Subject: CVS commit: pkgsrc/mail/imap-uw
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 10/05/2005 15:49:44
Module Name:	pkgsrc
Committed By:	salo
Date:		Wed Oct  5 15:49:44 UTC 2005

Modified Files:
	pkgsrc/mail/imap-uw: Makefile buildlink3.mk distinfo
Added Files:
	pkgsrc/mail/imap-uw/patches: patch-an

Log Message:
Security fix for SA17062:

"A vulnerability in UW-imapd can be exploited by malicious users to
 cause a DoS (Denial of Service) or compromise a vulnerable system.

 The vulnerability is caused due to a boundary error in the
 "mail_valid_net_parse_work()" function when copying the user supplied
 mailbox name to a stack buffer. This can be exploited to cause a
 stack-based buffer overflow via a specially crafted mailbox name that
 contains an single opening double-quote character, without the
 corresponding closing double-quote.

 Successful exploitation allows arbitrary code execution, but requires
 valid credentials on the IMAP server."

http://secunia.com/advisories/17062/
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933

Patch from 2004g.


To generate a diff of this commit:
cvs rdiff -r1.101 -r1.102 pkgsrc/mail/imap-uw/Makefile
cvs rdiff -r1.4 -r1.5 pkgsrc/mail/imap-uw/buildlink3.mk
cvs rdiff -r1.24 -r1.25 pkgsrc/mail/imap-uw/distinfo
cvs rdiff -r0 -r1.1 pkgsrc/mail/imap-uw/patches/patch-an

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.