From owner-freebsd-security Thu Jul 30 04:42:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA24630 for freebsd-security-outgoing; Thu, 30 Jul 1998 04:42:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cons.org (knight.cons.org [194.233.237.86]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA24623; Thu, 30 Jul 1998 04:42:13 -0700 (PDT) (envelope-from cracauer@cons.org)
Received: (from cracauer@localhost) by cons.org (8.8.8/8.7.3) id NAA12444; Thu, 30 Jul 1998 13:42:02 +0200 (CEST)
Message-ID: <19980730134201.A12433@cons.org>
Date: Thu, 30 Jul 1998 13:42:01 +0200
From: Martin Cracauer
To: obrien@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: mutt security fix
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David,

[CC to -security for those who care]

This is from http://paul.boehm.org/mutt-parse.patch. It fixes a remotely exploitable buffer overrun in MIME subtype checking.

As the mutt folks didn't react yet, I suggest you commit it to the mutt port.

--- parse.c.old Tue Jul 28 18:25:50 1998 +++ parse.c Tue Jul 28 18:25:56 1998 @@ -268,7 +268,7 @@ if ((pc = strchr(s, '/'))) { *pc++ = 0; - while (*pc && !ISSPACE (*pc) && *pc != ';') + while (*pc && !ISSPACE (*pc) && *pc != ';' && i < (SHORT_STRING - 1)) { buffer[i++] = *pc; pc++;

--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer http://www.cons.org/cracauer
cracauer@wavehh.hanse.de (batched, preferred for large mails)
Tel.: (private) +4940 5221829 Fax.: (private) +4940 5228536
Paper: (private) Waldstrasse 200, 22846 Norderstedt, Germany

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
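
Review bot: The new bound in the while condition, i < (SHORT_STRING - 1), is tied to a constant rather than to the array it protects, and the declaration of buffer lies outside the context shown, so the hunk alone does not show that the two sizes match. If buffer is an array in this scope, sizeof (buffer) - 1 would keep the check correct should its size ever change. Also note that an overlong subtype is now silently truncated and pc is left in the middle of the token when the loop exits; it is worth confirming that the code after the loop terminates buffer and does not treat the unread remainder as the start of the parameters, or else rejecting an oversized subtype outright.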