Sun Jul 13 16:26:17 2008 UTC ()
Add patch for IMAP tag arbitrary code execution in the perdition IMAP server
(CVE-2007-5740).


(tonnerre)
diff -r1.10 -r1.11 pkgsrc/mail/perdition/Makefile
diff -r1.6 -r1.7 pkgsrc/mail/perdition/distinfo
diff -r0 -r1.1 pkgsrc/mail/perdition/patches/patch-ah

cvs diff -r1.10 -r1.11 pkgsrc/mail/perdition/Makefile (expand / switch to context diff)
--- pkgsrc/mail/perdition/Makefile 2008/06/12 02:14:35 1.10
+++ pkgsrc/mail/perdition/Makefile 2008/07/13 16:26:17 1.11
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2008/06/12 02:14:35 joerg Exp $
+# $NetBSD: Makefile,v 1.11 2008/07/13 16:26:17 tonnerre Exp $
 #
 
-PKGREVISION=		7
+PKGREVISION=		8
 
 PERDITION_COMMENT=	main program
 

cvs diff -r1.6 -r1.7 pkgsrc/mail/perdition/distinfo (expand / switch to context diff)
--- pkgsrc/mail/perdition/distinfo 2007/03/02 11:37:33 1.6
+++ pkgsrc/mail/perdition/distinfo 2008/07/13 16:26:17 1.7
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/03/02 11:37:33 grant Exp $
+$NetBSD: distinfo,v 1.7 2008/07/13 16:26:17 tonnerre Exp $
 
 SHA1 (perdition-1.17.tar.gz) = 5e04f172db4a7ee2af5b7a28c19c231f955243fc
 RMD160 (perdition-1.17.tar.gz) = cc3c4679390132ece6858eca6483ffddead568e4
@@ -10,3 +10,4 @@
 SHA1 (patch-ae) = a3a41d06a7a63d479f4c8de29b6d7ee2a745dd87
 SHA1 (patch-af) = 0fa5a853c69ff6869e3a752fc592228d6e782079
 SHA1 (patch-ag) = 350cfc64f98611455292d4d052463e6828588338
+SHA1 (patch-ah) = 6a88d3c73cc5e5b88a58b057c58fdbe182f2d0d4

File Added: pkgsrc/mail/perdition/patches/Attic/patch-ah
$NetBSD: patch-ah,v 1.1 2008/07/13 16:26:17 tonnerre Exp $

--- perdition/imap4_in.c.orig	2005-06-22 07:50:05.000000000 +0200
+++ perdition/imap4_in.c
@@ -277,6 +277,76 @@ int imap4_in_authenticate(
 
 #endif /* WITH_PAM_SUPPORT */
 
+/**********************************************************************
+ * imap4_in_verify_tag_str
+ * Verify that a tag is valid
+ * Pre: tag: io_t to write to
+ * Return 0 on success
+ *        -1 otherwise
+ **********************************************************************/
+
+/* Excerpts from rfc3501, Section 9. Formal Syntax
+ *
+ * The ASCII NUL character, %x00, MUST NOT be used at any time.
+ *
+ * tag             = 1*<any ASTRING-CHAR except "+">
+ *
+ * ATOM-CHAR       = <any CHAR except atom-specials>
+ *
+ * atom-specials   = "(" / ")" / "{" / SP / CTL / list-wildcards /
+ *                quoted-specials / resp-specials
+ *
+ * list-wildcards  = "%" / "*"
+ *
+ * quoted-specials = DQUOTE / "\"
+ *
+ * resp-specials   = "]"
+ *
+ * Excerpts from rfc2060, Section 9. Formal Syntax
+ *
+ * CHAR            ::= <any 7-bit US-ASCII character except NUL,
+ *                      0x01 - 0x7f>
+ *
+ * CTL             ::= <any ASCII control character and DEL,
+ *                         0x00 - 0x1f, 0x7f>
+ */
+
+static int imap4_in_verify_tag_str(const token_t *tag)
+{
+	unsigned char *tag_str;
+	size_t tag_str_len, i;
+
+	tag_str_len = token_len(tag);
+
+	if (!tag_str_len)
+		return -1;
+
+	tag_str = token_buf(tag);
+
+	for (i = 0; i < tag_str_len; i++) {
+		/* Must be ASCII, must not be a control character */
+		if (tag_str[i] <= 0x1f || tag_str[i] >= 0x7f)
+			return -1;
+		/* Must not be other reserved characters */
+		switch(tag_str[i]) {
+			case '\0':
+			case '(':
+			case ')':
+			case '{':
+			case ' ':
+			case '%':
+			case '*':
+			case '"':
+			case '\\':
+			case ']':
+				return -1;
+		}
+	}
+
+	return 0;
+}
+
+
 
 /**********************************************************************
  * imap4_in_get_pw
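Review bot: The switch in imap4_in_verify_tag_str does not reject `+`, although the RFC 3501 excerpt quoted just above it defines a tag as any ASTRING-CHAR except "+"; adding `case '+':` to the list would make the check match that grammar. The header comment's `Pre: tag: io_t to write to` looks copied from another function and should describe the argument, for example `Pre: tag: token holding the client-supplied tag to check`. `case '\0':` can never match, because the range test before the switch already returns for any byte <= 0x1f. The loop is bounded by token_len(tag) rather than a terminator, so (assuming token_len reports the full byte count) bytes after an embedded NUL are still inspected; a short comment saying so would keep a later cleanup from replacing it with a strlen-style loop.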
@@ -337,19 +407,20 @@ int imap4_in_get_pw(io_t *io, struct pas
       break;
     }
 
+    if (imap4_in_verify_tag_str(tag)) {
+      token_assign(tag, (unsigned char *)strdup(IMAP4_UNTAGGED),
+		   strlen(IMAP4_UNTAGGED), 0);
+      __IMAP4_IN_BAD("Invalid tag, mate");
+      goto loop;
+    }
+
     if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){
       VANESSA_LOGGER_DEBUG("vanessa_queue_pop 1");
       break;
     }
 
     if(token_is_eol(tag)){
-      if(token_is_null(tag)){
-	token_assign(tag, strdup(IMAP4_BAD), strlen(IMAP4_BAD), 0);
-	__IMAP4_IN_BAD("Null tag, mate");
-      }
-      else {
-	__IMAP4_IN_BAD("Missing command, mate");
-      }
+      __IMAP4_IN_BAD("Missing command, mate");
       goto loop;
     }
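Review bot: The added `if (imap4_in_verify_tag_str(tag))` block sits before `vanessa_queue_pop(q, (void **)&tag)`, which is the call that loads `tag` for the line just read. As placed, the check appears to inspect whatever `tag` held beforehand (a token from an earlier pass through the loop, or nothing on the first pass) rather than the tag the client just sent. The block should move to directly after the pop's closing `}` and before `if(token_is_eol(tag))`, so the validation covers the new tag before `__IMAP4_IN_BAD` or any other reply uses it. The start of imap4_in_get_pw and the `loop` label are outside this hunk, so the state of `tag` at that point needs confirming against the full file. Separately, the result of `strdup(IMAP4_UNTAGGED)` is handed to token_assign without a NULL check.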