]> git.llucax.com Git - software/mutt-debian.git/commitdiff
Prepare and upload 1.5.11+cvs20060403-2 to fix CVE-2006-3242. 1.5.11+cvs20060403-2
authorAdeodato Simó <dato@net.com.org.es>
Fri, 7 Jul 2006 13:02:43 +0000 (15:02 +0200)
committerAdeodato Simó <dato@net.com.org.es>
Fri, 7 Jul 2006 13:02:43 +0000 (15:02 +0200)
debian/changelog
debian/patches/series
debian/patches/upstream/fix_cve-2006-3242.diff [new file with mode: 0644]

index 7ae870e1aebad20bde743068ba6faa0d60400b91..8150d7a2bdcdf08174a273ddec44dc864426d03a 100644 (file)
@@ -1,3 +1,10 @@
+mutt (1.5.11+cvs20060403-2) unstable; urgency=high
+
+  * Fix CVE-2006-3242, stack-based buffer overflow when processing an overly
+    long namespace from the IMAP server.  (Closes: #375828)
+
+ -- Adeodato Simó <dato@net.com.org.es>  Fri,  7 Jul 2006 15:01:28 +0200
+
 mutt (1.5.11+cvs20060403-1) unstable; urgency=low
 
   * Update to CVS 2006-04-03, which finally:
 mutt (1.5.11+cvs20060403-1) unstable; urgency=low
 
   * Update to CVS 2006-04-03, which finally:
index e7726b583c63ba6d2b1f4e57ad2d0df5cde2930e..be9d1a2c62cca6b03a684e4d10a47e6741ba4c88 100644 (file)
@@ -20,3 +20,4 @@ debian-specific/dont_document_not_present_features.diff
 
 misc/define-pgp_getkeys_command.diff
 misc/autotools-update.diff
 
 misc/define-pgp_getkeys_command.diff
 misc/autotools-update.diff
+upstream/fix_cve-2006-3242.diff -p0
diff --git a/debian/patches/upstream/fix_cve-2006-3242.diff b/debian/patches/upstream/fix_cve-2006-3242.diff
new file mode 100644 (file)
index 0000000..dcab392
--- /dev/null
@@ -0,0 +1,53 @@
+------------------------------------------------------------
+revno: 3939
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:03 +0000
+message:
+  From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+  
+  Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+  (Possible remote vulnerability)
+------------------------------------------------------------
+revno: 3940
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:54 +0000
+message:
+  # changelog commit
+--- ChangeLog.orig
++++ ChangeLog
+@@ -1,3 +1,8 @@
++2006-06-19 18:14:03  TAKAHASHI Tamotsu  <tamo@momonga-linux.org>  (brendan)
++
++      * imap/browse.c: Fix browse_get_namespace() which could overflow
++      ns[LONG_STRING].  (Possible remote vulnerability)
++
+ 2006-04-03 20:26:14  Brendan Cully  <brendan@kublai.com>  (brendan)
+       * imap/command.c: Don't pass a null destination to imap_fix_path
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@
+           if (*s == '\"')
+           {
+             s++;
+-            while (*s && *s != '\"') 
++            while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+             {
+               if (*s == '\\')
+                 s++;
+@@ -516,12 +516,14 @@
+               s++;
+           }
+           else
+-            while (*s && !ISSPACE (*s)) 
++            while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+             {
+               ns[n++] = *s;
+               s++;
+             }
+           ns[n] = '\0';
++          if (n == sizeof (ns) - 1)
++            dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+           /* delim? */
+           s = imap_next_word (s);
+           /* delimiter is meaningless if namespace is "". Why does