Fix a buffer overflow in the IMAP code.

Diff from mutt CVS via TAKAHASHI Tamotsu, thanks! ok naddy@
2006-06-21 08:16:45 +00:00 · 2006-06-21 08:16:45 +00:00 · da7e53023f
commit da7e53023f
parent c1ec49da96
4 changed files with 70 additions and 4 deletions
--- a/mail/mutt/snapshot/Makefile
+++ b/mail/mutt/snapshot/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.38 2006/03/22 12:43:09 bernd Exp $
+# $OpenBSD: Makefile,v 1.39 2006/06/21 08:16:45 bernd Exp $

 COMMENT=	"tty-based e-mail client, development version"

 VERSION=	1.5.11
 DISTNAME=	mutt-${VERSION}
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}p3
 MASTER_SITES=	${MASTER_SITES_MUTT:=devel/}

 AUTOCONF_VERSION= 2.59
--- a/mail/mutt/snapshot/patches/patch-imap_browse_c
+++ b/mail/mutt/snapshot/patches/patch-imap_browse_c
@ -0,0 +1,33 @@
+$OpenBSD: patch-imap_browse_c,v 1.1 2006/06/21 08:16:45 bernd Exp $
+
+From mutt CVS:
+Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+(Possible remote vulnerability)
+
+--- imap/browse.c.orig	Tue Jun 20 15:40:30 2006
+++ imap/browse.c	Tue Jun 20 15:42:34 2006
+@@ -512,7 +512,7 @@ static int browse_get_namespace (IMAP_DA
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
+	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -523,12 +523,14 @@ static int browse_get_namespace (IMAP_DA
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
+	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
+	    if (n == sizeof (ns) - 1)
+	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
--- a/mail/mutt/stable/Makefile
+++ b/mail/mutt/stable/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.27 2006/03/22 12:43:09 bernd Exp $
+# $OpenBSD: Makefile,v 1.28 2006/06/21 08:16:45 bernd Exp $

 COMMENT=	"tty-based e-mail client"

 VERSION=	1.4.2
 DISTNAME=	mutt-${VERSION}i
-PKGNAME=	${DISTNAME}p3
+PKGNAME=	${DISTNAME}p4
 MASTER_SITES=	${MASTER_SITES_MUTT}

 AUTOCONF_VERSION=2.13
--- a/mail/mutt/stable/patches/patch-imap_browse_c
+++ b/mail/mutt/stable/patches/patch-imap_browse_c
@ -0,0 +1,33 @@
+$OpenBSD: patch-imap_browse_c,v 1.1 2006/06/21 08:16:45 bernd Exp $
+
+From mutt CVS:
+Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+(Possible remote vulnerability)
+
+--- imap/browse.c.orig	Tue Feb 26 11:38:56 2002
+++ imap/browse.c	Tue Jun 20 15:44:27 2006
+@@ -452,7 +452,7 @@ static int browse_get_namespace (IMAP_DA
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
+	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -463,12 +463,14 @@ static int browse_get_namespace (IMAP_DA
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
+	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
+	    if (n == sizeof (ns) - 1)
+	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does