 root@prozac.local:/usr/src/sys/i386/compile/PROZACII i386
ports/mail/mutt 1.4.2.1
>Description:
Quoting http://www.securityfocus.com/bid/18642

Mutt is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users. Mutt version 1.4.2.1 is reported to be vulnerable. Other versions may be affected as well.
>How-To-Repeat:
>Fix:
The following is a patch taken from the mutt source repository, and minimally adapted to work with the ports framework. Afterward, mutt runs. I have verified neither the problem nor whether this fixes it.
From: brendan Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000) Subject: From: TAKAHASHI Tamotsu X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540 From: TAKAHASHI Tamotsu Fix browse_get_namespace() which could overflow ns[LONG_STRING]. (Possible remote vulnerability) --- --- imap/browse.c.orig +++ imap/browse.c @@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA if (*s == '\"') { s++; - while (*s && *s != '\"') + while (*s && *s != '\"' && n < sizeof (ns) - 1) { if (*s == '\\') s++; @@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA s++; } else - while (*s && !ISSPACE (*s)) + while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) { ns[n++] = *s; s++; } ns[n] = '\0'; + if (n == sizeof (ns) - 1) + dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); /* delim? */ s = imap_next_word (s); /* delimiter is meaningless if namespace is "". Why does >Release-Note: >Audit-Trail: >Unformatted:
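Review bot: the added `n < sizeof (ns) - 1` guards stop the write at the buffer boundary, which closes the overflow, but when the limit is hit both loops exit in the middle of the token: in the quoted branch the scan stops before the closing quote, and in the bare branch before the terminating whitespace, so the following `s = imap_next_word (s)` reads the leftover bytes of the over-long namespace as the delimiter field and parsing of the rest of the NAMESPACE response goes out of step. The new `dprint (1, ...)` only records this in the debug log and the caller still receives the truncated `ns` as if it were valid. Suggest consuming the remainder of the token (up to the closing quote or next whitespace) when `n == sizeof (ns) - 1` is reached, or returning an error from `browse_get_namespace` instead of continuing with a silently truncated value.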
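As an added example (not mutt's code and not part of this PR), here is a stand-alone C version of the token scan that keeps the patch's `n < nslen - 1` bound but also consumes the rest of an over-long token and reports the truncation to the caller, so the delimiter parse that follows stays aligned; the function and enum names and the 8-byte test buffer are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Outcome of scanning one namespace token (names made up for this example). */
enum ns_result { NS_OK, NS_TRUNCATED, NS_UNTERMINATED };

/* Copy one token, quoted (backslash escapes) or bare, from *sp into ns,
 * writing at most nslen-1 bytes plus the NUL (nslen must be >= 1). An
 * over-long token is still scanned to its end, so *sp ends up at the
 * delimiter field and the caller learns that the value was cut short. */
static enum ns_result read_namespace_token(const char **sp, char *ns, size_t nslen)
{
  const char *s = *sp;
  size_t n = 0;
  enum ns_result rc = NS_OK;
  int quoted = (*s == '"');

  if (quoted)
    s++;
  while (*s && (quoted ? *s != '"' : !isspace((unsigned char) *s)))
  {
    if (quoted && *s == '\\' && s[1])  /* escaped byte: take the next one literally */
      s++;
    if (n < nslen - 1)
      ns[n++] = *s;
    else
      rc = NS_TRUNCATED;               /* drop the byte but keep consuming the token */
    s++;
  }
  if (quoted && *s == '"')
    s++;                               /* step past the closing quote */
  else if (quoted)
    rc = NS_UNTERMINATED;              /* input ended before the closing quote */
  ns[n] = '\0';
  *sp = s;
  return rc;
}

/* Test helper: scan `in` into a deliberately tiny 8-byte buffer and compare
 * the result code, the stored token and the unconsumed remainder. */
static int token_case(const char *in, enum ns_result want_rc, const char *want_ns, const char *want_rest)
{
  char ns[8];
  enum ns_result rc = read_namespace_token(&in, ns, sizeof ns);
  return rc == want_rc && strcmp(ns, want_ns) == 0 && strcmp(in, want_rest) == 0;
}
```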