mutt - CVE-2006-3242

Kacper Kornet kornet at camk.edu.pl
Wed, 12 Jul 2006, 18:43:23 CEST


Hello,

The mutt in AC seems to be vulnerable (CVE-2006-3242). I'm sending a patch
that fixes it.

Regards,
-- 
  Kacper Kornet
-------------- next part ---------
Index: mutt.spec
===================================================================
RCS file: /cvsroot/SPECS/mutt.spec,v
retrieving revision 1.183
diff -u -r1.183 mutt.spec
--- mutt.spec	22 Aug 2005 13:12:02 -0000	1.183
+++ mutt.spec	12 Jul 2006 16:32:53 -0000
@@ -20,7 +20,7 @@
 Summary(uk):	đĎŰÔĎ×Á ËĚŚ¤ÎÔÓŘËÁ ĐŇĎÇŇÁÍÁ Mutt
 Name:		mutt
 Version:	1.4.2.1
-Release:	10
+Release:	10.1
 Epoch:		6
 License:	GPL
 Group:		Applications/Mail
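Review bot: the Release bump to 10.1 is not accompanied by a %changelog entry anywhere in this diff; add one that names CVE-2006-3242 and the new Patch25 so the security fix is traceable from the package metadata rather than only from the list archive.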
@@ -54,6 +54,7 @@
 Patch22:	%{name}-kill_warnings.patch
 Patch23:	%{name}-Muttrc_mbox_path.patch
 Patch24:	%{name}-po.patch
+Patch25:	%{name}-CVE-2006-3242.patch
 URL:		http://www.mutt.org/
 BuildRequires:	autoconf
 BuildRequires:	automake
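Review bot: `Patch25:	%{name}-CVE-2006-3242.patch` expands to a file named mutt-CVE-2006-3242.patch, but the second attachment is a bare CVS diff with no filename; it has to be added to SOURCES under exactly that name before this spec change is committed, otherwise the build fails at %setup with a missing source.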
@@ -160,6 +161,7 @@
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
 
 # force regeneration (manual.sgml is modified by some patches)
 rm -f doc/{manual*.html,manual.txt}
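Review bot: `%patch25 -p1` is the right strip level for the attached diff, whose headers read `--- mutt/imap/browse.c` / `+++ mutt/imap/browse.c`; `-p1` drops the leading `mutt/` and leaves `imap/browse.c` relative to the unpacked source tree. The diff is taken between upstream CVS revisions 1.34.2.2 and 1.34.2.3 of browse.c, so it should be confirmed that the 1.4.2.1 tarball's imap/browse.c matches 1.34.2.2 at the touched lines (the hunks are small, so an offset is more likely than a rejection).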
-------------- next part ---------
===================================================================
RCS file: /var/lib/cvsd/cvsroots/mutt/imap/browse.c,v
retrieving revision 1.34.2.2
retrieving revision 1.34.2.3
diff -u -r1.34.2.2 -r1.34.2.3
--- mutt/imap/browse.c	2002/02/26 10:38:56	1.34.2.2
+++ mutt/imap/browse.c	2006/06/19 18:20:00	1.34.2.3
@@ -452,7 +452,7 @@
 	    if (*s == '\"')
 	    {
 	      s++;
-	      while (*s && *s != '\"') 
+	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
 	      {
 		if (*s == '\\')
 		  s++;
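Review bot: the new bound `n < sizeof (ns) - 1` stops the copy, but when it fires the loop exits with `s` still pointing inside the quoted namespace name rather than at the closing quote, so the parser is left desynchronised: the unconditional `s++` that follows the loop skips a name character instead of the quote, and the later `imap_next_word (s)` then reads the remainder of the over-long name as the delimiter field. A more robust shape keeps the loop condition as `*s && *s != '\"'` and only guards the store (`if (n < sizeof (ns) - 1) ns[n++] = *s;`), so the whole quoted token is consumed and `s` lands on the closing quote regardless of length. Separately, the escape handling `if (*s == '\\') s++;` advances past a backslash without checking that a character follows it; a name ending in a lone backslash makes the next store read the terminating NUL and the following increment step past it, so `if (*s == '\\' && s[1]) s++;` would be safer.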
@@ -463,12 +463,14 @@
 		s++;
 	    }
 	    else
-	      while (*s && !ISSPACE (*s)) 
+	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
 	      {
 		ns[n++] = *s;
 		s++;
 	      }
 	    ns[n] = '\0';
+	    if (n == sizeof (ns) - 1)
+	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
 	    /* delim? */
 	    s = imap_next_word (s);
 	    /* delimiter is meaningless if namespace is "". Why does
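Review bot: the truncation check `if (n == sizeof (ns) - 1)` cannot distinguish a name that was cut off from one that is exactly `sizeof (ns) - 1` bytes long and fit completely, so an exactly-fitting namespace is logged as "too long" and, conversely, the diagnostic only appears at debug level 1 via `dprint`, which means a truncated namespace is silently used as if it were complete in a normal build. The truncation case is better detected by whether the loop stopped on the bound rather than on the terminator (in the unquoted branch, `*s && !ISSPACE (*s)` is still true after the loop), and the same resynchronisation issue as in the quoted branch applies here: on truncation `s` stays inside the name and `imap_next_word (s)` picks up its tail as the delimiter, so the loop should keep consuming the token and only stop storing once `ns` is full.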


More information about the pld-devel-pl mailing list