authorjoerg <joerg@pkgsrc.org>2006-03-06 22:49:16 +0000
committerjoerg <joerg@pkgsrc.org>2006-03-06 22:49:16 +0000
commit94189713885a800f731b616c459f21463e7503f4 (patch)
tree879e703084302f73304ced5b1f074ae9dc631fb4 /mail/exim3/patches
parent5ffc07684739c074075217c8570791c738137e21 (diff)
Fix parsing of IPv6 addresses, which could possibly result in privilege escalation.
Diffstat (limited to 'mail/exim3/patches')
-rw-r--r--mail/exim3/patches/patch-ao13
-rw-r--r--mail/exim3/patches/patch-ap24
2 files changed, 37 insertions, 0 deletions
diff --git a/mail/exim3/patches/patch-ao b/mail/exim3/patches/patch-ao
new file mode 100644
index 00000000000..735d6f43d7b
--- /dev/null
+++ b/mail/exim3/patches/patch-ao
@@ -0,0 +1,13 @@
+$NetBSD: patch-ao,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/lookups/dnsdb.c.orig 2006-02-14 16:38:38.000000000 +0100
++++ src/lookups/dnsdb.c
+@@ -116,7 +116,7 @@ if (equals != NULL)
+ /* If the type is PTR, we have to construct the relevant magic lookup
+ key. */
+
+-if (type == T_PTR)
++if (type == T_PTR && string_is_ip_address(keystring, NULL))
+ {
+ char *p = keystring + (int)strlen(keystring);
+ char *pp = buffer;
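Review bot: The added `string_is_ip_address(keystring, NULL)` test on the `if (type == T_PTR ...)` line is a security-relevant input check, but the comment above it still only describes key construction, so nothing tells a later maintainer that the guard must stay. I would extend that comment with something like `Only do this for a syntactically valid IP address; the key-construction code below presumably assumes one.` It is also worth confirming what happens to a PTR lookup whose key is not an IP address: it now skips this block and presumably continues with the unmodified key, which should be documented as intended (or rejected explicitly) rather than left implicit. The body of the `if` continues past the end of the hunk, so the conversion code itself is not visible here.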
diff --git a/mail/exim3/patches/patch-ap b/mail/exim3/patches/patch-ap
new file mode 100644
index 00000000000..49c700a553f
--- /dev/null
+++ b/mail/exim3/patches/patch-ap
@@ -0,0 +1,24 @@
+$NetBSD: patch-ap,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/host.c.orig 2006-02-14 16:41:01.000000000 +0100
++++ src/host.c
+@@ -620,12 +620,18 @@ if (strchr(address, ':') != NULL)
+
+ if (*p == ':') p++;
+
+- /* Split the address into components separated by colons. */
++ /* Split the address into components separated by colons. The input address
++ is supposed to be checked for syntax. There was a case where this was
++ overlooked; to guard against that happening again, check here and crash if
++ there is a violation. */
+
+ while (*p != 0)
+ {
+ int len = strcspn(p, ":");
+ if (len == 0) nulloffset = ci;
++ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
++ address);
+ component[ci++] = p;
+ p += len;
+ if (*p == ':') p++;
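Review bot: The new `if (ci > 7)` guard only protects `component[ci++] = p;` if `log_write()` with `LOG_PANIC_DIE` never returns, and that dependency is not visible in the code; the unbraced three-line call followed directly by the store makes it easy to misread. I would brace the check and state the assumption, e.g. `/* LOG_PANIC_DIE does not return */`, and derive the bound from the array instead of the literal, `if (ci >= (int)(sizeof(component)/sizeof(component[0])))`, assuming `component` is a local array declared above the hunk. The logged `address` is the rejected input, so it may be worth confirming that log_write() handles unprintable characters safely. The loop and the enclosing function start and end outside the hunk.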