imap-buffer-overflow.patch

To get this branch, use:

bzr branch
/loggerhead/pkg-mutt/sarge

« back to all changes in this revision

Viewing changes to debian/patches/imap-buffer-overflow.patch

Moritz Muehlenhoff

2006-06-28 17:12:05

Revision ID: deb2bzr-1:jmm@debian.org-20060628171205-5451c797b3e56d58ecdb78bf35f53a7e03b46fa9

Tags: 1.5.9-2sarge2

mutt (1.5.9-2sarge2) stable-security; urgency=high

* Fix buffer overflow in IMAP parsing code

files added:
debian/patches/imap-buffer-overflow.patch

files modified:
debian/changelog

Show diffs side-by-side

added added

removed removed

debian/patches/imap-buffer-overflow.patch

From: brendan <brendan>

Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)

Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>

X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540

From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>

Fix browse_get_namespace() which could overflow ns[LONG_STRING].

(Possible remote vulnerability)

---

--- a/imap/browse.c

+++ b/imap/browse.c

@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA

if (*s == '\"')

{

s++;

- while (*s && *s != '\"')

+ while (*s && *s != '\"' && n < sizeof (ns) - 1)

{

if (*s == '\\')

s++;

@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA

s++;

}

else

- while (*s && !ISSPACE (*s))

+ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)

{

ns[n++] = *s;

s++;

}

ns[n] = '\0';

+ if (n == sizeof (ns) - 1)

+ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));

/* delim? */

s = imap_next_word (s);

/* delimiter is meaningless if namespace is "". Why does

Older

Loggerhead 1.17 is a web-based interface for Bazaar branches