head 1.6; access; symbols OPENPKG_E1_MP_HEAD:1.6 OPENPKG_E1_MP:1.6 OPENPKG_E1_MP_2_STABLE:1.5.2.2 OPENPKG_E1_FP:1.5.2.2 OPENPKG_2_STABLE_MP:1.6 OPENPKG_2_STABLE_20061018:1.5.2.1 OPENPKG_2_STABLE_20060622:1.5 OPENPKG_2_STABLE:1.5.0.2 OPENPKG_2_STABLE_BP:1.5 OPENPKG_2_5_SOLID:1.4.0.2 OPENPKG_2_5_SOLID_BP:1.4 OPENPKG_2_4_RELEASE:1.1 OPENPKG_2_4_SOLID:1.1.0.16 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.14 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_RELEASE:1.1 OPENPKG_2_2_SOLID:1.1.0.12 OPENPKG_2_2_SOLID_BP:1.1 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.10 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_1_3_SOLID:1.1.0.8 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.6 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_1_SOLID:1.1.0.4 OPENPKG_1_2_SOLID:1.1.0.2; locks; strict; comment @# @; 1.6 date 2006.07.15.08.39.59; author rse; state dead; branches; next 1.5; commitid f3MbLSZfHVm8XVEr; 1.5 date 2006.02.19.08.14.28; author rse; state Exp; branches 1.5.2.1; next 1.4; commitid E4sJa7gFydUkvamr; 1.4 date 2005.09.30.08.19.53; author rse; state dead; branches 1.4.2.1; next 1.3; 1.3 date 2005.09.23.09.23.37; author rse; state Exp; branches; next 1.2; 1.2 date 2005.09.23.09.14.46; author thl; state Exp; branches; next 1.1; 1.1 date 2003.03.20.15.06.59; author thl; state dead; branches 1.1.2.1 1.1.4.1 1.1.8.1; next ; 1.5.2.1 date 2006.07.15.16.24.21; author rse; state Exp; branches; next 1.5.2.2; commitid x9z5rwcExS5rwYEr; 1.5.2.2 date 2006.10.20.14.37.14; author rse; state dead; branches; next ; commitid TDZLdhhgqxsnOqRr; 1.4.2.1 date 2006.07.15.16.27.43; author rse; state Exp; branches; next ; commitid 11lYBaRiVbSAxYEr; 1.1.2.1 date 2003.03.20.15.06.59; author thl; state Exp; branches; next ; 1.1.4.1 date 2003.03.20.15.22.06; author thl; state Exp; branches; next ; 1.1.8.1 date 2004.03.09.14.40.52; author thl; state Exp; branches; next ; desc @@ 1.6 log @upgrading package: mutt 1.5.11i -> 1.5.12i @ text @Index: smime.c --- smime.c.orig 2005-08-14 14:33:37 +0200 +++ smime.c 
2006-02-19 09:11:56 +0100 @@@@ -1989,7 +1989,6 @@@@ if ((p = smime_ask_for_key (_("Sign as: "), NULL, 0))) { - p[mutt_strlen (p)-1] = '\0'; mutt_str_replace (&SmimeDefaultKey, p); msg->security |= SIGN; @ 1.5 log @Fix the 'sign as' function for SMIME with a patch taken over from the FreeBSD ports @ text @@ 1.5.2.1 log @Security Fix (CVE-2006-3242) @ text @a11 34 ----------------------------------------------------------------------------- Security Fix (CVE-2006-3242) http://dev.mutt.org/cgi-bin/viewcvs.cgi/mutt/imap/browse.c?r1=1.34.2.2&r2=1.34.2.3&makepatch=1&diff_format=u Index: imap/browse.c --- imap/browse.c 2002/02/26 10:38:56 1.34.2.2 +++ imap/browse.c 2006/06/19 18:20:00 1.34.2.3 @@@@ -452,7 +452,7 @@@@ if (*s == '\"') { s++; - while (*s && *s != '\"') + while (*s && *s != '\"' && n < sizeof (ns) - 1) { if (*s == '\\') s++; @@@@ -463,12 +463,14 @@@@ s++; } else - while (*s && !ISSPACE (*s)) + while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) { ns[n++] = *s; s++; } ns[n] = '\0'; + if (n == sizeof (ns) - 1) + dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); /* delim? */ s = imap_next_word (s); /* delimiter is meaningless if namespace is "". 
Why does @ 1.5.2.2 log @administrative CVS branch cleanup (just don't ask ;-) @ text @@ 1.4 log @Upgrade from Mutt 1.4 to Mutt 1.5 @ text @d1 4 a4 11 Index: keymap.h --- keymap.h.orig 2001-09-11 13:20:34 +0200 +++ keymap.h 2005-09-23 11:20:32 +0200 @@@@ -22,6 +22,8 @@@@ /* maximal length of a key binding sequence used for buffer in km_bindkey */ #define MAX_SEQ 8 +#include "mapping.h" + /* type for key storage, the rest of mutt works fine with int type */ typedef short keycode_t; d6 6 @ 1.4.2.1 log @Security Fix (CVE-2006-3242) @ text @d1 12 a12 31 Security Fix (CVE-2006-3242) http://dev.mutt.org/cgi-bin/viewcvs.cgi/mutt/imap/browse.c?r1=1.34.2.2&r2=1.34.2.3&makepatch=1&diff_format=u Index: imap/browse.c --- imap/browse.c 2002/02/26 10:38:56 1.34.2.2 +++ imap/browse.c 2006/06/19 18:20:00 1.34.2.3 @@@@ -452,7 +452,7 @@@@ if (*s == '\"') { s++; - while (*s && *s != '\"') + while (*s && *s != '\"' && n < sizeof (ns) - 1) { if (*s == '\\') s++; @@@@ -463,12 +463,14 @@@@ s++; } else - while (*s && !ISSPACE (*s)) + while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1) { ns[n++] = *s; s++; } ns[n] = '\0'; + if (n == sizeof (ns) - 1) + dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns)); /* delim? */ s = imap_next_word (s); /* delimiter is meaningless if namespace is "". Why does @ 1.3 log @remove totally bogus hunks from Fedora patch: the whole parenthesis fiddling is B.S. 
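Review bot: When either copy loop in the imap/browse.c fix stops on the new `n < sizeof (ns) - 1` bound, `s` is left in the middle of the over-long namespace token and the only trace is a level-1 debug line; the `imap_next_word (s)` call after `/* delim? */` then resumes from inside the name. Whether that resynchronises on the delimiter depends on `imap_next_word`, which is not visible here; for a quoted name containing whitespace it plausibly does not, so I would consume the rest of the token (up to the closing quote or the next whitespace) before the delimiter step. The test `n == sizeof (ns) - 1` also fires for a name that fills the buffer exactly without being cut, so the "too long" message can be a false positive. Part of the quoted-branch loop body lies between the two hunks, so the path after `if (*s == '\\') s++;` could not be reviewed from here. The same two hunks appear a second time in the 1.4.2.1 revision text on this line, and the note applies to both copies.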
and actually a NO-OP for a standard-compliant C compiler @ text @@ 1.2 log @gcc4 fix for mutt @ text @d1 3 a3 3 taken from FedoraCore4 mutt-1.4.2.1-2.src.rpm/mutt-1.4.2.1-gcc4.patch --- mutt-1.4.2.1/keymap.h.foo 2005-03-07 16:12:31.000000000 -0500 +++ mutt-1.4.2.1/keymap.h 2005-03-07 16:12:42.000000000 -0500 a12 65 --- mutt-1.4.2.1/mutt_socket.c.foo 2005-03-07 16:33:30.000000000 -0500 +++ mutt-1.4.2.1/mutt_socket.c 2005-03-07 16:38:36.000000000 -0500 @@@@ -50,7 +50,7 @@@@ if (socket_preconnect ()) return -1; - return conn->open (conn); + return (conn->open) (conn); } int mutt_socket_close (CONNECTION* conn) @@@@ -60,7 +60,7 @@@@ if (conn->fd < 0) dprint (1, (debugfile, "mutt_socket_close: Attempt to close closed connection.\n")); else - rc = conn->close (conn); + rc = (conn->close) (conn); conn->fd = -1; conn->ssf = 0; @@@@ -78,7 +78,7 @@@@ return -1; } - rc = conn->read (conn, buf, len); + rc = (conn->read) (conn, buf, len); /* EOF */ if (rc == 0) { @@@@ -105,7 +105,7 @@@@ } len = mutt_strlen (buf); - if ((rc = conn->write (conn, buf, len)) < 0) + if ((rc = (conn->write) (conn, buf, len)) < 0) { dprint (1, (debugfile, "mutt_socket_write: error writing, closing socket\n")); @@@@ -129,7 +129,7 @@@@ if (conn->bufpos >= conn->available) { if (conn->fd >= 0) - conn->available = conn->read (conn, conn->inbuf, sizeof (conn->inbuf)); + conn->available = (conn->read) (conn, conn->inbuf, sizeof (conn->inbuf)); else { dprint (1, (debugfile, "mutt_socket_readchar: attempt to read from closed connection.\n")); --- mutt-1.4.2.1/mutt_socket.h.foo 2005-03-07 16:37:33.000000000 -0500 +++ mutt-1.4.2.1/mutt_socket.h 2005-03-07 16:38:05.000000000 -0500 @@@@ -44,10 +44,10 @@@@ struct _connection *next; void *sockdata; - int (*read) (struct _connection* conn, char* buf, size_t len); - int (*write) (struct _connection *conn, const char *buf, size_t count); - int (*open) (struct _connection *conn); - int (*close) (struct _connection *conn); + int (*(read)) (struct _connection* conn, 
char* buf, size_t len); + int (*(write)) (struct _connection *conn, const char *buf, size_t count); + int (*(open)) (struct _connection *conn); + int (*(close)) (struct _connection *conn); } CONNECTION; int mutt_socket_open (CONNECTION* conn); @ 1.1 log @file mutt.patch was initially added on branch OPENPKG_1_2_SOLID. @ text @d1 77 @ 1.1.8.1 log @SA-2004.005-mutt; CAN-2004-0078 @ text @a0 50 http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-0078 Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Index: menu.c =================================================================== RCS file: /home/roessler/cvs/mutt/menu.c,v retrieving revision 2.27.2.1 retrieving revision 2.27.2.2 diff -u -d -u -d -r mutt-1-4-1-rel -r mutt-1-4-2-rel --- menu.c 28 Jan 2002 10:18:50 -0000 2.27.2.1 +++ menu.c 11 Feb 2004 10:07:17 -0000 2.27.2.2 @@@@ -148,30 +148,13 @@@@ menu->make_entry (s, l, menu, i); } -void menu_pad_string (char *s, size_t l) +void menu_pad_string (char *s, size_t n) { - size_t n = mutt_strlen (s); int shift = option (OPTARROWCURSOR) ? 3 : 0; - - l--; /* save room for the terminal \0 */ - if (l > COLS - shift) - l = COLS - shift; - - /* Let's just pad the string anyway ... 
*/ - mutt_format_string (s, INT_MAX, l, l, 0, ' ', s, n, 1); - return; + int cols = COLS - shift; -#if !defined (HAVE_BKGDSET) && !defined (USE_SLANG_CURSES) - /* we have to pad the string with blanks to the end of line */ - if (n < l) - { - while (n < l) - s[n++] = ' '; - s[n] = 0; - } - else -#endif - s[l] = 0; + mutt_format_string (s, n, cols, cols, 0, ' ', s, strlen (s), 1); + s[n - 1] = 0; } void menu_redraw_full (MUTTMENU *menu) @ 1.1.4.1 log @OpenPKG-SA-2003.025-mutt @ text @a0 82 http://www.corest.com/common/showdoc.php?idx=310&idxseccion=10 http://marc.theaimsgroup.com/?l=bugtraq&m=104812904712828&w=2 Mutt versions 1.4.1 and 1.5.4 have just been released and will soon be available from ftp://ftp.mutt.org/mutt/. Both versions fix a buffer overflow in mutt's IMAP client code which was identified by Core Security Technologies, and fixed by Edmund Grimley Evans. A more detailed advisory will be published by Core Security. ChangeLog mutt/imap/utf7.c: 
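Review bot: `s[n - 1] = 0;` at the end of the new `menu_pad_string` writes far outside the buffer if a caller ever passes `n == 0`, because `n` is a `size_t` and `n - 1` wraps; a guard such as `if (!s || n == 0) return;` at the top of the function closes that. `strlen (s)` also relies on `s` already being NUL-terminated within `n` bytes on entry, which the function cannot verify, so the contract deserves a comment above the signature, e.g. `/* s: NUL-terminated string in a buffer of n bytes, n > 0 */`. `cols` is `COLS - shift` with no lower bound, so on a terminal narrower than the arrow-cursor shift it goes negative before being passed as both widths to `mutt_format_string`, whose handling of a negative width is not visible here.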
From: Edmund GRIMLEY EVANS Fix a buffer overflow in utf8_to_utf7 --- mutt-1.4/browser.c Thu Mar 20 15:22:46 2003 +++ mutt-1.4.1/browser.c Thu Mar 20 15:24:13 2003 @@@@ -192,25 +192,27 @@@@ break; case 'f': + { + char *s; #ifdef USE_IMAP if (folder->ff->imap) - strfcpy (fn, NONULL(folder->ff->desc), sizeof (fn)); + s = NONULL (folder->ff->desc); else #endif - strfcpy (fn, folder->ff->name, sizeof(fn)); - if (folder->ff->st != NULL) - { - strcat (fn, S_ISLNK (folder->ff->st->st_mode) ? "@@" : /* __STRCAT_CHECKED__ */ - (S_ISDIR (folder->ff->st->st_mode) ? "/" : - ((folder->ff->st->st_mode & S_IXUSR) != 0 ? "*" : ""))); - } + s = NONULL (folder->ff->name); + + snprintf (fn, sizeof (fn), "%s%s", s, + folder->ff->st ? (S_ISLNK (folder->ff->st->st_mode) ? "@@" : + (S_ISDIR (folder->ff->st->st_mode) ? "/" : + ((folder->ff->st->st_mode & S_IXUSR) != 0 ? "*" : ""))) : ""); + mutt_format_s (dest, destlen, fmt, fn); break; - + } case 'F': if (folder->ff->st != NULL) { - sprintf (permission, "%c%c%c%c%c%c%c%c%c%c", + snprintf (permission, sizeof (permission), "%c%c%c%c%c%c%c%c%c%c", S_ISDIR(folder->ff->st->st_mode) ? 'd' : (S_ISLNK(folder->ff->st->st_mode) ? 'l' : '-'), (folder->ff->st->st_mode & S_IRUSR) != 0 ? 'r': '-', (folder->ff->st->st_mode & S_IWUSR) != 0 ? 'w' : '-', @@@@ -227,8 +229,8 @@@@ else if (folder->ff->imap) { /* mark folders with subfolders AND mail */ - sprintf (permission, "IMAP %c", - (folder->ff->inferiors && folder->ff->selectable) ? '+' : ' '); + snprintf (permission, sizeof (permission), "IMAP %c", + (folder->ff->inferiors && folder->ff->selectable) ? '+' : ' '); mutt_format_s (dest, destlen, fmt, permission); } #endif --- mutt-1.4/imap/utf7.c Tue Feb 13 23:06:16 2001 +++ mutt-1.4.1/imap/utf7.c Wed Mar 19 22:33:30 2003 @@@@ -149,7 +149,11 @@@@ int n, i, b = 0, k = 0; int base64 = 0; - p = buf = safe_malloc (u8len * 2 + 1); + /* + * In the worst case we convert 2 chars to 7 chars. For example: + * "\x10&\x10&..." -> "&ABA-&-&ABA-&-...". 
+ */ + p = buf = safe_malloc ((u8len / 2) * 7 + 6); while (u8len) { @ 1.1.2.1 log @OpenPKG-SA-2003.025-mutt @ text @a0 82 http://www.corest.com/common/showdoc.php?idx=310&idxseccion=10 http://marc.theaimsgroup.com/?l=bugtraq&m=104812904712828&w=2 Mutt versions 1.4.1 and 1.5.4 have just been released and will soon be available from ftp://ftp.mutt.org/mutt/. Both versions fix a buffer overflow in mutt's IMAP client code which was identified by Core Security Technologies, and fixed by Edmund Grimley Evans. A more detailed advisory will be published by Core Security. ChangeLog mutt/imap/utf7.c: 
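Review bot: The new size expression `(u8len / 2) * 7 + 6` in imap/utf7.c is evaluated without an overflow check, so a sufficiently large `u8len` could wrap the multiplication and give `safe_malloc` a size below the worst case the comment describes. The declaration of `u8len` and any cap on mailbox-name length are outside the hunk, so this may be unreachable in practice; if `u8len` is a `size_t`, a test like `u8len / 2 > (SIZE_MAX - 6) / 7` before the allocation would make the bound explicit. The added comment justifies the 2-to-7 ratio but not the constant, and I would extend it with `+ 6: an odd trailing char can need 5 bytes ("&ABA-") plus the terminating NUL`. The same hunk is repeated in the 1.1.2.1 revision text at the end of the file, and the function body continues past the hunk.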
From: Edmund GRIMLEY EVANS Fix a buffer overflow in utf8_to_utf7 --- mutt-1.4/browser.c Thu Mar 20 15:22:46 2003 +++ mutt-1.4.1/browser.c Thu Mar 20 15:24:13 2003 @@@@ -192,25 +192,27 @@@@ break; case 'f': + { + char *s; #ifdef USE_IMAP if (folder->ff->imap) - strfcpy (fn, NONULL(folder->ff->desc), sizeof (fn)); + s = NONULL (folder->ff->desc); else #endif - strfcpy (fn, folder->ff->name, sizeof(fn)); - if (folder->ff->st != NULL) - { - strcat (fn, S_ISLNK (folder->ff->st->st_mode) ? "@@" : /* __STRCAT_CHECKED__ */ - (S_ISDIR (folder->ff->st->st_mode) ? "/" : - ((folder->ff->st->st_mode & S_IXUSR) != 0 ? "*" : ""))); - } + s = NONULL (folder->ff->name); + + snprintf (fn, sizeof (fn), "%s%s", s, + folder->ff->st ? (S_ISLNK (folder->ff->st->st_mode) ? "@@" : + (S_ISDIR (folder->ff->st->st_mode) ? "/" : + ((folder->ff->st->st_mode & S_IXUSR) != 0 ? "*" : ""))) : ""); + mutt_format_s (dest, destlen, fmt, fn); break; - + } case 'F': if (folder->ff->st != NULL) { - sprintf (permission, "%c%c%c%c%c%c%c%c%c%c", + snprintf (permission, sizeof (permission), "%c%c%c%c%c%c%c%c%c%c", S_ISDIR(folder->ff->st->st_mode) ? 'd' : (S_ISLNK(folder->ff->st->st_mode) ? 'l' : '-'), (folder->ff->st->st_mode & S_IRUSR) != 0 ? 'r': '-', (folder->ff->st->st_mode & S_IWUSR) != 0 ? 'w' : '-', @@@@ -227,8 +229,8 @@@@ else if (folder->ff->imap) { /* mark folders with subfolders AND mail */ - sprintf (permission, "IMAP %c", - (folder->ff->inferiors && folder->ff->selectable) ? '+' : ' '); + snprintf (permission, sizeof (permission), "IMAP %c", + (folder->ff->inferiors && folder->ff->selectable) ? '+' : ' '); mutt_format_s (dest, destlen, fmt, permission); } #endif --- mutt-1.4/imap/utf7.c Tue Feb 13 23:06:16 2001 +++ mutt-1.4.1/imap/utf7.c Wed Mar 19 22:33:30 2003 @@@@ -149,7 +149,11 @@@@ int n, i, b = 0, k = 0; int base64 = 0; - p = buf = safe_malloc (u8len * 2 + 1); + /* + * In the worst case we convert 2 chars to 7 chars. For example: + * "\x10&\x10&..." -> "&ABA-&-&ABA-&-...". 
+ */ + p = buf = safe_malloc ((u8len / 2) * 7 + 6); while (u8len) { @