List: openpkg-cvs
Subject: [CVS] OpenPKG: OPENPKG_2_1_SOLID: openpkg-src/imapd/ imapd.patch imapd...
From: "Thomas Lotterer" <thl () openpkg ! org>
Date: 2004-11-29 15:35:00
Message-ID: 20041129153500.0E3E1300212 () mail ! openpkg ! org
OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: thl@openpkg.org
Module: openpkg-src Date: 29-Nov-2004 16:35:00
Branch: OPENPKG_2_1_SOLID Handle: 2004112915350000
Modified files: (Branch: OPENPKG_2_1_SOLID)
openpkg-src/imapd imapd.patch imapd.spec
Log:
SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013,
CAN-2004-1015 and more
Summary:
Revision Changes Path
1.11.2.1 +140 -1 openpkg-src/imapd/imapd.patch
1.122.2.2 +1 -1 openpkg-src/imapd/imapd.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.patch
============================================================================
$ cvs diff -u -r1.11 -r1.11.2.1 imapd.patch
--- openpkg-src/imapd/imapd.patch 28 Mar 2004 21:48:01 -0000 1.11
+++ openpkg-src/imapd/imapd.patch 29 Nov 2004 15:35:00 -0000 1.11.2.1
@@ -41,7 +41,7 @@
+++ perl/sieve/lib/isieve.c 2004-02-02 20:01:21.000000000 +0100
@@ -41,9 +41,7 @@
- /* $Id: imapd.patch,v 1.11 2004/03/28 21:48:01 thl Exp $ */
+ /* $Id: imapd.patch,v 1.11.2.1 2004/11/29 15:35:00 thl Exp $ */
-#ifdef HAVE_CONFIG_H
-#include <config.h>
@@ -92,3 +92,142 @@
namelen = cp - name;
+Assembled from Pine.LNX.4.58.0411231531110.2382@wotan.suse.de
+Discussion between Stefan Esser, Derrick J Brashear and Sebastian Krahmer
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
+ Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow
+ 2.2.4 - 2.2.8
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -286,6 +286,11 @@
+ if (!ulen) ulen = strlen(user);
+
+ if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
++ if (ulen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
++ return SASL_BUFOVER;
++ }
++
+ /* make a working copy of the auth[z]id */
+ memcpy(userbuf, user, ulen);
+ userbuf[ulen] = '\0';
+@@ -345,6 +350,11 @@
+
+ /* make a working copy of the authzid */
+ if (!rlen) rlen = strlen(requested_user);
++ if (rlen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while proxying");
++ return SASL_BUFOVER;
++ }
++
+ memcpy(userbuf, requested_user, rlen);
+ userbuf[rlen] = '\0';
+ requested_user = userbuf;
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
+ Cyrus IMAP Server - PARTIAL out of bounds memory corruption
+ <= 2.2.6 ([thl: bug exists but] unexploitable in 2.2.7 + 2.2.8)
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -3154,7 +3168,7 @@
+ else if (!strncmp(data, "body[", 5) ||
+ !strncmp(data, "body.peek[", 10)) {
+ p = section = data + 5;
+- if (*p == 'p') {
++ if (!strncmp(p, "peek[", 5)) {
+ p = section += 5;
+ }
+ else {
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
+ Cyrus IMAP Server - FETCH out of bounds memory corruption
+ <= 2.2.8
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -2770,10 +2784,10 @@
+ int binsize = 0;
+
+ p = section = fetchatt.s + 7;
+- if (*p == 'P') {
++ if (!strncmp(p, "PEEK[", 5)) {
+ p = section += 5;
+ }
+- else if (*p == 'S') {
++ else if (!strncmp(p, "SIZE[", 5)) {
+ p = section += 5;
+ binsize = 1;
+ }
+@@ -2813,7 +2827,7 @@
+ else if (!strncmp(fetchatt.s, "BODY[", 5) ||
+ !strncmp(fetchatt.s, "BODY.PEEK[", 10)) {
+ p = section = fetchatt.s + 5;
+- if (*p == 'P') {
++ if (!strncmp(p, "PEEK[", 5)) {
+ p = section += 5;
+ }
+ else {
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
+ Proxyd.c contains a IMAPMAGICPLUS overflow in its proxyd_canon_user function
+ <= 2.2.9
+--- imap/proxyd.c.orig 2004-11-23 14:42:37.000000000 +0100
++++ imap/proxyd.c 2004-11-23 15:00:56.000000000 +0100
+@@ -1032,6 +1032,10 @@
+
+ if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
+ /* make a working copy of the auth[z]id */
++ if (ulen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
++ return SASL_BUFOVER;
++ }
+ memcpy(userbuf, user, ulen);
+ userbuf[ulen] = '\0';
+ user = userbuf;
+@@ -1090,6 +1094,11 @@
+
+ /* make a working copy of the authzid */
+ if (!rlen) rlen = strlen(requested_user);
++
++ if (rlen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while proxying");
++ return SASL_BUFOVER;
++ }
+ memcpy(userbuf, requested_user, rlen);
+ userbuf[rlen] = '\0';
+ requested_user = userbuf;
+
+missing 0-termination in global.c
+ <= 2.2.10
+--- imap/global.c.orig 2004-11-23 15:01:50.000000000 +0100
++++ imap/global.c 2004-11-23 15:23:53.000000000 +0100
+@@ -427,12 +427,12 @@
+ return SASL_BADAUTH;
+ }
+ *out_ulen = strlen(canonuser);
+- if (*out_ulen > out_max) {
++ if (*out_ulen >= out_max) {
+ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
+ return SASL_BUFOVER;
+ }
+
+- strncpy(out, canonuser, out_max);
++ strcpy(out, canonuser);
+
+ return SASL_OK;
+ }
+
+intwrap in cmd_append() and post increment glitches
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -3314,7 +3328,8 @@
+ flag = (char **)xrealloc((char *)flag,
+ flagalloc*sizeof(char *));
+ }
+- flag[nflags++] = xstrdup(flagname.s);
++ flag[nflags] = xstrdup(flagname.s);
++ nflags++;
+ }
+
+ flagsparsed++;
+
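Review bot: The four new length guards (`ulen > MAX_MAILBOX_NAME` and `rlen > MAX_MAILBOX_NAME` in the imap/imapd.c and imap/proxyd.c sections) still accept a length equal to MAX_MAILBOX_NAME, so the following `userbuf[ulen] = '\0'` / `userbuf[rlen] = '\0'` writes at index MAX_MAILBOX_NAME. That is in bounds only if userbuf is declared with at least MAX_MAILBOX_NAME+1 bytes; the declaration lies outside these hunks, so it should be confirmed, or the guard tied to the buffer itself, e.g. `if (ulen >= sizeof(userbuf)) {` where userbuf is an array in scope. The imap/global.c section of the same patch already uses the stricter form (`*out_ulen >= out_max`) to leave room for that terminator byte. Separately, the last section is titled as an integer-wrap fix for cmd_append(), but the only visible change is splitting `flag[nflags++]`; the `flagalloc*sizeof(char *)` size passed to xrealloc is unchanged context, so the wrap appears to remain unless flagalloc is bounded in code outside the hunk.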
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.spec
============================================================================
$ cvs diff -u -r1.122.2.1 -r1.122.2.2 imapd.spec
--- openpkg-src/imapd/imapd.spec 2 Jul 2004 15:25:26 -0000 1.122.2.1
+++ openpkg-src/imapd/imapd.spec 29 Nov 2004 15:35:00 -0000 1.122.2.2
@@ -34,7 +34,7 @@
Group: Mail
License: BSD
Version: 2.2.6
-Release: 2.1.0
+Release: 2.1.1
# package options
%option with_fsl yes
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org