+mutt (1.5.9-2sarge2) stable-security; urgency=high
+
+ * Fix buffer overflow in IMAP parsing code
+
+ -- Moritz Muehlenhoff <jmm@debian.org> Wed, 28 Jun 2006 17:12:05 +0000
+
mutt (1.5.9-2sarge1) stable; urgency=low
* For attachments marked for deletion after the message is sent, don't
--- /dev/null
+From: brendan <brendan>
+Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
+Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540
+
+ From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+
+ Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+ (Possible remote vulnerability)
+---
+
+--- a/imap/browse.c
++++ b/imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
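Review bot: The escape handling in the quoted-string loop is still unchecked after this change: `if (*s == '\\') s++;` steps over the backslash without testing whether the next byte is the terminating NUL. The rest of the loop body lies outside this hunk, but if it stores `*s` and advances again, as the unquoted loop in the next hunk does, a server response ending in a backslash would move `s` past the end of the buffer. The `*s` test in the loop condition would then read out of bounds. Guarding the skip, e.g. `if (*s == '\\' && s[1]) s++;`, keeps the pointer on the terminator so the loop exits normally.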
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
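Review bot: When either loop stops on the new `n < sizeof (ns) - 1` bound, `s` is left in the middle of the namespace token and the only reaction is the `dprint` at debug level 1, so parsing carries on with a silently truncated name. Whether `imap_next_word (s)` then resynchronises is not visible in this hunk; for a quoted name that contains spaces, the unconsumed tail could plausibly be taken for the delimiter field. I would treat truncation as a parse failure for this namespace entry rather than continue, and add a comment above the check such as `/* name did not fit in ns; the rest of the token is still unread at s */`. The condition `n == sizeof (ns) - 1` also holds for a name that fits exactly, so the message can fire for a name that was not truncated. browse_get_namespace starts and ends outside the hunk.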