Sun Jul 13 16:26:17 2008 UTC ()
Add patch for IMAP tag arbitrary code execution in the perdition IMAP server
(CVE-2007-5740).
(tonnerre)
diff -r1.10 -r1.11 pkgsrc/mail/perdition/Makefile
diff -r1.6 -r1.7 pkgsrc/mail/perdition/distinfo
diff -r0 -r1.1 pkgsrc/mail/perdition/patches/patch-ah
--- pkgsrc/mail/perdition/Makefile 2008/06/12 02:14:35 1.10
+++ pkgsrc/mail/perdition/Makefile 2008/07/13 16:26:17 1.11
| @@ -1,17 +1,17 @@ | | | @@ -1,17 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.10 2008/06/12 02:14:35 joerg Exp $ | | 1 | # $NetBSD: Makefile,v 1.11 2008/07/13 16:26:17 tonnerre Exp $ |
| 2 | # | | 2 | # |
| 3 | | | 3 | |
| 4 | PKGREVISION= 7 | | 4 | PKGREVISION= 8 |
| 5 | | | 5 | |
| 6 | PERDITION_COMMENT= main program | | 6 | PERDITION_COMMENT= main program |
| 7 | | | 7 | |
| 8 | PKG_DESTDIR_SUPPORT= user-destdir | | 8 | PKG_DESTDIR_SUPPORT= user-destdir |
| 9 | | | 9 | |
| 10 | .include "options.mk" | | 10 | .include "options.mk" |
| 11 | | | 11 | |
| 12 | OWN_DIRS+= ${PKG_SYSCONFDIR} | | 12 | OWN_DIRS+= ${PKG_SYSCONFDIR} |
| 13 | .for f in Makefile.popmap perdition.conf popmap popmap.re | | 13 | .for f in Makefile.popmap perdition.conf popmap popmap.re |
| 14 | CONF_FILES+= ${EGDIR}/perdition/$f ${PKG_SYSCONFDIR}/${f:.popmap=} | | 14 | CONF_FILES+= ${EGDIR}/perdition/$f ${PKG_SYSCONFDIR}/${f:.popmap=} |
| 15 | .endfor | | 15 | .endfor |
| 16 | RCD_SCRIPTS+= perdition.imap4 perdition.imap4s perdition.pop3 perdition.pop3s | | 16 | RCD_SCRIPTS+= perdition.imap4 perdition.imap4s perdition.pop3 perdition.pop3s |
| 17 | | | 17 | |
--- pkgsrc/mail/perdition/distinfo 2007/03/02 11:37:33 1.6
+++ pkgsrc/mail/perdition/distinfo 2008/07/13 16:26:17 1.7
| @@ -1,12 +1,13 @@ | | | @@ -1,12 +1,13 @@ |
| 1 | $NetBSD: distinfo,v 1.6 2007/03/02 11:37:33 grant Exp $ | | 1 | $NetBSD: distinfo,v 1.7 2008/07/13 16:26:17 tonnerre Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (perdition-1.17.tar.gz) = 5e04f172db4a7ee2af5b7a28c19c231f955243fc | | 3 | SHA1 (perdition-1.17.tar.gz) = 5e04f172db4a7ee2af5b7a28c19c231f955243fc |
| 4 | RMD160 (perdition-1.17.tar.gz) = cc3c4679390132ece6858eca6483ffddead568e4 | | 4 | RMD160 (perdition-1.17.tar.gz) = cc3c4679390132ece6858eca6483ffddead568e4 |
| 5 | Size (perdition-1.17.tar.gz) = 552149 bytes | | 5 | Size (perdition-1.17.tar.gz) = 552149 bytes |
| 6 | SHA1 (patch-aa) = 17c6bf55f77187cad59f779e6fbcd85d6921eab1 | | 6 | SHA1 (patch-aa) = 17c6bf55f77187cad59f779e6fbcd85d6921eab1 |
| 7 | SHA1 (patch-ab) = 7d7b8458c104437e83934b3b0fea573bd54aced0 | | 7 | SHA1 (patch-ab) = 7d7b8458c104437e83934b3b0fea573bd54aced0 |
| 8 | SHA1 (patch-ac) = 5096afa901f6f5766d9a8b0d2481c8f9c1356fe1 | | 8 | SHA1 (patch-ac) = 5096afa901f6f5766d9a8b0d2481c8f9c1356fe1 |
| 9 | SHA1 (patch-ad) = 7b53169a8571141016fa79e1fbf55439579c4d77 | | 9 | SHA1 (patch-ad) = 7b53169a8571141016fa79e1fbf55439579c4d77 |
| 10 | SHA1 (patch-ae) = a3a41d06a7a63d479f4c8de29b6d7ee2a745dd87 | | 10 | SHA1 (patch-ae) = a3a41d06a7a63d479f4c8de29b6d7ee2a745dd87 |
| 11 | SHA1 (patch-af) = 0fa5a853c69ff6869e3a752fc592228d6e782079 | | 11 | SHA1 (patch-af) = 0fa5a853c69ff6869e3a752fc592228d6e782079 |
| 12 | SHA1 (patch-ag) = 350cfc64f98611455292d4d052463e6828588338 | | 12 | SHA1 (patch-ag) = 350cfc64f98611455292d4d052463e6828588338 |
| | | 13 | SHA1 (patch-ah) = 6a88d3c73cc5e5b88a58b057c58fdbe182f2d0d4 |
$NetBSD: patch-ah,v 1.1 2008/07/13 16:26:17 tonnerre Exp $
--- perdition/imap4_in.c.orig 2005-06-22 07:50:05.000000000 +0200
+++ perdition/imap4_in.c
@@ -277,6 +277,76 @@ int imap4_in_authenticate(
#endif /* WITH_PAM_SUPPORT */
+/**********************************************************************
+ * imap4_in_verify_tag_str
+ * Verify that a tag is valid
+ * Pre: tag: io_t to write to
+ * Return 0 on success
+ * -1 otherwise
+ **********************************************************************/
+
+/* Excerpts from rfc3501, Section 9. Formal Syntax
+ *
+ * The ASCII NUL character, %x00, MUST NOT be used at any time.
+ *
+ * tag = 1*<any ASTRING-CHAR except "+">
+ *
+ * ATOM-CHAR = <any CHAR except atom-specials>
+ *
+ * atom-specials = "(" / ")" / "{" / SP / CTL / list-wildcards /
+ * quoted-specials / resp-specials
+ *
+ * list-wildcards = "%" / "*"
+ *
+ * quoted-specials = DQUOTE / "\"
+ *
+ * resp-specials = "]"
+ *
+ * Excerpts from rfc2060, Section 9. Formal Syntax
+ *
+ * CHAR ::= <any 7-bit US-ASCII character except NUL,
+ * 0x01 - 0x7f>
+ *
+ * CTL ::= <any ASCII control character and DEL,
+ * 0x00 - 0x1f, 0x7f>
+ */
+
+static int imap4_in_verify_tag_str(const token_t *tag)
+{
+ unsigned char *tag_str;
+ size_t tag_str_len, i;
+
+ tag_str_len = token_len(tag);
+
+ if (!tag_str_len)
+ return -1;
+
+ tag_str = token_buf(tag);
+
+ for (i = 0; i < tag_str_len; i++) {
+ /* Must be ASCII, must not be a control character */
+ if (tag_str[i] <= 0x1f || tag_str[i] >= 0x7f)
+ return -1;
+ /* Must not be other reserved characters */
+ switch(tag_str[i]) {
+ case '\0':
+ case '(':
+ case ')':
+ case '{':
+ case ' ':
+ case '%':
+ case '*':
+ case '"':
+ case '\\':
+ case ']':
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+
/**********************************************************************
* imap4_in_get_pw
@@ -337,19 +407,20 @@ int imap4_in_get_pw(io_t *io, struct pas
break;
}
+ if (imap4_in_verify_tag_str(tag)) {
+ token_assign(tag, (unsigned char *)strdup(IMAP4_UNTAGGED),
+ strlen(IMAP4_UNTAGGED), 0);
+ __IMAP4_IN_BAD("Invalid tag, mate");
+ goto loop;
+ }
+
if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){
VANESSA_LOGGER_DEBUG("vanessa_queue_pop 1");
break;
}
if(token_is_eol(tag)){
- if(token_is_null(tag)){
- token_assign(tag, strdup(IMAP4_BAD), strlen(IMAP4_BAD), 0);
- __IMAP4_IN_BAD("Null tag, mate");
- }
- else {
- __IMAP4_IN_BAD("Missing command, mate");
- }
+ __IMAP4_IN_BAD("Missing command, mate");
goto loop;
}