svn commit: r402766 - in branches/2015Q4/mail/cyrus-imapd24: . files

Hajimu UMEMOTO ume at FreeBSD.org
Tue Dec 1 16:16:04 UTC 2015 

Author: ume
Date: Tue Dec  1 16:16:02 2015
New Revision: 402766
URL: https://svnweb.freebsd.org/changeset/ports/402766

Log:
  MFH r402745:
    Apply upstream patches to fix CVE-2015-8077 and CVE-2015-8078.
  
  Approved by:	portmgr (feld@)
  Obtained from:	https://cyrus.foundation/cyrus-imapd/patch/?id=745e161c834f1eb6d62fc14477f51dae799e1e08,
  		https://cyrus.foundation/cyrus-imapd/patch/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2
  Security:	d62ec98e-97d8-11e5-8c0e-080027b00c2e

Added:
  branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8077
     - copied unchanged from r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8077
  branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8078
     - copied unchanged from r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8078
Modified:
  branches/2015Q4/mail/cyrus-imapd24/Makefile
Directory Properties:
  branches/2015Q4/   (props changed)

Modified: branches/2015Q4/mail/cyrus-imapd24/Makefile
==============================================================================
--- branches/2015Q4/mail/cyrus-imapd24/Makefile	Tue Dec  1 16:06:20 2015	(r402765)
+++ branches/2015Q4/mail/cyrus-imapd24/Makefile	Tue Dec  1 16:16:02 2015	(r402766)
@@ -2,7 +2,7 @@
 
 PORTNAME=	cyrus-imapd
 PORTVERSION=	2.4.18
-#PORTREVISION=	0
+PORTREVISION=	2
 CATEGORIES=	mail ipv6
 MASTER_SITES=	ftp://ftp.cyrusimap.org/cyrus-imapd/ \
 		http://cyrusimap.org/releases/

Copied: branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8077 (from r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8077)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8077	Tue Dec  1 16:16:02 2015	(r402766, copy of r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8077)
@@ -0,0 +1,40 @@
+From 745e161c834f1eb6d62fc14477f51dae799e1e08 Mon Sep 17 00:00:00 2001
+From: ellie timoney <ellie at fastmail.com>
+Date: Mon, 26 Oct 2015 16:15:40 +1100
+Subject: urlfetch: protect against overflow in range checks
+
+
+--- imap/index.c.orig	2015-07-06 03:38:29 UTC
++++ imap/index.c
+@@ -2712,7 +2712,8 @@ int index_urlfetch(struct index_state *s
+     int fetchmime = 0, domain = DOMAIN_7BIT;
+     unsigned size;
+     int32_t skip = 0;
+-    int n, r = 0;
++    unsigned long n;
++    int r = 0;
+     char *decbuf = NULL;
+     struct mailbox *mailbox = state->mailbox;
+     struct index_map *im = &state->map[msgno-1];
+@@ -2849,7 +2850,7 @@ int index_urlfetch(struct index_state *s
+         start_octet = size;
+         n = 0;
+     }
+-    else if (start_octet + n > size) {
++    else if (start_octet + n < start_octet || start_octet + n > size) {
+         n = size - start_octet;
+     }
+ 
+@@ -2861,10 +2862,10 @@ int index_urlfetch(struct index_state *s
+ 
+ 	if (domain == DOMAIN_BINARY) {
+ 	    /* Write size of literal8 */
+-	    prot_printf(pout, " ~{%u}\r\n", n);
++	    prot_printf(pout, " ~{%lu}\r\n", n);
+ 	} else {
+ 	    /* Write size of literal */
+-	    prot_printf(pout, " {%u}\r\n", n);
++	    prot_printf(pout, " {%lu}\r\n", n);
+ 	}
+     }
+ 

Copied: branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8078 (from r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8078)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q4/mail/cyrus-imapd24/files/patch-CVE-2015-8078	Tue Dec  1 16:16:02 2015	(r402766, copy of r402745, head/mail/cyrus-imapd24/files/patch-CVE-2015-8078)
@@ -0,0 +1,23 @@
+From 6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2 Mon Sep 17 00:00:00 2001
+From: ellie timoney <ellie at fastmail.com>
+Date: Mon, 26 Oct 2015 16:21:01 +1100
+Subject: urlfetch: and the other bit
+
+
+diff --git a/imap/index.c b/imap/index.c
+index f5161cd..da8ce3d 100644
+--- imap/index.c
++++ imap/index.c
+@@ -4244,7 +4244,8 @@ EXPORTED int index_urlfetch(struct index_state *state, uint32_t msgno,
+         size_t section_offset = CACHE_ITEM_BIT32(cacheitem);
+         size_t section_size = CACHE_ITEM_BIT32(cacheitem + CACHE_ITEM_SIZE_SKIP);
+ 
+-        if (section_offset + section_size > size) {
++        if (section_offset + section_size < section_offset
++            || section_offset + section_size > size) {
+             r = IMAP_INTERNAL;
+             goto done;
+         }
+-- 
+cgit v0.10.2
+

More information about the svn-ports-branches mailing list