From 2b0612fa80992432de78d5b3c5a930166112c9f4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Adeodato=20Sim=C3=B3?=
Date: Fri, 7 Jul 2006 15:02:43 +0200
Subject: [PATCH 1/1] Prepare and upload 1.5.11+cvs20060403-2 to fix CVE-2006-3242.
---
 debian/changelog | 7 +++
 debian/patches/series | 1 +
 .../patches/upstream/fix_cve-2006-3242.diff | 53 +++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 debian/patches/upstream/fix_cve-2006-3242.diff
diff --git a/debian/changelog b/debian/changelog
index 7ae870e..8150d7a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mutt (1.5.11+cvs20060403-2) unstable; urgency=high
+
+ * Fix CVE-2006-3242, stack-based buffer overflow when processing an overly
+ long namespace from the IMAP server. (Closes: #375828)
+
+ -- Adeodato Simó Fri, 7 Jul 2006 15:01:28 +0200
+
 mutt (1.5.11+cvs20060403-1) unstable; urgency=low
 
 * Update to CVS 2006-04-03, which finally:
diff --git a/debian/patches/series b/debian/patches/series
index e7726b5..be9d1a2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@
 debian-specific/dont_document_not_present_features.diff
 misc/define-pgp_getkeys_command.diff
 misc/autotools-update.diff
+upstream/fix_cve-2006-3242.diff -p0
diff --git a/debian/patches/upstream/fix_cve-2006-3242.diff b/debian/patches/upstream/fix_cve-2006-3242.diff
new file mode 100644
index 0000000..dcab392
--- /dev/null
+++ b/debian/patches/upstream/fix_cve-2006-3242.diff
@@ -0,0 +1,53 @@
+------------------------------------------------------------
+revno: 3939
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:03 +0000
+message:
+ 
From: TAKAHASHI Tamotsu
+
+ Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+ (Possible remote vulnerability)
+------------------------------------------------------------
+revno: 3940
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:54 +0000
+message:
+ # changelog commit
+--- ChangeLog.orig
++++ ChangeLog
+@@ -1,3 +1,8 @@
++2006-06-19 18:14:03 TAKAHASHI Tamotsu (brendan)
++
++ * imap/browse.c: Fix browse_get_namespace() which could overflow
++ ns[LONG_STRING]. (Possible remote vulnerability)
++
+ 2006-04-03 20:26:14 Brendan Cully (brendan)
+
+ * imap/command.c: Don't pass a null destination to imap_fix_path
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
-- 
2.43.0
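Review bot: The quoted-namespace branch can still walk past the end of the server's response on a trailing backslash: the `@@ -505,7 +505,7 @@` hunk bounds `n` but keeps `if (*s == '\\') s++;` with no check that a character follows the escape, so a response whose quoted namespace ends in a lone `\` leaves `s` on the NUL, and if the copy step at lines 512-513 (outside this hunk) mirrors the unquoted branch's `ns[n++] = *s; s++;`, it copies the terminator and advances `s` beyond it, after which the loop condition reads past the end of the string. Guarding the escape as `if (*s == '\\' && s[1] != '\0') s++;` keeps the pointer inside the string and costs nothing. A second, smaller concern is that when either loop stops because `n == sizeof (ns) - 1`, `s` is left in the middle of the over-long token and the following `s++` and `s = imap_next_word (s)` resume from there, so the rest of the token is consumed as the closing quote, the delimiter and the next namespace entry; the truncation makes the stack safe, but an oversized namespace would be better rejected (or the remainder of the token skipped up to the closing quote or whitespace) than parsed out of sync. The enclosing browse_get_namespace() starts before and continues after this hunk, so the copy step and the declared type of `n` are inferred rather than visible.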