Add fix from the "mutt" CVS repository for a buffer overflow in the

IMAP code which could be exploited by a malicious IMAP server. Bump package revision.
author: tron <tron@pkgsrc.org> 2006-06-20 09:14:46 +0000
committer: tron <tron@pkgsrc.org> 2006-06-20 09:14:46 +0000
commit: 8ed7986838d4cd26908b6368110087620cc54d45 (patch)
tree: 93d8893ee0bdb0f5ca4f6dfcde5944221bbb85db /mail/mutt/patches
parent: 88c777f2230fa8d2b21687598f23d21d53330fbc (diff)
download: pkgsrc-8ed7986838d4cd26908b6368110087620cc54d45.tar.gz
1 files changed, 29 insertions, 0 deletions
diff --git a/mail/mutt/patches/patch-ae b/mail/mutt/patches/patch-ae
new file mode 100644
index 00000000000..744234c761e
--- /dev/null
+++ b/mail/mutt/patches/patch-ae
@@ -0,0 +1,29 @@
+$NetBSD: patch-ae,v 1.4 2006/06/20 09:14:46 tron Exp $
+
+--- imap/browse.c.orig	2002-02-26 10:38:56.000000000 +0000
++++ imap/browse.c	2006-06-20 10:05:32.000000000 +0100
+@@ -452,7 +452,7 @@
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
++	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -463,12 +463,14 @@
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
++	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
++	    if (n == sizeof (ns) - 1)
++	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
author	tron <tron@pkgsrc.org>	2006-06-20 09:14:46 +0000
committer	tron <tron@pkgsrc.org>	2006-06-20 09:14:46 +0000
commit	8ed7986838d4cd26908b6368110087620cc54d45 (patch)
tree	93d8893ee0bdb0f5ca4f6dfcde5944221bbb85db /mail/mutt/patches
parent	88c777f2230fa8d2b21687598f23d21d53330fbc (diff)
download	pkgsrc-8ed7986838d4cd26908b6368110087620cc54d45.tar.gz