From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Jul 1 21:03:54 2006
Message-Id: <1151784692.15503@charon.picobyte.net>
Date: Sat, 1 Jul 2006 21:11:32 +0100
From: Shaun Amott
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/99698: japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Shaun Amott
List-Id: Ports bug reports
X-List-Received-Date: Sat, 01 Jul 2006 21:03:54 -0000

>Number: 99698
>Category: ports
>Synopsis: japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 01 20:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Shaun Amott
>Release: FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
>Description:
Add patch to fix IMAP buffer overflow vulnerability:
http://www.vuxml.org/freebsd/d2a43243-087b-11db-bc36-0008743bf21a.html
>How-To-Repeat:
>Fix:
--- mutt-devel.diff begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/japanese/mutt-devel/Makefile,v retrieving revision 1.59 diff -u -r1.59 Makefile --- Makefile 9 May 2006 00:18:01 -0000 1.59 +++ Makefile 1 Jul 2006 20:06:41 -0000 @@ -9,7 +9,7 @@ PORTNAME= mutt-devel PORTVERSION= ${VERSION}.j${JP_VERSION} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= japanese mail MASTER_SITES= http://www.emaillab.org/mutt/1.5/ \ http://my.reset.jp/~iwashita/mutt/distfiles/ \ Index: files/patch-imap_browse.c =================================================================== RCS file: files/patch-imap_browse.c diff -N files/patch-imap_browse.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-imap_browse.c 1 Jul 2006 20:06:41 -0000 
@@ -0,0 +1,27 @@ +--- imap/browse.c.orig Wed Nov 5 09:41:36 2003 ++++ imap/browse.c Sat Jul 1 20:47:53 2006 +@@ -452,7 +452,7 @@ + if (*s == '\"') + { + s++; +- while (*s && *s != '\"') ++ while (*s && *s != '\"' && n < sizeof (ns) - 1) + { + if (*s == '\\') + s++; +@@ -463,12 +463,14 @@ + s++; + } + else +- while (*s && !ISSPACE (*s)) ++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) + { + ns[n++] = *s; + s++; + } + ns[n] = '\0'; ++ if (n == sizeof (ns) - 1) ++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); + /* delim? */ + s = imap_next_word (s); + /* delimiter is meaningless if namespace is "". Why does --- mutt-devel.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
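Review bot: In the imap/browse.c hunk at -452, the quoted-string loop now stops at `n < sizeof (ns) - 1` but leaves `s` in the middle of an over-long quoted namespace. The `s++` shown as context at the top of the next hunk, which appears to step over the closing quote, then skips a namespace character instead, and the `/* delim? */` parse starts from the unread remainder of the quoted string. Consider continuing to advance `s` to the closing quote without storing into `ns` once the limit is reached, or abandoning the parse of this response when the name does not fit.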
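Review bot: In the imap/browse.c hunk at -463, truncation is reported only through `dprint (1, ...)` after `ns[n] = '\0'`, and the code then carries on to `s = imap_next_word (s)` with the shortened `ns`, so a build or run without debug output silently uses a namespace the server never sent. Treating this case as a parse failure, or at least skipping the entry, would be safer than continuing. The test `n == sizeof (ns) - 1` is also true for a name that is exactly that long and fit completely; checking whether the loop stopped on the size bound (for the unquoted branch, `*s && !ISSPACE (*s)` still holding) would avoid logging "too long" for a name that was copied whole.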