aboutsummaryrefslogtreecommitdiffstats
path: root/mail/mutt
diff options
context:
space:
mode:
authorshaun <shaun@FreeBSD.org>2006-06-30 22:38:26 +0800
committershaun <shaun@FreeBSD.org>2006-06-30 22:38:26 +0800
commitc0ad83dda68e6b69404ee81f0d3096fc3c975317 (patch)
tree2a76c146e68b4725dba0f3af23569ff9f5ddf79f /mail/mutt
parent4f24aea82c3c9cde3bde3ec262d1826b2b2a5c6d (diff)
downloadfreebsd-ports-gnome-c0ad83dda68e6b69404ee81f0d3096fc3c975317.tar.gz
freebsd-ports-gnome-c0ad83dda68e6b69404ee81f0d3096fc3c975317.tar.zst
freebsd-ports-gnome-c0ad83dda68e6b69404ee81f0d3096fc3c975317.zip
Fix IMAP buffer overflow:
http://www.securityfocus.com/bid/18642 PR: ports/99614 [1], ports/99610 [2] Submitted by: Udo Schweigert <udo.schweigert@siemens.com> (maintainer) [1], J.P. Dinger <jpd@vvtp.tudelft.nl> [2] Approved by: ahze (mentor)
Diffstat (limited to 'mail/mutt')
-rw-r--r--mail/mutt/Makefile2
-rw-r--r--mail/mutt/files/patch-imap-browse.c28
2 files changed, 29 insertions, 1 deletions
diff --git a/mail/mutt/Makefile b/mail/mutt/Makefile
index 0aacb1f50588..51fb7ee32d85 100644
--- a/mail/mutt/Makefile
+++ b/mail/mutt/Makefile
@@ -8,7 +8,7 @@
PORTNAME= mutt
PORTVERSION= 1.4.2.1
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES+= mail ipv6
MASTER_SITES= ftp://ftp.mutt.org/mutt/ \
ftp://ftp.fu-berlin.de/pub/unix/mail/mutt/ \
diff --git a/mail/mutt/files/patch-imap-browse.c b/mail/mutt/files/patch-imap-browse.c
new file mode 100644
index 000000000000..86cda3140e69
--- /dev/null
+++ b/mail/mutt/files/patch-imap-browse.c
@@ -0,0 +1,28 @@
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
+