ports/99610: [patch] mutt imap browse buffer overflow; patch from the mutt repository
jpd at dsb.tudelft.nl
Thu Jun 29 14:51:09 UTC 2006
>Number: 99610
>Category: ports
>Synopsis: [patch] Mutt imap browse buffer overflow; patch from the mutt repository
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 29 14:50:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:
>Release: FreeBSD 5.4-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD prozac.local 5.4-RELEASE-p4 FreeBSD 5.4-RELEASE-p4 #0: Mon Aug 8 11:02:29 CEST 2005 root at prozac.local:/usr/src/sys/i386/compile/PROZACII i386
ports/mail/mutt 1.4.2.1
>Description:
Quoting http://www.securityfocus.com/bid/18642
Mutt is prone to a remote buffer-overflow vulnerability. This
issue is due to the application's failure to properly bounds-check
user-supplied input before copying it to an insufficiently sized
memory buffer.
This issue may allow remote attackers to execute arbitrary machine
code in the context of the affected application. Failed exploit
attempts will likely crash the application, denying further service to
legitimate users.
Mutt version 1.4.2.1 is reported to be vulnerable. Other versions may
be affected as well.
>How-To-Repeat:
>Fix:
The following is a patch taken from the mutt source repository, and
minimally adapted to work with the ports framework. Afterward, mutt
runs. I have verified neither the problem nor whether this fixes it.
From: brendan <brendan>
Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
Subject: From: TAKAHASHI Tamotsu <tamo at momonga-linux.org>
X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540
From: TAKAHASHI Tamotsu <tamo at momonga-linux.org>
Fix browse_get_namespace() which could overflow ns[LONG_STRING].
(Possible remote vulnerability)
---
--- imap/browse.c.orig
+++ imap/browse.c
@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
if (*s == '\"')
{
s++;
- while (*s && *s != '\"')
+ while (*s && *s != '\"' && n < sizeof (ns) - 1)
{
if (*s == '\\')
s++;
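Review bot: the new bound `n < sizeof (ns) - 1` stops the copy but leaves `s` pointing into the middle of an over-long quoted name instead of at the closing quote, so the unconditional `s++` that follows the loop (first line of the next hunk) skips a data byte rather than the quote and the remainder of the name is then parsed as the delimiter. Consider draining the rest of the quoted token once the bound is hit, e.g. `while (*s && *s != '\"') s++;` after the copy loop, so truncation only affects what is stored and not where parsing resumes. The escape branch `if (*s == '\\') s++;` also has no check that a byte follows the backslash; a string ending in a lone backslash leaves `s` on the terminator for the copy step that follows.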
@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
s++;
}
else
- while (*s && !ISSPACE (*s))
+ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
{
ns[n++] = *s;
s++;
}
ns[n] = '\0';
+ if (n == sizeof (ns) - 1)
+ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
/* delim? */
s = imap_next_word (s);
/* delimiter is meaningless if namespace is "". Why does
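Review bot: `n == sizeof (ns) - 1` is also true for a name that is exactly sizeof (ns) - 1 bytes long and was not truncated, so the "too long" debug message can fire on legitimate input; if the distinction matters, set a flag inside the loops when the bound rather than the closing quote or whitespace ended the copy. The unquoted branch has the same resume-position issue as the quoted one: after truncation `s` still points at the remaining characters of the name, so `imap_next_word (s)` returns the tail of the name instead of the delimiter. The `ns[n] = '\0'` write itself is now safe, since n can be at most sizeof (ns) - 1.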
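The bounded copy the patch introduces, as an added example (not mutt's code): a stand-alone `copy_namespace()` that extracts one NAMESPACE name the way the patched browse_get_namespace() does, but also consumes the rest of an over-long token so parsing resumes after it, and reports truncation only when a byte was actually dropped. The buffer size, function name and return values are this example's own assumptions; `nslen` must be at least 1.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not mutt's code. Copies one IMAP NAMESPACE name from s
 * into ns (nslen bytes, nslen >= 1): either a "quoted" string with
 * backslash escapes or a bare word ending at whitespace. The copy is
 * bounded so ns is never overrun; unlike the patch, the remainder of an
 * over-long token is scanned past so that *endp lands after the token.
 * Returns the number of bytes stored, sets *truncated when at least one
 * byte was dropped, and sets *endp to the first byte after the token. */
static size_t copy_namespace(const char *s, char *ns, size_t nslen,
                             int *truncated, const char **endp)
{
    size_t n = 0;
    int quoted = (*s == '"');

    *truncated = 0;
    if (quoted)
        s++;                          /* skip the opening quote */
    for (;;) {
        /* stop at end of input, closing quote, or whitespace (bare word) */
        if (!*s || (quoted ? *s == '"' : isspace((unsigned char)*s)))
            break;
        if (quoted && *s == '\\') {
            s++;                      /* escaped byte is taken literally */
            if (!*s)                  /* lone trailing backslash: stop here */
                break;
        }
        if (n < nslen - 1)
            ns[n++] = *s;             /* room left: store the byte */
        else
            *truncated = 1;           /* no room: drop it but keep scanning */
        s++;
    }
    if (quoted && *s == '"')
        s++;                          /* step over the closing quote */
    ns[n] = '\0';                     /* n <= nslen - 1, so always in bounds */
    if (endp)
        *endp = s;
    return n;
}
```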
>Release-Note:
>Audit-Trail:
>Unformatted: