Security fix for SA17062:

"A vulnerability in UW-imapd can be exploited by malicious users to
 cause a DoS (Denial of Service) or compromise a vulnerable system.

 The vulnerability is caused due to a boundary error in the
 "mail_valid_net_parse_work()" function when copying the user supplied
 mailbox name to a stack buffer. This can be exploited to cause a
 stack-based buffer overflow via a specially crafted mailbox name that
 contains an single opening double-quote character, without the
 corresponding closing double-quote.

 Successful exploitation allows arbitrary code execution, but requires
 valid credentials on the IMAP server."

http://secunia.com/advisories/17062/
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933

Patch from 2004g.

1 files changed, 17 insertions, 0 deletions

diff --git a/mail/imap-uw/patches/patch-an b/mail/imap-uw/patches/patch-an
new file mode 100644
index 00000000000..81348d14a7b
--- /dev/null
+++ b/mail/imap-uw/patches/patch-an
@@ -0,0 +1,17 @@
+$NetBSD: patch-an,v 1.1 2005/10/05 15:49:44 salo Exp $
+
+Security fix for CAN-2005-2933, from 2004g.
+
+--- src/c-client/mail.c.orig	2005-03-17 01:12:17.000000000 +0100
++++ src/c-client/mail.c	2005-10-05 17:37:13.000000000 +0200
+@@ -691,8 +691,10 @@
+       if (c == '=') {		/* parse switches which take arguments */
+ 	if (*t == '"') {	/* quoted string? */
+ 	  for (v = arg,i = 0,++t; (c = *t++) != '"';) {
++            if (!c) return NIL; /* unterminated string */
+ 				/* quote next character */
+ 	    if (c == '\\') c = *t++;
++            if (!c) return NIL; /* can't quote NUL either */
+ 	    arg[i++] = c;
+ 	  }
+ 	  c = *t++;		/* remember delimiter for later */