OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   29-Nov-2004 16:35:00
  Branch: OPENPKG_2_1_SOLID                Handle: 2004112915350000

  Modified files:           (Branch: OPENPKG_2_1_SOLID)
    openpkg-src/imapd       imapd.patch imapd.spec

  Log:
    SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013,
    CAN-2004-1015 and more

  Summary:
    Revision    Changes     Path
    1.11.2.1    +140 -1     openpkg-src/imapd/imapd.patch
    1.122.2.2   +1  -1      openpkg-src/imapd/imapd.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/imapd/imapd.patch
  ============================================================================
  $ cvs diff -u -r1.11 -r1.11.2.1 imapd.patch
  --- openpkg-src/imapd/imapd.patch     28 Mar 2004 21:48:01 -0000      1.11
  +++ openpkg-src/imapd/imapd.patch     29 Nov 2004 15:35:00 -0000      1.11.2.1
  @@ -41,7 +41,7 @@
   +++ perl/sieve/lib/isieve.c  2004-02-02 20:01:21.000000000 +0100
   @@ -41,9 +41,7 @@
    
  - /* $Id: imapd.patch,v 1.11 2004/03/28 21:48:01 thl Exp $ */
  + /* $Id: imapd.patch,v 1.11.2.1 2004/11/29 15:35:00 thl Exp $ */
    
   -#ifdef HAVE_CONFIG_H
   -#include <config.h>
  @@ -92,3 +92,142 @@
            namelen = cp - name;
    
   
  +Assembled from [EMAIL PROTECTED]
  +Discussion between Stefan Esser, Derrick J Brashear and Sebastian Krahmer
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
  +    Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow
  +    2.2.4 - 2.2.8
  +--- imap/imapd.c.orig        2004-11-15 11:20:17.000000000 +0100
  ++++ imap/imapd.c     2004-11-23 15:18:22.000000000 +0100
  +@@ -286,6 +286,11 @@
  +     if (!ulen) ulen = strlen(user);
  + 
  +     if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
  ++        if (ulen > MAX_MAILBOX_NAME) {
  ++            sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  ++            return SASL_BUFOVER;
  ++        }
  ++
  +     /* make a working copy of the auth[z]id */
  +     memcpy(userbuf, user, ulen);
  +     userbuf[ulen] = '\0';
  +@@ -345,6 +350,11 @@
  + 
  +     /* make a working copy of the authzid */
  +     if (!rlen) rlen = strlen(requested_user);
  ++    if (rlen > MAX_MAILBOX_NAME) {
  ++        sasl_seterror(conn, 0, "buffer overflow while proxying");
  ++        return SASL_BUFOVER;
  ++    }
  ++
  +     memcpy(userbuf, requested_user, rlen);
  +     userbuf[rlen] = '\0';
  +     requested_user = userbuf;
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
  +    Cyrus IMAP Server - PARTIAL out of bounds memory corruption
  +    <= 2.2.6 ([thl: bug exists but] unexploitable in 2.2.7 + 2.2.8)
  +--- imap/imapd.c.orig        2004-11-15 11:20:17.000000000 +0100
  ++++ imap/imapd.c     2004-11-23 15:18:22.000000000 +0100
  +@@ -3154,7 +3168,7 @@
  +     else if (!strncmp(data, "body[", 5) ||
  +          !strncmp(data, "body.peek[", 10)) {
  +     p = section = data + 5;
  +-    if (*p == 'p') {
  ++    if (!strncmp(p, "peek[", 5)) {
  +         p = section += 5;
  +     }
  +     else {
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
  +    Cyrus IMAP Server - FETCH out of bounds memory corruption
  +    <= 2.2.8
  +--- imap/imapd.c.orig        2004-11-15 11:20:17.000000000 +0100
  ++++ imap/imapd.c     2004-11-23 15:18:22.000000000 +0100
  +@@ -2770,10 +2784,10 @@
  +             int binsize = 0;
  + 
  +             p = section = fetchatt.s + 7;
  +-            if (*p == 'P') {
  ++            if (!strncmp(p, "PEEK[", 5)) {
  +                 p = section += 5;
  +             }
  +-            else if (*p == 'S') {
  ++            else if (!strncmp(p, "SIZE[", 5)) {
  +                 p = section += 5;
  +                 binsize = 1;
  +             }
  +@@ -2813,7 +2827,7 @@
  +         else if (!strncmp(fetchatt.s, "BODY[", 5) ||
  +                  !strncmp(fetchatt.s, "BODY.PEEK[", 10)) {
  +             p = section = fetchatt.s + 5;
  +-            if (*p == 'P') {
  ++            if (!strncmp(p, "PEEK[", 5)) {
  +                 p = section += 5;
  +             }
  +             else {
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
  +    Proxyd.c contains a IMAPMAGICPLUS overflow in its proxyd_canon_user function
  +    <= 2.2.9
  +--- imap/proxyd.c.orig       2004-11-23 14:42:37.000000000 +0100
  ++++ imap/proxyd.c    2004-11-23 15:00:56.000000000 +0100
  +@@ -1032,6 +1032,10 @@
  + 
  +     if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
  +     /* make a working copy of the auth[z]id */
  ++    if (ulen > MAX_MAILBOX_NAME) {
  ++            sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  ++            return SASL_BUFOVER;
  ++    }
  +     memcpy(userbuf, user, ulen);
  +     userbuf[ulen] = '\0';
  +     user = userbuf;
  +@@ -1090,6 +1094,11 @@
  + 
  +     /* make a working copy of the authzid */
  +     if (!rlen) rlen = strlen(requested_user);
  ++
  ++    if (rlen > MAX_MAILBOX_NAME) {
  ++            sasl_seterror(conn, 0, "buffer overflow while proxying");
  ++            return SASL_BUFOVER;
  ++    }
  +     memcpy(userbuf, requested_user, rlen);
  +     userbuf[rlen] = '\0';
  +     requested_user = userbuf;
  +
  +missing 0-termination in global.c
  +    <= 2.2.10
  +--- imap/global.c.orig       2004-11-23 15:01:50.000000000 +0100
  ++++ imap/global.c    2004-11-23 15:23:53.000000000 +0100
  +@@ -427,12 +427,12 @@
  +     return SASL_BADAUTH;
  +     }
  +     *out_ulen = strlen(canonuser);
  +-    if (*out_ulen > out_max) {
  ++    if (*out_ulen >= out_max) {
  +     sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  +     return SASL_BUFOVER;
  +     }
  +     
  +-    strncpy(out, canonuser, out_max);
  ++    strcpy(out, canonuser);
  + 
  +     return SASL_OK;
  + }
  +
  +intwrap in cmd_append() and post increment glitches
  +--- imap/imapd.c.orig        2004-11-15 11:20:17.000000000 +0100
  ++++ imap/imapd.c     2004-11-23 15:18:22.000000000 +0100
  +@@ -3314,7 +3328,8 @@
  +             flag = (char **)xrealloc((char *)flag,
  +                                      flagalloc*sizeof(char *));
  +         }
  +-        flag[nflags++] = xstrdup(flagname.s);
  ++        flag[nflags] = xstrdup(flagname.s);
  ++        nflags++;
  +     }
  + 
  +     flagsparsed++;
  +
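Review bot: The four added length checks (imap/imapd.c at @@ -286 and @@ -345, imap/proxyd.c at @@ -1032 and @@ -1090) compare with `>` against MAX_MAILBOX_NAME, yet the lines that follow write the terminator at `userbuf[ulen]` / `userbuf[rlen]`, so a length equal to MAX_MAILBOX_NAME is safe only if userbuf holds at least MAX_MAILBOX_NAME+1 bytes. The declaration of userbuf is outside these hunks, so that cannot be confirmed from here; the global.c fix in this same patch tightens `>` to `>=` for exactly this terminator byte. If userbuf is an array in scope at these points, I would tie the guard to the declaration, e.g. `if (ulen >= sizeof(userbuf)) {`, and otherwise, once the declaration has been checked, add a comment next to each check stating the buffer size it relies on. The enclosing functions begin and end outside the hunks.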
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/imapd/imapd.spec
  ============================================================================
  $ cvs diff -u -r1.122.2.1 -r1.122.2.2 imapd.spec
  --- openpkg-src/imapd/imapd.spec      2 Jul 2004 15:25:26 -0000       1.122.2.1
  +++ openpkg-src/imapd/imapd.spec      29 Nov 2004 15:35:00 -0000      1.122.2.2
  @@ -34,7 +34,7 @@
   Group:        Mail
   License:      BSD
   Version:      2.2.6
  -Release:      2.1.0
  +Release:      2.1.1
   
   #   package options
   %option       with_fsl    yes
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
