mutt (1.5.9-2sarge2) stable-security; urgency=high 1.5.9-2sarge2
authorMoritz Muehlenhoff <jmm@debian.org>
Wed, 28 Jun 2006 17:12:05 +0000 (17:12 +0000)
committerMoritz Muehlenhoff <jmm@debian.org>
Wed, 28 Jun 2006 17:12:05 +0000 (17:12 +0000)
  * Fix buffer overflow in IMAP parsing code

debian/changelog
debian/patches/imap-buffer-overflow.patch [new file with mode: 0644]

index 4bc972e5b0ae6c8ca579d8e9a15b90bdd87587b8..4f1f223202b48f3102be8901c86a53f36faf62ef 100644 (file)
@@ -1,3 +1,9 @@
+mutt (1.5.9-2sarge2) stable-security; urgency=high
+
+  * Fix buffer overflow in IMAP parsing code 
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Wed, 28 Jun 2006 17:12:05 +0000
+
 mutt (1.5.9-2sarge1) stable; urgency=low
 
   * For attachments marked for deletion after the message is sent, don't
 mutt (1.5.9-2sarge1) stable; urgency=low
 
   * For attachments marked for deletion after the message is sent, don't
diff --git a/debian/patches/imap-buffer-overflow.patch b/debian/patches/imap-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..556b8b6
--- /dev/null
@@ -0,0 +1,38 @@
+From: brendan <brendan>
+Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
+Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540
+
+  From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+  
+  Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+  (Possible remote vulnerability)
+---
+
+--- a/imap/browse.c
++++ b/imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+           if (*s == '\"')
+           {
+             s++;
+-            while (*s && *s != '\"') 
++            while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+             {
+               if (*s == '\\')
+                 s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+               s++;
+           }
+           else
+-            while (*s && !ISSPACE (*s)) 
++            while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+             {
+               ns[n++] = *s;
+               s++;
+             }
+           ns[n] = '\0';
++          if (n == sizeof (ns) - 1)
++            dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+           /* delim? */
+           s = imap_next_word (s);
+           /* delimiter is meaningless if namespace is "". Why does
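Review bot: When either bounded copy loop in the imap/browse.c change stops at `n == sizeof (ns) - 1`, `s` still points into the middle of the server-supplied namespace name, and the truncated `ns` is carried on to `s = imap_next_word (s)` with only a level-1 debug message recording it. In the quoted branch the `s++` after the loop then steps over an ordinary character rather than the closing quote, so the delimiter parse may start inside the name; whether `imap_next_word` resynchronises is not visible in this hunk. I would consume the rest of the token before the delimiter parse, e.g. `while (*s && *s != '\"') s++;` after the quoted loop (escaped quotes would need the same backslash handling as the copy loop), and consider skipping an entry whose name was cut rather than browsing a truncated namespace. The test `n == sizeof (ns) - 1` also reports a name of exactly that length that was copied in full; checking whether `*s` is still inside the token at loop exit would separate the two cases. browse_get_namespace starts and ends outside the hunk, so how its callers treat the result is an assumption here.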