[pkgsrc/trunk]: pkgsrc/mail/perdition Add patch for IMAP tag arbitrary code e...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/mail/perdition Add patch for IMAP tag arbitrary code e...
From: tonnerre <tonnerre%pkgsrc.org@localhost>
Date: Thu, 14 Oct 2021 06:18:42 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/076478378bc5
branches:  trunk
changeset: 544160:076478378bc5
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Sun Jul 13 16:26:17 2008 +0000

description:
Add patch for IMAP tag arbitrary code execution in the perdition IMAP server
(CVE-2007-5740).

diffstat:

 mail/perdition/Makefile         |    4 +-
 mail/perdition/distinfo         |    3 +-
 mail/perdition/patches/patch-ah |  109 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 3 deletions(-)

diffs (140 lines):

diff -r 3eb958af07f8 -r 076478378bc5 mail/perdition/Makefile
--- a/mail/perdition/Makefile   Sun Jul 13 16:15:04 2008 +0000
+++ b/mail/perdition/Makefile   Sun Jul 13 16:26:17 2008 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2008/06/12 02:14:35 joerg Exp $
+# $NetBSD: Makefile,v 1.11 2008/07/13 16:26:17 tonnerre Exp $
 #
 
-PKGREVISION=           7
+PKGREVISION=           8
 
 PERDITION_COMMENT=     main program
 
diff -r 3eb958af07f8 -r 076478378bc5 mail/perdition/distinfo
--- a/mail/perdition/distinfo   Sun Jul 13 16:15:04 2008 +0000
+++ b/mail/perdition/distinfo   Sun Jul 13 16:26:17 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/03/02 11:37:33 grant Exp $
+$NetBSD: distinfo,v 1.7 2008/07/13 16:26:17 tonnerre Exp $
 
 SHA1 (perdition-1.17.tar.gz) = 5e04f172db4a7ee2af5b7a28c19c231f955243fc
 RMD160 (perdition-1.17.tar.gz) = cc3c4679390132ece6858eca6483ffddead568e4
@@ -10,3 +10,4 @@
 SHA1 (patch-ae) = a3a41d06a7a63d479f4c8de29b6d7ee2a745dd87
 SHA1 (patch-af) = 0fa5a853c69ff6869e3a752fc592228d6e782079
 SHA1 (patch-ag) = 350cfc64f98611455292d4d052463e6828588338
+SHA1 (patch-ah) = 6a88d3c73cc5e5b88a58b057c58fdbe182f2d0d4
diff -r 3eb958af07f8 -r 076478378bc5 mail/perdition/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/perdition/patches/patch-ah   Sun Jul 13 16:26:17 2008 +0000
@@ -0,0 +1,109 @@
+$NetBSD: patch-ah,v 1.1 2008/07/13 16:26:17 tonnerre Exp $
+
+--- perdition/imap4_in.c.orig  2005-06-22 07:50:05.000000000 +0200
++++ perdition/imap4_in.c
+@@ -277,6 +277,76 @@ int imap4_in_authenticate(
+ 
+ #endif /* WITH_PAM_SUPPORT */
+ 
++/**********************************************************************
++ * imap4_in_verify_tag_str
++ * Verify that a tag is valid
++ * Pre: tag: io_t to write to
++ * Return 0 on success
++ *        -1 otherwise
++ **********************************************************************/
++
++/* Excerpts from rfc3501, Section 9. Formal Syntax
++ *
++ * The ASCII NUL character, %x00, MUST NOT be used at any time.
++ *
++ * tag             = 1*<any ASTRING-CHAR except "+">
++ *
++ * ATOM-CHAR       = <any CHAR except atom-specials>
++ *
++ * atom-specials   = "(" / ")" / "{" / SP / CTL / list-wildcards /
++ *                quoted-specials / resp-specials
++ *
++ * list-wildcards  = "%" / "*"
++ *
++ * quoted-specials = DQUOTE / "\"
++ *
++ * resp-specials   = "]"
++ *
++ * Excerpts from rfc2060, Section 9. Formal Syntax
++ *
++ * CHAR            ::= <any 7-bit US-ASCII character except NUL,
++ *                      0x01 - 0x7f>
++ *
++ * CTL             ::= <any ASCII control character and DEL,
++ *                         0x00 - 0x1f, 0x7f>
++ */
++
++static int imap4_in_verify_tag_str(const token_t *tag)
++{
++      unsigned char *tag_str;
++      size_t tag_str_len, i;
++
++      tag_str_len = token_len(tag);
++
++      if (!tag_str_len)
++              return -1;
++
++      tag_str = token_buf(tag);
++
++      for (i = 0; i < tag_str_len; i++) {
++              /* Must be ASCII, must not be a control character */
++              if (tag_str[i] <= 0x1f || tag_str[i] >= 0x7f)
++                      return -1;
++              /* Must not be other reserved characters */
++              switch(tag_str[i]) {
++                      case '\0':
++                      case '(':
++                      case ')':
++                      case '{':
++                      case ' ':
++                      case '%':
++                      case '*':
++                      case '"':
++                      case '\\':
++                      case ']':
++                              return -1;
++              }
++      }
++
++      return 0;
++}
++
++
+ 
+ /**********************************************************************
+  * imap4_in_get_pw
+@@ -337,19 +407,20 @@ int imap4_in_get_pw(io_t *io, struct pas
+       break;
+     }
+ 
++    if (imap4_in_verify_tag_str(tag)) {
++      token_assign(tag, (unsigned char *)strdup(IMAP4_UNTAGGED),
++                 strlen(IMAP4_UNTAGGED), 0);
++      __IMAP4_IN_BAD("Invalid tag, mate");
++      goto loop;
++    }
++
+     if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){
+       VANESSA_LOGGER_DEBUG("vanessa_queue_pop 1");
+       break;
+     }
+ 
+     if(token_is_eol(tag)){
+-      if(token_is_null(tag)){
+-      token_assign(tag, strdup(IMAP4_BAD), strlen(IMAP4_BAD), 0);
+-      __IMAP4_IN_BAD("Null tag, mate");
+-      }
+-      else {
+-      __IMAP4_IN_BAD("Missing command, mate");
+-      }
++      __IMAP4_IN_BAD("Missing command, mate");
+       goto loop;
+     }
+

Prev by Date: [pkgsrc/trunk]: pkgsrc/sysutils/wbm-virtual-server Fix PLIST. Bump revision.
Next by Date: [pkgsrc/trunk]: pkgsrc/doc Updated devel/pwlib to 1.8.3nb8.
Previous by Thread: [pkgsrc/trunk]: pkgsrc/sysutils/wbm-virtual-server Fix PLIST. Bump revision.
Next by Thread: [pkgsrc/trunk]: pkgsrc/doc Updated devel/pwlib to 1.8.3nb8.
Indexes:

Home | Main Index | Thread Index | Old Index