ports/99698: japanese/mutt-devel: Fix IMAP buffer overflow vulnerability

Shaun Amott shaun at FreeBSD.org
Sat Jul 1 21:03:54 UTC 2006 

>Number:         99698
>Category:       ports
>Synopsis:       japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 01 20:40:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Shaun Amott
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:

>Description:

Add patch to fix IMAP buffer overflow vulnerability:
  http://www.vuxml.org/freebsd/d2a43243-087b-11db-bc36-0008743bf21a.html

>How-To-Repeat:

>Fix:

--- mutt-devel.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/japanese/mutt-devel/Makefile,v
retrieving revision 1.59
diff -u -r1.59 Makefile
--- Makefile	9 May 2006 00:18:01 -0000	1.59
+++ Makefile	1 Jul 2006 20:06:41 -0000
@@ -9,7 +9,7 @@
 
 PORTNAME=	mutt-devel
 PORTVERSION=	${VERSION}.j${JP_VERSION}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	japanese mail
 MASTER_SITES=	http://www.emaillab.org/mutt/1.5/ \
 		http://my.reset.jp/~iwashita/mutt/distfiles/ \
Index: files/patch-imap_browse.c
===================================================================
RCS file: files/patch-imap_browse.c
diff -N files/patch-imap_browse.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-imap_browse.c	1 Jul 2006 20:06:41 -0000
@@ -0,0 +1,27 @@
+--- imap/browse.c.orig	Wed Nov  5 09:41:36 2003
++++ imap/browse.c	Sat Jul  1 20:47:53 2006
+@@ -452,7 +452,7 @@
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
++	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -463,12 +463,14 @@
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
++	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
++	    if (n == sizeof (ns) - 1)
++	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
--- mutt-devel.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list