OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 04-Mar-2005 17:11:59
Branch: OPENPKG_2_2_SOLID Handle: 2005030416115900
Modified files: (Branch: OPENPKG_2_2_SOLID)
openpkg-src/imapd imapd.patch imapd.spec
Log:
patch code to solve OpenPKG-SA-2005.005-imapd buffer overflows (no CAN
yet)
Summary:
Revision Changes Path
1.11.4.2 +374 -2 openpkg-src/imapd/imapd.patch
1.126.2.3 +1 -1 openpkg-src/imapd/imapd.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.patch
============================================================================
$ cvs diff -u -r1.11.4.1 -r1.11.4.2 imapd.patch
--- openpkg-src/imapd/imapd.patch 29 Nov 2004 15:34:41 -0000 1.11.4.1
+++ openpkg-src/imapd/imapd.patch 4 Mar 2005 16:11:59 -0000 1.11.4.2
@@ -41,7 +41,7 @@
+++ perl/sieve/lib/isieve.c 2004-02-02 20:01:21.000000000 +0100
@@ -41,9 +41,7 @@
- /* $Id: imapd.patch,v 1.11.4.1 2004/11/29 15:34:41 thl Exp $ */
+ /* $Id: imapd.patch,v 1.11.4.2 2005/03/04 16:11:59 ms Exp $ */
-#ifdef HAVE_CONFIG_H
-#include <config.h>
@@ -255,4 +255,376 @@
}
flagsparsed++;
-
+Index: imap/annotate.c
+--- imap/annotate.c.orig 2004-06-23 04:55:23 +0200
++++ imap/annotate.c 2005-03-04 15:54:22 +0100
+@@ -920,7 +920,7 @@
+ {
+ struct fetchdata *fdata = (struct fetchdata *) rock;
+ struct annotate_f_entry_list *entries_ptr;
+- static char lastname[MAX_MAILBOX_PATH];
++ static char lastname[MAX_MAILBOX_PATH+1];
+ static int sawuser = 0;
+ int c;
+ char int_mboxname[MAX_MAILBOX_PATH+1], ext_mboxname[MAX_MAILBOX_PATH+1];
+@@ -954,10 +954,10 @@
+ if (!strncasecmp(lastname, "INBOX", 5)) {
+ (*fdata->namespace->mboxname_tointernal)(fdata->namespace, "INBOX",
+ fdata->userid, int_mboxname);
+- strcat(int_mboxname, lastname+5);
++ strlcat(int_mboxname, lastname+5, sizeof(int_mboxname));
+ }
+ else
+- strcpy(int_mboxname, lastname);
++ strlcpy(int_mboxname, lastname, sizeof(int_mboxname));
+
+ c = name[matchlen];
+ if (c) name[matchlen] = '\0';
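Review bot: The new `strlcat`/`strlcpy` calls into `int_mboxname` ignore their return values, so a name that does not fit is silently truncated and the rest of the function carries on with a different mailbox name than the one requested. Compare the result with the buffer size, e.g. `if (strlcpy(int_mboxname, lastname, sizeof(int_mboxname)) >= sizeof(int_mboxname))`, and take whatever failure return this callback uses (its signature is outside the hunk). The return of `mboxname_tointernal` is also discarded, which matters more if that pointer resolves to the mboxname.c functions that gain new `IMAP_MAILBOX_BADNAME` returns in this same patch. The hunk at -1405 has the same pattern, and there the name goes straight to `get_mb_data`.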
+@@ -1377,7 +1377,7 @@
+ {
+ struct storedata *sdata = (struct storedata *) rock;
+ struct annotate_st_entry_list *entries_ptr;
+- static char lastname[MAX_MAILBOX_PATH];
++ static char lastname[MAX_MAILBOX_PATH+1];
+ static int sawuser = 0;
+ char int_mboxname[MAX_MAILBOX_PATH+1];
+ struct mailbox_annotation_rock mbrock;
+@@ -1405,16 +1405,16 @@
+ sawuser = 1;
+ }
+
+- strcpy(lastname, name);
++ strlcpy(lastname, name, sizeof(lastname));
+ lastname[matchlen] = '\0';
+
+ if (!strncasecmp(lastname, "INBOX", 5)) {
+ (*sdata->namespace->mboxname_tointernal)(sdata->namespace, "INBOX",
+ sdata->userid, int_mboxname);
+- strcat(int_mboxname, lastname+5);
++ strlcat(int_mboxname, lastname+5, sizeof(int_mboxname));
+ }
+ else
+- strcpy(int_mboxname, lastname);
++ strlcpy(int_mboxname, lastname, sizeof(int_mboxname));
+
+ memset(&mbrock, 0, sizeof(struct mailbox_annotation_rock));
+ get_mb_data(int_mboxname, &mbrock);
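Review bot: `lastname[matchlen] = '\0'` still indexes with a value that nothing in this hunk bounds. `strlcpy` keeps the copy inside `lastname`, but the terminator write lands outside the array if `matchlen` can reach `sizeof(lastname)`. Unless the caller already guarantees that limit (the origin of `matchlen` is outside the hunk), reject the name before the copy with a check such as `if (matchlen >= sizeof(lastname))`, adding a cast if `matchlen` is signed. The function body starts and ends outside this hunk.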
+Index: imap/backend.c
+--- imap/backend.c.orig 2004-07-16 16:53:24 +0200
++++ imap/backend.c 2005-03-04 16:14:00 +0100
+@@ -297,7 +297,7 @@
+ sunsock.sun_len = res0->ai_addrlen;
+ #endif
+ sunsock.sun_family = AF_UNIX;
+- strcpy(sunsock.sun_path, server);
++ strlcpy(sunsock.sun_path, server, sizeof(sunsock.sun_path));
+
+ /* XXX set that we are preauthed */
+
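Review bot: `strlcpy` into `sunsock.sun_path` stops the overflow but not the wrong connection: a `server` path longer than `sun_path` is truncated without notice and the code goes on to use a different socket path. Check the return value, `if (strlcpy(sunsock.sun_path, server, sizeof(sunsock.sun_path)) >= sizeof(sunsock.sun_path))`, and fail the connection attempt in that case. The enclosing function continues outside the hunk, so the exact error path is not visible here.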
+Index: imap/fetchnews.c
+--- imap/fetchnews.c.orig 2004-07-16 20:44:19 +0200
++++ imap/fetchnews.c 2005-03-04 16:15:51 +0100
+@@ -247,6 +247,7 @@
+ }
+
+ #define RESP_GROW 100
++#define BUFFERSIZE 4096
+
+ int main(int argc, char *argv[])
+ {
+@@ -257,7 +258,7 @@
+ char *authname = NULL, *password = NULL;
+ int psock = -1, ssock = -1;
+ struct protstream *pin, *pout, *sin, *sout;
+- char buf[4096];
++ char buf[BUFFERSIZE];
+ char sfile[1024] = "";
+ int fd, i, n, offered, rejected, accepted, failed;
+ time_t stamp;
+@@ -470,7 +471,7 @@
+ close(fd);
+ }
+ else {
+- char group[1024], msgid[1024], lastbuf[50];
++ char group[BUFFERSIZE], msgid[BUFFERSIZE], lastbuf[50];
+ const char *data;
+ unsigned long low, high, last, cur;
+ int start;
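Review bot: Sizing `group` and `msgid` to `BUFFERSIZE` removes the overflow only if both are filled exclusively from `buf`, and the parsing call that fills them is outside this hunk. State that invariant next to the declaration, e.g. `/* group and msgid are parsed out of buf, so each must be at least as large as buf */`. Better still, give the parse an explicit field width so the bound does not depend on three declarations staying in sync. `lastbuf[50]` on the same line keeps its literal size and deserves the same look.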
+Index: imap/imapd.c
+--- imap/imapd.c.orig 2004-07-15 18:19:18 +0200
++++ imap/imapd.c 2005-03-04 16:21:31 +0100
+@@ -3769,13 +3769,17 @@
+
+ /* take care of deleting ACLs, subscriptions, seen state and quotas */
+ *p = '\0'; /* clip off pattern */
++ if ((!domainlen) ||
++ (domainlen+1 < (sizeof(mailboxname) - mailboxname_len))) {
+ if (domainlen) {
+ /* fully qualify the userid */
+- sprintf(p, "@%.*s", domainlen-1, mailboxname);
++ snprintf(p, (sizeof(mailboxname) - mailboxname_len), "@%.*s",
++ domainlen-1, mailboxname);
+ }
+ user_deletedata(mailboxname+domainlen+5, imapd_userid,
+ imapd_authstate, 1);
+ }
++ }
+
+ if (imapd_mailbox) {
+ index_check(imapd_mailbox, 0, 0);
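Review bot: When the new length check fails, `user_deletedata` is skipped without any log or error, so the cleanup of ACLs, subscriptions, seen state and quotas described in the comment above is silently left undone. Add an `else` branch that at least logs the over-long name so the leftover data can be found and removed. The size passed to `snprintf`, `sizeof(mailboxname) - mailboxname_len`, is right only if `p` equals `mailboxname + mailboxname_len`; both are set outside this hunk, so that is worth confirming. The indentation of the wrapped block should also follow the new nesting.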
+@@ -3806,8 +3810,8 @@
+ int maycreate __attribute__((unused)),
+ void *rock)
+ {
+- char oldextname[MAX_MAILBOX_NAME];
+- char newextname[MAX_MAILBOX_NAME];
++ char oldextname[MAX_MAILBOX_NAME+1];
++ char newextname[MAX_MAILBOX_NAME+1];
+ struct renrock *text = (struct renrock *)rock;
+ int r;
+
+Index: imap/mailbox.c
+--- imap/mailbox.c.orig 2004-05-22 05:45:51 +0200
++++ imap/mailbox.c 2005-03-04 16:35:53 +0100
+@@ -187,7 +187,7 @@
+ /* Generate lower case copy of string */
+ /* xxx sometimes the caller has already generated this ..
+ * maybe we can just require callers to do it? */
+- for (i=0 ; *s && (i < MAX_CACHED_HEADER_SIZE) ; i++)
++ for (i=0 ; *s && (i < (MAX_CACHED_HEADER_SIZE - 1)) ; i++)
+ hdr[i] = tolower(*s++);
+
+ if (*s) return BIT32_MAX; /* Input too long for match */
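Review bot: The loop that the new `MAX_CACHED_HEADER_SIZE - 1` bound protects still calls `tolower(*s++)` on a plain `char`; header bytes above 0x7f become negative where `char` is signed, which is undefined for `tolower`. Use `hdr[i] = tolower((unsigned char) *s++);`. A short comment saying the `- 1` reserves room for the terminating NUL would also help, since the terminator write and the declaration of `hdr` are outside this hunk. The hunk at -205 applies the same bound to a read-only scan without saying why.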
+@@ -205,7 +205,7 @@
+ int i;
+
+ /* Scan for header */
+- for (i=0; i < MAX_CACHED_HEADER_SIZE; i++) {
++ for (i=0; i < (MAX_CACHED_HEADER_SIZE - 1); i++) {
+ if (!text[i] || text[i] == '\r' || text[i] == '\n') break;
+
+ if (text[i] == ':') {
+Index: imap/mboxname.c
+--- imap/mboxname.c.orig 2004-07-13 17:02:08 +0200
++++ imap/mboxname.c 2005-03-04 16:41:11 +0100
+@@ -122,8 +122,10 @@
+ userlen = cp++ - userid;
+ /* don't prepend default domain */
+ if (!(config_defdomain && !strcasecmp(config_defdomain, cp))) {
++ domainlen = strlen(cp)+1;
++ if (domainlen > MAX_MAILBOX_NAME)
++ return IMAP_MAILBOX_BADNAME;
+ sprintf(result, "%s!", cp);
+- domainlen = strlen(result);
+ }
+ }
+ if ((cp = strrchr(name, '@'))) {
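Review bot: The added `domainlen > MAX_MAILBOX_NAME` test guards the `sprintf(result, "%s!", cp)` that follows, but the write itself stays unbounded and is correct only while `result` holds at least `MAX_MAILBOX_NAME+1` bytes. Later hunks in this file already assume that size, so use the bounded form here too: `snprintf(result, MAX_MAILBOX_NAME+1, "%s!", cp);`. The same applies to the `sprintf` calls kept in the hunks at -144, -207 and -229. Where `domainlen` is declared `int` (see the hunk at -194), the `strlen` result is also narrowed on assignment.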
+@@ -144,8 +146,10 @@
+ (except for global admin) */
+ return IMAP_MAILBOX_BADNAME;
+ }
++ domainlen = strlen(cp+1)+1;
++ if (domainlen > MAX_MAILBOX_NAME)
++ return IMAP_MAILBOX_BADNAME;
+ sprintf(result, "%s!", cp+1);
+- domainlen = strlen(result);
+ }
+ }
+
+@@ -194,6 +198,7 @@
+ char *cp;
+ int userlen, domainlen = 0, namelen;
+ int prefixlen;
++ size_t resultlen;
+
+ /* Blank the result, just in case */
+ result[0] = '\0';
+@@ -207,8 +212,10 @@
+ userlen = cp++ - userid;
+ if (!(config_defdomain && !strcasecmp(config_defdomain, cp))) {
+ /* don't prepend default domain */
++ domainlen = strlen(cp)+1;
++ if (domainlen > MAX_MAILBOX_NAME)
++ return IMAP_MAILBOX_BADNAME;
+ sprintf(result, "%s!", cp);
+- domainlen = strlen(result);
+ }
+ }
+ if ((cp = strrchr(name, '@'))) {
+@@ -229,8 +236,10 @@
+ (except for global admin) */
+ return IMAP_MAILBOX_BADNAME;
+ }
++ domainlen = strlen(cp+1)+1;
++ if (domainlen > MAX_MAILBOX_NAME)
++ return IMAP_MAILBOX_BADNAME;
+ sprintf(result, "%s!", cp+1);
+- domainlen = strlen(result);
+ }
+ }
+
+@@ -310,11 +319,14 @@
+ return 0;
+ }
+
++ resultlen = strlen(result);
++
+ /* other personal folder */
+- if (domainlen+strlen(result)+6+namelen > MAX_MAILBOX_NAME) {
++ if (domainlen+resultlen+6+namelen > MAX_MAILBOX_NAME) {
+ return IMAP_MAILBOX_BADNAME;
+ }
+- sprintf(result+strlen(result), ".%.*s", namelen, name);
++ snprintf(result+resultlen, MAX_MAILBOX_NAME+1-resultlen, ".%.*s",
++ namelen, name);
+
+ /* Translate any separators in mailboxname */
+ mboxname_hiersep_tointernal(namespace, result+6+userlen, 0);
+@@ -333,7 +345,7 @@
+ const char *userid, char *result)
+ {
+ char *domain = NULL, *cp;
+- size_t domainlen = 0;
++ size_t domainlen = 0, resultlen;
+
+ /* Blank the result, just in case */
+ result[0] = '\0';
+@@ -356,9 +368,16 @@
+ /* Translate any separators in mailboxname */
+ mboxname_hiersep_toexternal(namespace, result, 0);
+
++ resultlen = strlen(result);
++
+ /* Append domain */
+- if (domain)
+- sprintf(result+strlen(result), "@%.*s", domainlen, domain);
++ if (domain) {
++ if(resultlen+domainlen+1 > MAX_MAILBOX_NAME)
++ return IMAP_MAILBOX_BADNAME;
++
++ snprintf(result+resultlen, MAX_MAILBOX_NAME+1-resultlen,
++ "@%.*s", domainlen, domain);
++ }
+
+ return 0;
+ }
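Review bot: `domainlen` is passed as the precision for `%.*s`, which must be an `int`, but the preceding hunk declares it `size_t`; where the two types differ in width this is undefined behaviour. Pass `(int) domainlen` in the new `snprintf` call. Note also that the new `IMAP_MAILBOX_BADNAME` return leaves `result` holding the name without its domain, so a caller that ignores the return value sees a plausible but wrong name.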
+@@ -368,7 +387,7 @@
+ const char *userid, char *result)
+ {
+ char *domain;
+- size_t userlen;
++ size_t userlen, resultlen;
+
+ /* Blank the result, just in case */
+ result[0] = '\0';
+@@ -412,12 +431,18 @@
+ /* Other Users namespace */
+ else if (!strncmp(name, "user", 4) &&
+ (name[4] == '\0' || name[4] == '.')) {
++ size_t prefixlen = strlen(namespace->prefix[NAMESPACE_USER]);
++
++ if ((prefixlen > MAX_MAILBOX_NAME) ||
++ ((name[4] == '.') &&
++ ((prefixlen+1+strlen(name+5)) > MAX_MAILBOX_NAME)))
++ return IMAP_MAILBOX_BADNAME;
++
+ sprintf(result, "%.*s",
+- (int) strlen(namespace->prefix[NAMESPACE_USER])-1,
+- namespace->prefix[NAMESPACE_USER]);
++ prefixlen-1, namespace->prefix[NAMESPACE_USER]);
++ resultlen = strlen(result);
+ if (name[4] == '.') {
+- sprintf(result+strlen(result), "%c%s",
+- namespace->hier_sep, name+5);
++ sprintf(result+resultlen, "%c%s", namespace->hier_sep, name+5);
+ }
+ }
+
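Review bot: The rewritten call `sprintf(result, "%.*s", prefixlen-1, namespace->prefix[NAMESPACE_USER])` drops the `(int)` cast the removed line had, so a `size_t` is now passed where `%.*s` expects an `int` precision. Restore it as `(int)(prefixlen-1)`. Both writes into `result` also remain plain `sprintf`; using `snprintf` with `MAX_MAILBOX_NAME+1`, as other hunks in this patch do, would keep them bounded even if the length check above is changed later.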
+Index: imap/seen_local.c
+--- imap/seen_local.c.orig 2004-01-22 22:17:10 +0100
++++ imap/seen_local.c 2005-03-04 16:49:14 +0100
+@@ -145,8 +145,8 @@
+ unsigned long left;
+ unsigned long length, namelen;
+
+- strcpy(fnamebuf, seendb->mailbox->path);
+- strcat(fnamebuf, FNAME_SEEN);
++ strlcpy(fnamebuf, seendb->mailbox->path, sizeof(fnamebuf));
++ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
+
+ /* Lock the database */
+ if (!seendb->mailbox->seen_lock_count) {
+@@ -279,10 +279,10 @@
+ num_iov = 0;
+
+ if (replace) {
+- strcpy(fnamebuf, seendb->mailbox->path);
+- strcat(fnamebuf, FNAME_SEEN);
+- strcpy(newfnamebuf, fnamebuf);
+- strcat(newfnamebuf, ".NEW");
++ strlcpy(fnamebuf, seendb->mailbox->path, sizeof(fnamebuf));
++ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
++ strlcpy(newfnamebuf, fnamebuf, sizeof(newfnamebuf));
++ strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf));
+
+ writefd = open(newfnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
+ if (writefd == -1) {
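Review bot: Truncation is not harmless here: if `fnamebuf` is already at its size limit, `strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf))` drops part or all of the suffix. The `open(newfnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666)` that follows then creates or truncates a file other than the intended temporary, which could be the live seen file itself if the two buffers are the same size. Check each `strlcpy`/`strlcat` result against the buffer size and return an error before `open`, e.g. `if (strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf)) >= sizeof(newfnamebuf))`. The same unchecked pairs appear in the hunks at -145, -390, -412, -441, -567 and -722. `sizeof(fnamebuf)` also assumes `fnamebuf` is an array in scope, and its declaration is outside several of these hunks.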
+@@ -390,8 +390,8 @@
+ char fnamebuf[MAX_MAILBOX_PATH+1];
+ int fd;
+
+- strcpy(fnamebuf, mailbox->path);
+- strcat(fnamebuf, FNAME_SEEN);
++ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
++ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
+
+ fd = open(fnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
+ if (fd == -1) {
+@@ -412,8 +412,8 @@
+ int r;
+ const char *lockfailaction;
+
+- strcpy(fnamebuf, mailbox->path);
+- strcat(fnamebuf, FNAME_SEEN);
++ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
++ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
+
+ fd = open(fnamebuf, O_RDWR, 0666);
+ if (fd == -1) {
+@@ -441,10 +441,10 @@
+ char oldfname[MAX_MAILBOX_PATH+1];
+ char newfname[MAX_MAILBOX_PATH+1];
+
+- strcpy(oldfname, oldmailbox->path);
+- strcat(oldfname, FNAME_SEEN);
+- strcpy(newfname, newmailbox->path);
+- strcat(newfname, FNAME_SEEN);
++ strlcpy(oldfname, oldmailbox->path, sizeof(oldfname));
++ strlcat(oldfname, FNAME_SEEN, sizeof(oldfname));
++ strlcpy(newfname, newmailbox->path, sizeof(newfname));
++ strlcat(newfname, FNAME_SEEN, sizeof(newfname));
+ return mailbox_copyfile(oldfname, newfname, 0);
+ }
+
+@@ -567,8 +567,8 @@
+ time(&now);
+ nowplus1day = now + 24*60*60;
+
+- strcpy(fnamebuf, mailbox->path);
+- strcat(fnamebuf, FNAME_SEEN);
++ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
++ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
+
+ fd = open(fnamebuf, O_RDWR, 0666);
+ if (fd == -1) {
+@@ -722,8 +722,8 @@
+ r = 0;
+
+ if (newiov_dirty) {
+- strcpy(newfnamebuf, fnamebuf);
+- strcat(newfnamebuf, ".NEW");
++ strlcpy(newfnamebuf, fnamebuf, sizeof(newfnamebuf));
++ strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf));
+
+ writefd = open(newfnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
+ if (writefd == -1) {
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/imapd/imapd.spec
============================================================================
$ cvs diff -u -r1.126.2.2 -r1.126.2.3 imapd.spec
--- openpkg-src/imapd/imapd.spec 29 Nov 2004 15:34:41 -0000
1.126.2.2
+++ openpkg-src/imapd/imapd.spec 4 Mar 2005 16:11:59 -0000
1.126.2.3
@@ -34,7 +34,7 @@
Group: Mail
License: BSD
Version: 2.2.8
-Release: 2.2.1
+Release: 2.2.2
# package options
%option with_fsl yes
@@ .