From e5a5e9ce2e1fdc291a0269ed68de3711e5fcdc7b Mon Sep 17 00:00:00 2001
From: tonnerre
Date: Sun, 13 Jul 2008 16:26:17 +0000
Subject: Add patch for IMAP tag arbitrary code execution in the perdition IMAP server (CVE-2007-5740).
---
 mail/perdition/Makefile | 4 +-
 mail/perdition/distinfo | 3 +-
 mail/perdition/patches/patch-ah | 109 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 3 deletions(-)
 create mode 100644 mail/perdition/patches/patch-ah
(limited to 'mail/perdition')
diff --git a/mail/perdition/Makefile b/mail/perdition/Makefile
index c3c7b5d2ef1..521d01b551a 100644
--- a/mail/perdition/Makefile
+++ b/mail/perdition/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2008/06/12 02:14:35 joerg Exp $
+# $NetBSD: Makefile,v 1.11 2008/07/13 16:26:17 tonnerre Exp $
 #
-PKGREVISION= 7
+PKGREVISION= 8
 PERDITION_COMMENT= main program
diff --git a/mail/perdition/distinfo b/mail/perdition/distinfo
index 842ac532aaf..453dc501201 100644
--- a/mail/perdition/distinfo
+++ b/mail/perdition/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2007/03/02 11:37:33 grant Exp $
+$NetBSD: distinfo,v 1.7 2008/07/13 16:26:17 tonnerre Exp $
 SHA1 (perdition-1.17.tar.gz) = 5e04f172db4a7ee2af5b7a28c19c231f955243fc
 RMD160 (perdition-1.17.tar.gz) = cc3c4679390132ece6858eca6483ffddead568e4
@@ -10,3 +10,4 @@ SHA1 (patch-ad) = 7b53169a8571141016fa79e1fbf55439579c4d77
 SHA1 (patch-ae) = a3a41d06a7a63d479f4c8de29b6d7ee2a745dd87
 SHA1 (patch-af) = 0fa5a853c69ff6869e3a752fc592228d6e782079
 SHA1 (patch-ag) = 350cfc64f98611455292d4d052463e6828588338
+SHA1 (patch-ah) = 6a88d3c73cc5e5b88a58b057c58fdbe182f2d0d4
diff --git a/mail/perdition/patches/patch-ah b/mail/perdition/patches/patch-ah
new file mode 100644
index 00000000000..2edd65df8fa
--- /dev/null
+++ b/mail/perdition/patches/patch-ah
@@ -0,0 +1,109 @@
+$NetBSD: patch-ah,v 1.1 2008/07/13 16:26:17 tonnerre Exp $
+
+--- perdition/imap4_in.c.orig 2005-06-22 07:50:05.000000000 +0200
++++ perdition/imap4_in.c
+@@ -277,6 +277,76 @@ int imap4_in_authenticate(
+
+ #endif /* WITH_PAM_SUPPORT */
+
++/**********************************************************************
++ * imap4_in_verify_tag_str
++ * Verify that a tag is valid
++ * Pre: tag: io_t to write to
++ * Return 0 on success
++ * -1 otherwise
++ **********************************************************************/
++
++/* Excerpts from rfc3501, Section 9. Formal Syntax
++ *
++ * The ASCII NUL character, %x00, MUST NOT be used at any time.
++ *
++ * tag = 1*
++ *
++ * ATOM-CHAR =
++ *
++ * atom-specials = "(" / ")" / "{" / SP / CTL / list-wildcards /
++ * quoted-specials / resp-specials
++ *
++ * list-wildcards = "%" / "*"
++ *
++ * quoted-specials = DQUOTE / "\"
++ *
++ * resp-specials = "]"
++ *
++ * Excerpts from rfc2060, Section 9. Formal Syntax
++ *
++ * CHAR ::=
++ *
++ * CTL ::=
++ */
++
++static int imap4_in_verify_tag_str(const token_t *tag)
++{
++ unsigned char *tag_str;
++ size_t tag_str_len, i;
++
++ tag_str_len = token_len(tag);
++
++ if (!tag_str_len)
++ return -1;
++
++ tag_str = token_buf(tag);
++
++ for (i = 0; i < tag_str_len; i++) {
++ /* Must be ASCII, must not be a control character */
++ if (tag_str[i] <= 0x1f || tag_str[i] >= 0x7f)
++ return -1;
++ /* Must not be other reserved characters */
++ switch(tag_str[i]) {
++ case '\0':
++ case '(':
++ case ')':
++ case '{':
++ case ' ':
++ case '%':
++ case '*':
++ case '"':
++ case '\\':
++ case ']':
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++
+
+ /**********************************************************************
+ * imap4_in_get_pw
+@@ -337,19 +407,20 @@ int imap4_in_get_pw(io_t *io, struct pas
+ break;
+ }
+
++ if (imap4_in_verify_tag_str(tag)) {
++ token_assign(tag, (unsigned char *)strdup(IMAP4_UNTAGGED),
++ strlen(IMAP4_UNTAGGED), 0);
++ __IMAP4_IN_BAD("Invalid tag, mate");
++ goto loop;
++ }
++
+ if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){
+ VANESSA_LOGGER_DEBUG("vanessa_queue_pop 1");
+ break;
+ }
+
+ if(token_is_eol(tag)){
+- if(token_is_null(tag)){
+- token_assign(tag, strdup(IMAP4_BAD), strlen(IMAP4_BAD), 0);
+- __IMAP4_IN_BAD("Null tag, mate");
+- }
+- else {
+- __IMAP4_IN_BAD("Missing command, mate");
+- }
++ __IMAP4_IN_BAD("Missing command, mate");
+ goto loop;
+ }
+
-- cgit v1.2.3
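Review bot: In the imap4_in_get_pw hunk the added `if (imap4_in_verify_tag_str(tag))` block sits above the context line `if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){`, so as shown it runs before this line's tag has been popped into `tag`, and the newly read tag goes on to `token_is_eol(tag)` without being validated. Since the tag check appears to be the substance of the CVE-2007-5740 fix named in the subject, the six-line block should move to just after the pop's closing `}` and before `if(token_is_eol(tag)){`. The function body starts and ends outside the hunk, so what `tag` holds on the first pass, and whether `token_len()` tolerates it, is not visible here and should be confirmed against the full file. Two smaller points: the `strdup(IMAP4_UNTAGGED)` result is handed to `token_assign` without a NULL check, and the header comment's `Pre: tag: io_t to write to` should read something like `Pre: tag: token holding the client-supplied tag`.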