Date: Sat, 1 Jul 2006 21:10:05 +0100 From: Shaun Amott <shaun@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/99700: japanese/mutt: Fix IMAP buffer overflow vulnerability Message-ID: <1151784605.15417@charon.picobyte.net> Resent-Message-ID: <200607012110.k61LAKVM022997@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 99700 >Category: ports >Synopsis: japanese/mutt: Fix IMAP buffer overflow vulnerability >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jul 01 21:10:20 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Shaun Amott >Release: FreeBSD 6.1-STABLE i386 >Organization: >Environment: >Description: Add patch to fix IMAP buffer overflow vulnerability: http://www.vuxml.org/freebsd/d2a43243-087b-11db-bc36-0008743bf21a.html >How-To-Repeat: >Fix: --- mutt.diff begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/japanese/mutt/Makefile,v retrieving revision 1.36 diff -u -r1.36 Makefile --- Makefile 9 May 2006 00:18:01 -0000 1.36 +++ Makefile 1 Jul 2006 20:06:28 -0000 @@ -9,7 +9,7 @@ PORTNAME= mutt PORTVERSION= ${VERSION}.j${JP_VERSION} -#PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= japanese mail MASTER_SITES= http://www.emaillab.org/mutt/1.4/ \ http://my.reset.jp/~iwashita/mutt/distfiles/ \ Index: files/patch-imap_browse.c =================================================================== RCS file: files/patch-imap_browse.c diff -N files/patch-imap_browse.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-imap_browse.c 1 Jul 2006 20:06:28 -0000 @@ -0,0 +1,27 @@ +--- imap/browse.c.orig Tue Feb 26 10:38:56 2002 ++++ imap/browse.c Sat Jul 1 20:18:02 2006 +@@ -452,7 +452,7 @@ + if (*s == '\"') + { + s++; +- while (*s && *s != '\"') ++ while (*s && *s != '\"' && n < sizeof (ns) - 1) + { + if (*s == '\\') + s++; +@@ -463,12 +463,14 @@ + s++; + } + else +- while (*s && !ISSPACE (*s)) ++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) + { + ns[n++] = *s; + s++; + } + ns[n] = '\0'; ++ if (n == sizeof (ns) - 1) ++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); + /* delim? */ + s = imap_next_word (s); + /* delimiter is meaningless if namespace is "". Why does --- mutt.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1151784605.15417>