From: Moritz Muehlenhoff
Date: Wed, 28 Jun 2006 17:12:05 +0000 (+0000)
Subject: mutt (1.5.9-2sarge2) stable-security; urgency=high
X-Git-Tag: 1.5.9-2sarge2
X-Git-Url: https://git.llucax.com/software/mutt-debian.git/commitdiff_plain/5ed138215ee476f7451fe07201732104fb24e269?ds=sidebyside
mutt (1.5.9-2sarge2) stable-security; urgency=high * Fix buffer overflow in IMAP parsing code
---
diff --git a/debian/changelog b/debian/changelog
index 4bc972e..4f1f223 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mutt (1.5.9-2sarge2) stable-security; urgency=high
+
+ * Fix buffer overflow in IMAP parsing code
+
+ -- Moritz Muehlenhoff Wed, 28 Jun 2006 17:12:05 +0000
+
 mutt (1.5.9-2sarge1) stable; urgency=low

 * For attachments marked for deletion after the message is sent, don't
diff --git a/debian/patches/imap-buffer-overflow.patch b/debian/patches/imap-buffer-overflow.patch
new file mode 100644
index 0000000..556b8b6
--- /dev/null
+++ b/debian/patches/imap-buffer-overflow.patch
@@ -0,0 +1,38 @@
+From: brendan
+Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
+Subject: From: TAKAHASHI Tamotsu
+X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540
+
+
From: TAKAHASHI Tamotsu
+
+ Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+ (Possible remote vulnerability)
+---
+
+--- a/imap/browse.c
++++ b/imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
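Review bot: When the added `n < sizeof (ns) - 1` bound stops either copy loop, `s` is left inside the over-long namespace token and execution still falls through to `s = imap_next_word (s)` and the delimiter parsing, so a truncated name and a delimiter read from mid-token are presumably handled as if the server had sent them; the only trace is a level-1 `dprint`. Treating truncation as a parse failure, or consuming the rest of the token first, would be safer, and the case deserves a comment such as `/* ns truncated: s is still inside the name, so the delimiter parsed below is unreliable */`. The test `n == sizeof (ns) - 1` also reports a name that fits exactly. In the quoted branch, `if (*s == '\\') s++;` can land on the terminating NUL when a backslash ends the input; if the lines between the two inner hunks (not shown) then copy and advance once more, the next `*s` reads past the buffer, which `if (*s == '\\' && s[1])` would prevent. browse_get_namespace starts and ends outside these hunks.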