OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 29-Nov-2004 16:35:00 Branch: OPENPKG_2_1_SOLID Handle: 2004112915350000 Modified files: (Branch: OPENPKG_2_1_SOLID) openpkg-src/imapd imapd.patch imapd.spec Log: SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015 and more Summary: Revision Changes Path 1.11.2.1 +140 -1 openpkg-src/imapd/imapd.patch 1.122.2.2 +1 -1 openpkg-src/imapd/imapd.spec ____________________________________________________________________________ patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.patch ============================================================================ $ cvs diff -u -r1.11 -r1.11.2.1 imapd.patch
--- openpkg-src/imapd/imapd.patch 28 Mar 2004 21:48:01 -0000 1.11
+++ openpkg-src/imapd/imapd.patch 29 Nov 2004 15:35:00 -0000 1.11.2.1
@@ -41,7 +41,7 @@
 +++ perl/sieve/lib/isieve.c 2004-02-02 20:01:21.000000000 +0100
 @@ -41,9 +41,7 @@
- /* $Id: imapd.patch,v 1.11 2004/03/28 21:48:01 thl Exp $ */
+ /* $Id: imapd.patch,v 1.11.2.1 2004/11/29 15:35:00 thl Exp $ */
 -#ifdef HAVE_CONFIG_H
 -#include <config.h>
@@ -92,3 +92,142 @@
 namelen = cp - name;
+Assembled from [EMAIL PROTECTED]
+Discussion between Stefan Esser, Derrick J Brashear and Sebastian Krahmer
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
+ Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow
+ 2.2.4 - 2.2.8
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -286,6 +286,11 @@
+ if (!ulen) ulen = strlen(user);
+
+ if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
++ if (ulen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
++ return SASL_BUFOVER;
++ }
++
+ /* make a working copy of the auth[z]id */
+ memcpy(userbuf, user, ulen);
+ userbuf[ulen] = '\0';
+@@ -345,6 +350,11 @@
+
+ /* make a working copy of the authzid */
+ if (!rlen) rlen = strlen(requested_user);
++ if (rlen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while proxying");
++ return SASL_BUFOVER;
++ }
++
+ memcpy(userbuf, requested_user, rlen);
+ userbuf[rlen] = '\0';
+ requested_user = userbuf;
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
+ Cyrus IMAP Server - PARTIAL out of bounds memory corruption
+ <= 2.2.6 ([thl: bug exists but] unexploitable in 2.2.7 + 2.2.8)
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -3154,7 +3168,7 @@
+ else if (!strncmp(data, "body[", 5) ||
+ !strncmp(data, "body.peek[", 10)) {
+ p = section = data + 5;
+- if (*p == 'p') {
++ if (!strncmp(p, "peek[", 5)) {
+ p = section += 5;
+ }
+ else {
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
+ Cyrus IMAP Server - FETCH out of bounds memory corruption
+ <= 2.2.8
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -2770,10 +2784,10 @@
+ int binsize = 0;
+
+ p = section = fetchatt.s + 7;
+- if (*p == 'P') {
++ if (!strncmp(p, "PEEK[", 5)) {
+ p = section += 5;
+ }
+- else if (*p == 'S') {
++ else if (!strncmp(p, "SIZE[", 5)) {
+ p = section += 5;
+ binsize = 1;
+ }
+@@ -2813,7 +2827,7 @@
+ else if (!strncmp(fetchatt.s, "BODY[", 5) ||
+ !strncmp(fetchatt.s, "BODY.PEEK[", 10)) {
+ p = section = fetchatt.s + 5;
+- if (*p == 'P') {
++ if (!strncmp(p, "PEEK[", 5)) {
+ p = section += 5;
+ }
+ else {
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
+ Proxyd.c contains a IMAPMAGICPLUS overflow in its proxyd_canon_user function
+ <= 2.2.9
+--- imap/proxyd.c.orig 2004-11-23 14:42:37.000000000 +0100
++++ imap/proxyd.c 2004-11-23 15:00:56.000000000 +0100
+@@ -1032,6 +1032,10 @@
+
+ if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
+ /* make a working copy of the auth[z]id */
++ if (ulen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
++ return SASL_BUFOVER;
++ }
+ memcpy(userbuf, user, ulen);
+ userbuf[ulen] = '\0';
+ user = userbuf;
+@@ -1090,6 +1094,11 @@
+
+ /* make a working copy of the authzid */
+ if (!rlen) rlen = strlen(requested_user);
++
++ if (rlen > MAX_MAILBOX_NAME) {
++ sasl_seterror(conn, 0, "buffer overflow while proxying");
++ return SASL_BUFOVER;
++ }
+ memcpy(userbuf, requested_user, rlen);
+ userbuf[rlen] = '\0';
+ requested_user = userbuf;
+
+missing 0-termination in global.c
+ <= 2.2.10
+--- imap/global.c.orig 2004-11-23 15:01:50.000000000 +0100
++++ imap/global.c 2004-11-23 15:23:53.000000000 +0100
+@@ -427,12 +427,12 @@
+ return SASL_BADAUTH;
+ }
+ *out_ulen = strlen(canonuser);
+- if (*out_ulen > out_max) {
++ if (*out_ulen >= out_max) {
+ sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
+ return SASL_BUFOVER;
+ }
+
+- strncpy(out, canonuser, out_max);
++ strcpy(out, canonuser);
+
+ return SASL_OK;
+ }
+
+intwrap in cmd_append() and post increment glitches
+--- imap/imapd.c.orig 2004-11-15 11:20:17.000000000 +0100
++++ imap/imapd.c 2004-11-23 15:18:22.000000000 +0100
+@@ -3314,7 +3328,8 @@
+ flag = (char **)xrealloc((char *)flag,
+ flagalloc*sizeof(char *));
+ }
+- flag[nflags++] = xstrdup(flagname.s);
++ flag[nflags] = xstrdup(flagname.s);
++ nflags++;
+ }
+
+ flagsparsed++;
+
@@ . patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.spec ============================================================================ $ cvs diff -u -r1.122.2.1 -r1.122.2.2 imapd.spec
--- openpkg-src/imapd/imapd.spec 2 Jul 2004 15:25:26 -0000 1.122.2.1
+++ openpkg-src/imapd/imapd.spec 29 Nov 2004 15:35:00 -0000 1.122.2.2
@@ -34,7 +34,7 @@
 Group: Mail
 License: BSD
 Version: 2.2.6
-Release: 2.1.0
+Release: 2.1.1
 # package options
 %option with_fsl yes
@@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
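Review bot: The four added length guards in the embedded imap/imapd.c and imap/proxyd.c hunks (`if (ulen > MAX_MAILBOX_NAME)` and `if (rlen > MAX_MAILBOX_NAME)`) still let a length of exactly MAX_MAILBOX_NAME reach `userbuf[ulen] = '\0'`, which is in bounds only if userbuf is declared with at least MAX_MAILBOX_NAME + 1 bytes. That declaration is outside every hunk shown, and the global.c hunk in this same patch changes `>` to `>=` for exactly this terminator byte, so the buffer size should be confirmed against the 2.2.6 sources this package builds. If userbuf is a true array in scope at those points, tying the guard to it removes the doubt: `if (ulen >= sizeof(userbuf)) {`, and likewise for rlen. The enclosing functions start and end outside the hunks.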