Hi,
attached is a patch for a 0-day NMU that fixes this issue.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u uw-imap-2007b~dfsg/debian/changelog uw-imap-2007b~dfsg/debian/changelog
--- uw-imap-2007b~dfsg/debian/changelog
+++ uw-imap-2007b~dfsg/debian/changelog
@@ -1,3 +1,13 @@
+uw-imap (8:2007b~dfsg-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix denial of service vulnerability because of rfc822_output_char() not
+    checking for a full buffer and writing one byte ahead the buffer, later
+    resulting in memcpy getting called with a possible size argument of -1
+    (0003_CVE-2008-5514.patch; Closes: #510918)
+
+ -- Nico Golde <n...@debian.org>  Thu, 15 Jan 2009 19:00:01 +0100
+
 uw-imap (8:2007b~dfsg-1) unstable; urgency=medium
 
   * Revert to older upstream 2007b, and instead bump epoc, as simplest
diff -u uw-imap-2007b~dfsg/debian/patches/series uw-imap-2007b~dfsg/debian/patches/series
--- uw-imap-2007b~dfsg/debian/patches/series
+++ uw-imap-2007b~dfsg/debian/patches/series
@@ -1,5 +1,6 @@
 0001_insecure_strcmp.patch
 0002_no_close_quit_netstream.patch
+0003_CVE-2008-5514.patch
 1001_shlibs.patch
 1003_maildir.patch
 2002_mailspool.patch
only in patch2:
unchanged:
--- uw-imap-2007b~dfsg.orig/debian/patches/0003_CVE-2008-5514.patch
+++ uw-imap-2007b~dfsg/debian/patches/0003_CVE-2008-5514.patch
@@ -0,0 +1,20 @@
+--- a/src/c-client/rfc822.c	2008-05-15 00:34:51.000000000 +0200
++++ b/src/c-client/rfc822.c	2008-12-17 00:52:15.000000000 +0100
+@@ -1351,6 +1351,7 @@
+ 
+ static long rfc822_output_char (RFC822BUFFER *buf,int c)
+ {
++  if ((buf->cur == buf->end) && !rfc822_output_flush (buf)) return NIL;
+   *buf->cur++ = c;		/* add character, soutr buffer if full */
+   return (buf->cur == buf->end) ? rfc822_output_flush (buf) : LONGT;
+ }
+@@ -1374,7 +1375,8 @@
+       len -= i;
+     }
+ 				/* soutr buffer now if full */
+-    if (len && !rfc822_output_flush (buf)) return NIL;
++    if ((len || (buf->cur == buf->end)) && !rfc822_output_flush (buf))
++      return NIL;
+   }
+   return LONGT;
+ }
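Review bot: The guard added to rfc822_output_char() relies on rfc822_output_flush() resetting buf->cur so that the unconditional write on the following line has room, but the flush routine is not in the hunk and the function gains no comment stating that invariant. I would put `/* buffer already full: flush first, the write below needs buf->cur < buf->end */` above the new line, since this is the condition the CVE-2008-5514 fix hinges on and later edits to the flush path should see it. The second hunk's widened condition `(len || (buf->cur == buf->end))` depends on the same invariant; its enclosing function starts outside the hunk, so I cannot tell from here whether a final partial write is also covered. The new patch file itself carries no header describing its origin and purpose; a leading comment naming CVE-2008-5514 and Debian bug #510918 would make the series self-describing.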

Attachment: pgpTKPNlIjJDo.pgp
Description: PGP signature
