ports/74318: version update and security patch to mail/up-imapproxy port
Guy Antony Halse
guy at rucus.net
Wed Nov 24 14:50:33 UTC 2004
>Number: 74318
>Category: ports
>Synopsis: version update and security patch to mail/up-imapproxy port
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 24 14:50:31 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Guy Antony Halse
>Release: FreeBSD 5.3-RELEASE i386
>Organization:
Rhodes University
>Environment:
System: FreeBSD walrus.ru.ac.za 5.3-RELEASE FreeBSD 5.3-RELEASE #8: Sun Nov 7 16:52:41 SAST 2004 guy at walrus.ru.ac.za:/usr/obj/usr/src/sys/WALRUS i386
>Description:
The current version of the mail/up-imapproxy port is out-of-date. It also
contains a security vulnerability that allows a remote users to crash the
daemon, resulting in a denial of service. This vulnerability is detailed in
several places, including
http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt,
http://www.securityfocus.com/bid/11630,
http://www.securiteam.com/unixfocus/6V00E20BPM.html, etc.
While there is no patch for the vulnerability available from the original
site (http://www.imapproxy.org/), PacketStorm have made one available at
http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt. The
diff in the Fix: section includes this patch with the paths reworked to
apply cleanly.
The Fix: diff also increments the version number to install the latest
available stable version.
>How-To-Repeat:
Nessus's IMAP buffer overrun test (ID #10125) will crash the in.imapproxyd
daemon as will anything that performs the same sort of test.
>Fix:
diff -ruN up-imapproxy.old/Makefile up-imapproxy/Makefile
--- up-imapproxy.old/Makefile Fri Jun 4 19:29:25 2004
+++ up-imapproxy/Makefile Wed Nov 24 16:18:04 2004
@@ -6,11 +6,10 @@
#
PORTNAME= up-imapproxy
-PORTVERSION= 1.2.1
+PORTVERSION= 1.2.2
CATEGORIES= mail
MASTER_SITES= http://www.imapproxy.org/downloads/
DISTNAME= ${PORTNAME}-${PORTVERSION}
-EXTRACT_SUFX= .tar.gz
MAINTAINER= mbr at FreeBSD.org
COMMENT= A caching IMAP proxy server
diff -ruN up-imapproxy.old/Makefile~ up-imapproxy/Makefile~
--- up-imapproxy.old/Makefile~ Thu Jan 1 02:00:00 1970
+++ up-imapproxy/Makefile~ Wed Nov 24 16:18:04 2004
@@ -0,0 +1,41 @@
+# New ports collection makefile for: imapproxy
+# Date created: 11.05.04
+# Whom: Martin Blapp
+#
+# $FreeBSD: ports/mail/up-imapproxy/Makefile,v 1.2 2004/06/04 17:29:25 ade Exp $
+#
+
+PORTNAME= up-imapproxy
+PORTVERSION= 1.2.2
+CATEGORIES= mail
+MASTER_SITES= http://www.imapproxy.org/downloads/
+DISTNAME= ${PORTNAME}-${PORTVERSION}
+EXTRACT_SUFX= .tar.gz
+
+MAINTAINER= mbr at FreeBSD.org
+COMMENT= A caching IMAP proxy server
+
+GNU_CONFIGURE= YES
+USE_AUTOCONF_VER=213
+USE_RC_SUBR= YES
+
+SAMPLE_EXT= sample
+
+.include <bsd.port.pre.mk>
+
+RC_SCRIPTS_SUB= PREFIX=${PREFIX} \
+ RC_SUBR=${RC_SUBR}
+
+post-install:
+ @${SED} ${RC_SCRIPTS_SUB:S/$/!g/:S/^/ -e s!%%/:S/=/%%!/} \
+ < ${FILESDIR}/imapproxyd.conf > ${WRKSRC}/imapproxyd.conf ;
+ @if [ ! -f ${PREFIX}/etc/imapproxyd.conf ]; then \
+ ${INSTALL} -c ${WRKSRC}/imapproxyd.conf ${PREFIX}/etc/imapproxyd.conf ; \
+ fi
+ ${INSTALL} -c ${WRKSRC}/scripts/imapproxy.conf ${PREFIX}/etc/imapproxyd.conf.${SAMPLE_EXT} ;
+ @${SED} ${RC_SCRIPTS_SUB:S/$/!g/:S/^/ -e s!%%/:S/=/%%!/} \
+ < ${FILESDIR}/imapproxyd.sh > ${WRKSRC}/imapproxyd.sh
+ ${INSTALL_SCRIPT} ${WRKSRC}/imapproxyd.sh ${PREFIX}/etc/rc.d/imapproxyd.sh
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
diff -ruN up-imapproxy.old/distinfo up-imapproxy/distinfo
--- up-imapproxy.old/distinfo Wed May 12 14:47:18 2004
+++ up-imapproxy/distinfo Wed Nov 24 16:00:07 2004
@@ -1,2 +1,2 @@
-MD5 (up-imapproxy-1.2.1.tar.gz) = debd3edeb7441b9f713aaa9e9d7f2329
-SIZE (up-imapproxy-1.2.1.tar.gz) = 111393
+MD5 (up-imapproxy-1.2.2.tar.gz) = cad615ad5825bfa565e0bf1ae1de2331
+SIZE (up-imapproxy-1.2.2.tar.gz) = 116868
diff -ruN up-imapproxy.old/files/patch-packetsecurity up-imapproxy/files/patch-packetsecurity
--- up-imapproxy.old/files/patch-packetsecurity Thu Jan 1 02:00:00 1970
+++ up-imapproxy/files/patch-packetsecurity Wed Nov 24 16:04:44 2004
@@ -0,0 +1,282 @@
+From http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt
+
+diff -ru up-imapproxy-1.2.2/include/imapproxy.h up-imapproxy-1.2.2-fixed/include/imapproxy.h
+--- include/imapproxy.h 2004-07-23 16:17:24.000000000 +0300
++++ include/imapproxy.h.orig 2004-11-07 18:51:00.000000000 +0200
+@@ -206,7 +206,7 @@
+ char ReadBuf[ BUFSIZE ]; /* Read Buffer */
+ unsigned int BytesInReadBuffer; /* bytes left in read buffer */
+ unsigned int ReadBytesProcessed; /* bytes already processed in read buf */
+- long LiteralBytesRemaining; /* num of bytes left to read as literal */
++ unsigned long LiteralBytesRemaining;/* num of bytes left to read as literal */
+ unsigned char NonSyncLiteral; /* rfc2088 alert flag */
+ unsigned char MoreData; /* flag to tell caller "more data" */
+ unsigned char TraceOn; /* trace this transaction? */
+@@ -304,7 +304,7 @@
+ */
+ extern int IMAP_Write( ICD_Struct *, const void *, int );
+ extern int IMAP_Read( ICD_Struct *, void *, int );
+-extern int IMAP_Line_Read( ITD_Struct * );
++extern int IMAP_Line_Read( ITD_Struct *, int );
+ extern int IMAP_Literal_Read( ITD_Struct * );
+ extern void HandleRequest( int );
+ extern char *memtok( char *, char *, char ** );
+diff -ru up-imapproxy-1.2.2/src/imapcommon.c up-imapproxy-1.2.2-fixed/src/imapcommon.c
+--- src/imapcommon.c 2004-07-23 16:17:25.000000000 +0300
++++ src/imapcommon.c.orig 2004-11-07 18:54:05.000000000 +0200
+@@ -428,7 +428,7 @@
+
+ /* Read & throw away the banner line from the server */
+
+- if ( IMAP_Line_Read( &Server ) == -1 )
++ if ( IMAP_Line_Read( &Server, 0 ) == -1 )
+ {
+ syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: No banner line received from IMAP server", Username, ClientAddr, sin_port );
+ goto fail;
+@@ -451,7 +451,7 @@
+ /*
+ * Read the server response
+ */
+- if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++ if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ {
+ syslog(LOG_INFO, "STARTTLS failed: No response from IMAP server after sending STARTTLS command" );
+ goto fail;
+@@ -555,7 +555,7 @@
+ /*
+ * the server response should be a go ahead
+ */
+- if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++ if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ {
+ syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: Failed to receive go-ahead from IMAP server after sending LOGIN command", Username, ClientAddr, sin_port );
+ goto fail;
+@@ -611,7 +611,7 @@
+ */
+ for ( ;; )
+ {
+- if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++ if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ {
+ syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: No response from IMAP server after sending LOGIN command", Username, ClientAddr, sin_port );
+ goto fail;
+@@ -951,7 +951,8 @@
+ extern int IMAP_Literal_Read( ITD_Struct *ITD )
+ {
+ char *fn = "IMAP_Literal_Read()";
+- int Status, i, j;
++ int Status;
++ unsigned int i, j;
+ struct pollfd fds[2];
+ nfds_t nfds;
+ int pollstatus;
+@@ -1080,10 +1081,11 @@
+ * process.
+ *--
+ */
+-extern int IMAP_Line_Read( ITD_Struct *ITD )
++extern int IMAP_Line_Read( ITD_Struct *ITD, int useLiterals )
+ {
+ char *CP;
+- int Status, i, j;
++ int Status;
++ unsigned int i, j;
+ char *fn = "IMAP_Line_Read()";
+ char *EndOfBuffer;
+
+@@ -1152,7 +1154,8 @@
+ * string literal is coming next. How do we know?
+ * If it is, the line will end with {bytecount}.
+ */
+- if ( ((CP - ITD->ReadBuf + 1) > 2 ) && ( *(CP - 2) == '}' ))
++ if ( ((CP - ITD->ReadBuf + 1) > 2 ) && ( *(CP - 2) == '}' )
++ && useLiterals)
+ {
+ char *LiteralEnd;
+ char *LiteralStart;
+diff -ru up-imapproxy-1.2.2/src/main.c up-imapproxy-1.2.2-fixed/src/main.c
+--- src/main.c 2004-07-23 16:17:25.000000000 +0300
++++ src/main.c.orig 2004-11-07 18:52:41.000000000 +0200
+@@ -931,7 +931,7 @@
+ * The first thing we get back from the server should be the
+ * banner string.
+ */
+- BytesRead = IMAP_Line_Read( &itd );
++ BytesRead = IMAP_Line_Read( &itd, 0 );
+ if ( BytesRead == -1 )
+ {
+ syslog( LOG_ERR, "%s: Error reading banner line from server on initial connection: %s -- Exiting.", fn, strerror( errno ) );
+@@ -973,7 +973,7 @@
+ * The second will be the OK response with the tag in it.
+ */
+
+- BytesRead = IMAP_Line_Read( &itd );
++ BytesRead = IMAP_Line_Read( &itd, 0 );
+ if ( BytesRead == -1 )
+ {
+ syslog( LOG_ERR, "%s: Failed to read capability response from server: %s -- exiting.", fn, strerror( errno ) );
+@@ -986,7 +986,7 @@
+
+
+ /* Now read the tagged response and make sure it's OK */
+- BytesRead = IMAP_Line_Read( &itd );
++ BytesRead = IMAP_Line_Read( &itd, 0 );
+ if ( BytesRead == -1 )
+ {
+ syslog( LOG_ERR, "%s: Failed to read capability response from server: %s -- exiting.", fn, strerror( errno ) );
+@@ -1011,7 +1011,7 @@
+ }
+
+ /* read the final OK logout */
+- BytesRead = IMAP_Line_Read( &itd );
++ BytesRead = IMAP_Line_Read( &itd, 0 );
+ if ( BytesRead == -1 )
+ {
+ syslog(LOG_WARNING, "%s: IMAP_Line_Read() failed on LOGOUT -- Ignoring", fn );
+diff -ru up-imapproxy-1.2.2/src/request.c up-imapproxy-1.2.2-fixed/src/request.c
+--- src/request.c 2004-07-23 16:17:26.000000000 +0300
++++ src/request.c.orig 2004-11-07 19:05:09.000000000 +0200
+@@ -433,6 +433,7 @@
+ }
+
+ strncpy( TraceUser, Username, sizeof TraceUser - 1 );
++ TraceUser[sizeof TraceUser - 1] = '\0';
+
+ snprintf( SendBuf, BufLen, "%s OK Tracing enabled\r\n", Tag );
+ if ( IMAP_Write( itd->conn, SendBuf, strlen(SendBuf) ) == -1 )
+@@ -611,7 +612,7 @@
+ * The response from the client should be a base64 encoded version of the
+ * username.
+ */
+- BytesRead = IMAP_Line_Read( Client );
++ BytesRead = IMAP_Line_Read( Client, 0 );
+
+ if ( BytesRead == -1 )
+ {
+@@ -654,7 +655,7 @@
+ return( -1 );
+ }
+
+- BytesRead = IMAP_Line_Read( Client );
++ BytesRead = IMAP_Line_Read( Client, 0 );
+
+ if ( BytesRead == -1 )
+ {
+@@ -1097,7 +1098,7 @@
+ {
+ do
+ {
+- status = IMAP_Line_Read( Client );
++ status = IMAP_Line_Read( Client, 1 );
+
+ if ( status == -1 )
+ {
+@@ -1152,7 +1153,7 @@
+ if ( Server->LiteralBytesRemaining )
+ break;
+
+- status = IMAP_Line_Read( Server );
++ status = IMAP_Line_Read( Server, 1 );
+
+ /*
+ * If there's an error reading from the server,
+@@ -1266,7 +1267,7 @@
+ if ( ! Client->NonSyncLiteral )
+ {
+ /* we have to wait for a go-ahead */
+- status = IMAP_Line_Read( Server );
++ status = IMAP_Line_Read( Server, 0 );
+ if ( Server->TraceOn )
+ {
+ snprintf( TraceBuf, sizeof TraceBuf - 1, "\n\n-----> C= %d %s SERVER: sd [%d]\n", time( 0 ), ( (TraceUser) ? TraceUser : "Null username" ), Server->conn->sd );
+@@ -1473,7 +1474,19 @@
+
+ PollFailCount = 0;
+
+- BytesRead = IMAP_Line_Read( &Client );
++ while ( Client.LiteralBytesRemaining )
++ {
++ BytesRead = IMAP_Literal_Read( &Client );
++
++ if ( BytesRead == -1 )
++ {
++ IMAPCount->CurrentClientConnections--;
++ close( Client.conn->sd );
++ return;
++ }
++ }
++
++ BytesRead = IMAP_Line_Read( &Client, 1 );
+
+ if ( BytesRead == -1 )
+ {
+@@ -1530,6 +1543,7 @@
+ * appropriate...
+ */
+ strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++ S_Tag[MAXTAGLEN - 1] = '\0';
+ if ( ! strcasecmp( (const char *)Command, "NOOP" ) )
+ {
+ cmd_noop( &Client, S_Tag );
+@@ -1569,6 +1583,7 @@
+ if ( Tag )
+ {
+ strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++ S_Tag[MAXTAGLEN - 1] = '\0';
+ cmd_logout( &Client, S_Tag );
+ }
+ }
+@@ -1641,7 +1656,8 @@
+ }
+ continue;
+ }
+- strncpy( S_UserName, Username, sizeof S_UserName - 1 );
++ strncpy( S_UserName, Username, sizeof S_UserName - 1 );
++ S_UserName[sizeof S_UserName - 1] = '\0';
+
+ /*
+ * Clients can send the password as a literal bytestream. Check
+@@ -1720,7 +1736,7 @@
+ * IMAP_Literal_Read() right now since it works properly
+ * otherwise.
+ */
+- rc = IMAP_Line_Read( &Client );
++ rc = IMAP_Line_Read( &Client, 1 );
+ }
+ else
+ {
+@@ -1748,6 +1764,7 @@
+
+ *CP = '\0';
+ strncpy( S_Password, Lasts, sizeof S_Password - 1 );
++ S_Password[sizeof S_Password - 1] = '\0';
+ }
+
+
+@@ -1779,6 +1796,7 @@
+ if ( Tag )
+ {
+ strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++ S_Tag[MAXTAGLEN - 1] = '\0';
+ cmd_logout( &Client, S_Tag );
+ }
+ }
+diff -ru up-imapproxy-1.2.2/src/select.c up-imapproxy-1.2.2-fixed/src/select.c
+--- src/select.c 2004-07-23 16:17:25.000000000 +0300
++++ src/select.c.orig 2004-11-07 18:56:01.000000000 +0200
+@@ -356,7 +356,7 @@
+ return( -1 );
+ }
+
+- rc = IMAP_Line_Read( Server );
++ rc = IMAP_Line_Read( Server, 0 );
+
+ if ( ( rc == -1 ) || ( rc == 0 ) )
+ {
+@@ -417,6 +417,7 @@
+ ISC->ISCTime = time( 0 );
+
+ strncpy( (char *)ISC->MailboxName, (const char *)MailboxName, MAXMAILBOXNAME - 1 );
++ ISC->MailboxName[MAXMAILBOXNAME - 1] = '\0';
+
+ return( 0 );
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list