Full patch for cve-2009-3235 for cyrus-imap-2.2. One hunk of bc_eval.c
doesn't apply to the older version (no BC_BODY handling).
I will commit it to the trunk in a few minutes.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Index: sieve/script.c
===================================================================
--- sieve/script.c (revision 842)
+++ sieve/script.c (working copy)
@@ -526,9 +526,9 @@
if ((ret != SIEVE_OK) && interp->err) {
char buf[1024];
if (lastaction == -1) /* we never executed an action */
- sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret));
+ snprintf(buf, sizeof(buf), "%s", errmsg ? errmsg : sieve_errstr(ret));
else
- sprintf(buf, "%s: %s", action_to_string(lastaction),
+ snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction),
errmsg ? errmsg : sieve_errstr(ret));
ret |= interp->execute_err(buf, interp->interp_context,
Index: sieve/sieve.y
===================================================================
--- sieve/sieve.y (revision 842)
+++ sieve/sieve.y (working copy)
@@ -923,7 +923,7 @@
else if (!strcmp(r, "ne")) {return NE;}
else if (!strcmp(r, "eq")) {return EQ;}
else{
- sprintf(errbuf, "flag '%s': not a valid relational operation", r);
+ snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r);
yyerror(errbuf);
return -1;
}
Index: sieve/bc_eval.c
===================================================================
--- sieve/bc_eval.c (revision 842)
+++ sieve/bc_eval.c (working copy)
@@ -440,7 +440,7 @@
int comparator=ntohl(bc[i+3].value);
int apart=ntohl(bc[i+4].value);
int count=0;
- char scount[3];
+ char scount[21];
int isReg = (match==B_REGEX);
int ctag = 0;
regex_t *reg;
@@ -608,7 +608,7 @@
int relation=ntohl(bc[i+2].value);
int comparator=ntohl(bc[i+3].value);
int count=0;
- char scount[3];
+ char scount[21];
int isReg = (match==B_REGEX);
int ctag = 0;
regex_t *reg;
