From 5ed138215ee476f7451fe07201732104fb24e269 Mon Sep 17 00:00:00 2001
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 28 Jun 2006 17:12:05 +0000
Subject: [PATCH] mutt (1.5.9-2sarge2) stable-security; urgency=high

  * Fix buffer overflow in IMAP parsing code
---
 debian/changelog                          |  6 ++++
 debian/patches/imap-buffer-overflow.patch | 38 +++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 debian/patches/imap-buffer-overflow.patch

diff --git a/debian/changelog b/debian/changelog
index 4bc972e..4f1f223 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mutt (1.5.9-2sarge2) stable-security; urgency=high
+
+  * Fix buffer overflow in IMAP parsing code 
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Wed, 28 Jun 2006 17:12:05 +0000
+
 mutt (1.5.9-2sarge1) stable; urgency=low
 
   * For attachments marked for deletion after the message is sent, don't
diff --git a/debian/patches/imap-buffer-overflow.patch b/debian/patches/imap-buffer-overflow.patch
new file mode 100644
index 0000000..556b8b6
--- /dev/null
+++ b/debian/patches/imap-buffer-overflow.patch
@@ -0,0 +1,38 @@
+From: brendan <brendan>
+Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
+Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540
+
+  From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+  
+  Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+  (Possible remote vulnerability)
+---
+
+--- a/imap/browse.c
++++ b/imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
++	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
++	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
++	    if (n == sizeof (ns) - 1)
++	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
-- 
2.43.0