From shaun@inerd.com  Sat Jul  1 20:30:46 2006
Return-Path: <shaun@inerd.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 15D8D16A518
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Jul 2006 20:30:46 +0000 (UTC)
	(envelope-from shaun@inerd.com)
Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124])
	by mx1.FreeBSD.org (Postfix) with SMTP id 134C2452E5
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Jul 2006 20:11:33 +0000 (GMT)
	(envelope-from shaun@inerd.com)
Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03])
	by dione.picobyte.net (Postfix) with ESMTP
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  1 Jul 2006 21:11:32 +0100 (BST)
Message-Id: <1151784692.15503@charon.picobyte.net>
Date: Sat, 1 Jul 2006 21:11:32 +0100
From: Shaun Amott <shaun@FreeBSD.org>
Reply-To: Shaun Amott <shaun@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
X-Send-Pr-Version: 3.113
X-GNATS-Notify: st@be.to

>Number:         99698
>Category:       ports
>Synopsis:       japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    shaun
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 01 20:40:16 GMT 2006
>Closed-Date:    Mon Jul 03 15:44:45 GMT 2006
>Last-Modified:  Mon Jul 03 15:44:45 GMT 2006
>Originator:     Shaun Amott
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:

>Description:

Add patch to fix IMAP buffer overflow vulnerability:
  http://www.vuxml.org/freebsd/d2a43243-087b-11db-bc36-0008743bf21a.html

>How-To-Repeat:

>Fix:

--- mutt-devel.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/japanese/mutt-devel/Makefile,v
retrieving revision 1.59
diff -u -r1.59 Makefile
--- Makefile	9 May 2006 00:18:01 -0000	1.59
+++ Makefile	1 Jul 2006 20:06:41 -0000
@@ -9,7 +9,7 @@
 
 PORTNAME=	mutt-devel
 PORTVERSION=	${VERSION}.j${JP_VERSION}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	japanese mail
 MASTER_SITES=	http://www.emaillab.org/mutt/1.5/ \
 		http://my.reset.jp/~iwashita/mutt/distfiles/ \
Index: files/patch-imap_browse.c
===================================================================
RCS file: files/patch-imap_browse.c
diff -N files/patch-imap_browse.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-imap_browse.c	1 Jul 2006 20:06:41 -0000
@@ -0,0 +1,27 @@
+--- imap/browse.c.orig	Wed Nov  5 09:41:36 2003
++++ imap/browse.c	Sat Jul  1 20:47:53 2006
+@@ -452,7 +452,7 @@
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
++	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -463,12 +463,14 @@
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
++	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
++	    if (n == sizeof (ns) - 1)
++	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
--- mutt-devel.diff ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->shaun 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sat Jul 1 21:04:07 UTC 2006 
Responsible-Changed-Why:  
Submitter has GNATS access 

http://www.freebsd.org/cgi/query-pr.cgi?pr=99698 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Sat Jul 1 21:04:13 UTC 2006 
State-Changed-Why:  
Awaiting maintainers feedback 

http://www.freebsd.org/cgi/query-pr.cgi?pr=99698 

From: SHIOZAKI Takehiko <st@be.to>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/99698: japanese/mutt-devel: Fix IMAP buffer overflow vulnerability
Date: Mon, 3 Jul 2006 11:12:16 +0900

 Dear Edwin Groothuis et al
 
 Thank you for your advice.
 I approve the patch and would appreciate it if you'd commit it.
 
 Regards
 
 
 [On Jul  1, Edwin Groothuis <edwin@FreeBSD.org> wrote:]
 
 >Maintainer of japanese/mutt-devel,
 >
 >Please note that PR ports/99698 has just been submitted.
 >
 >If it contains a patch for an upgrade, an enhancement or a bug fix
 >you agree on, reply to this email stating that you approve the patch
 >and a committer will take care of it.
 >
 >The full text of the PR can be found at:
 >    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/99698
 >
 >-- 
 >Edwin Groothuis
 >edwin@FreeBSD.org
 
 -- 
 SHIOZAKI Takehiko
State-Changed-From-To: feedback->closed 
State-Changed-By: shaun 
State-Changed-When: Mon Jul 3 15:44:16 UTC 2006 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=99698 
>Unformatted:
