- fixes for possible security issues (buffer and integer overflows)

Changed files:
    cyrus-imapd-imap-intoverflow.patch -> 1.1
    cyrus-imapd-sieve-overflows.patch -> 1.1
    cyrus-imapd-snprintf.patch -> 1.1

diff --git a/cyrus-imapd-imap-intoverflow.patch b/cyrus-imapd-imap-intoverflow.patch
new file mode 100644 (file)
index 0000000..647db05
--- /dev/null
+++ b/cyrus-imapd-imap-intoverflow.patch
@@ -0,0 +1,28 @@
+--- cyrus-imapd-2.0.16/imap/imapparse.c.orig   Mon Jul 16 21:31:14 2001
++++ cyrus-imapd-2.0.16/imap/imapparse.c        Thu Dec  5 11:53:09 2002
+@@ -52,7 +52,7 @@
+              struct buf *buf, int type)
+ {
+     int c;
+-    int i, len = 0;
++    unsigned int i, len = 0;
+     int sawdigit = 0;
+     int isnowait;
+ 
+@@ -168,6 +168,16 @@
+           if (c != EOF) prot_ungetc(c, pin);
+           return EOF;
+       }
++      if (len > 65536) {
++          if (isnowait) {
++              for (i = 0; i < len; i++)
++                  c = prot_getc(pin);
++          }
++          prot_printf(pout, "* BAD Literal too large\r\n");
++          prot_flush(pout);
++          if (c != EOF) prot_ungetc(c, pin);
++          return EOF;
++      }
+       if (len >= buf->alloc) {
+           buf->alloc = len+1;
+           buf->s = xrealloc(buf->s, buf->alloc+1);

diff --git a/cyrus-imapd-sieve-overflows.patch b/cyrus-imapd-sieve-overflows.patch
new file mode 100644 (file)
index 0000000..b1bd275
--- /dev/null
+++ b/cyrus-imapd-sieve-overflows.patch
@@ -0,0 +1,42 @@
+--- cyrus-imapd-2.0.16/sieve/addr.y.orig       Sat Jul 15 06:32:32 2000
++++ cyrus-imapd-2.0.16/sieve/addr.y    Thu Dec  5 11:35:29 2002
+@@ -87,8 +87,9 @@
+ /* copy address error message into buffer provided by sieve parser */
+ int yyerror(char *s)
+ {
+-extern char addrerr[];
++extern char addrerr[500];
+ 
+-    strcpy(addrerr, s);
++    strncpy(addrerr, s, sizeof(addrerr)-1);
++    addrerr[sizeof(addrerr)-1] = '\0';
+     return 0;
+ }
+--- cyrus-imapd-2.0.16/sieve/sieve.y.orig      Mon Dec 18 05:53:43 2000
++++ cyrus-imapd-2.0.16/sieve/sieve.y   Thu Dec  5 11:36:52 2002
+@@ -599,7 +599,7 @@
+ 
+     addrptr = s;
+     if (addrparse()) {
+-      sprintf(errbuf, "address '%s': %s", s, addrerr);
++      snprintf(errbuf, sizeof(errbuf), "address '%s': %s", s, addrerr);
+       yyerror(errbuf);
+       return 0;
+     }
+@@ -633,14 +633,14 @@
+       if (strcmp(f, "\\seen") && strcmp(f, "\\answered") &&
+           strcmp(f, "\\flagged") && strcmp(f, "\\draft") &&
+           strcmp(f, "\\deleted")) {
+-          sprintf(errbuf, "flag '%s': not a system flag", f);
++          snprintf(errbuf, sizeof(errbuf), "flag '%s': not a system flag", f);
+           yyerror(errbuf);
+           return 0;
+       }
+       return 1;
+     }
+     if (!imparse_isatom(f)) {
+-      sprintf(errbuf, "flag '%s': not a valid keyword", f);
++      snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid keyword", f);
+       yyerror(errbuf);
+       return 0;
+     }

diff --git a/cyrus-imapd-snprintf.patch b/cyrus-imapd-snprintf.patch
new file mode 100644 (file)
index 0000000..e8fe638
--- /dev/null
+++ b/cyrus-imapd-snprintf.patch
@@ -0,0 +1,11 @@
+--- cyrus-imapd-2.0.16/imap/fud.c.orig Tue Dec  3 10:38:01 2002
++++ cyrus-imapd-2.0.16/imap/fud.c      Thu Dec  5 12:04:22 2002
+@@ -313,7 +313,7 @@
+             sendto(soc,"PERMDENY",9,0,(struct sockaddr *) &sfrom, sizeof(sfrom));       
+             break;
+         case REQ_OK:
+-            siz = sprintf(buf,"%s|%s|%d|%d|%d",user,mbox,numrecent,(int) lastread,(int) lastarrived);
++            siz = sprintf(buf,sizeof(buf),"%s|%s|%d|%d|%d",user,mbox,numrecent,(int) lastread,(int) lastarrived);
+             sendto(soc,buf,siz,0,(struct sockaddr *) &sfrom, sizeof(sfrom));       
+             break;
+         case REQ_UNK: