Mandrake has some of the security fixes for imap2000c ftp://chronos.iut-bm.univ-fcomte.fr/pub/linux/distributions/Mandrake/updates/7.2/SRPMS/ A part of their patch
--- imap-2000c/src/osdep/unix/tcp_unix.c~ Wed Nov 8 15:28:02 2000
+++ imap-2000c/src/osdep/unix/tcp_unix.c Fri Mar 2 15:46:56 2001
@@ -282,7 +282,7 @@
 FD_SET (sock,&efds);
 do { /* block under timeout */
 tmo.tv_sec = ti ? ti - now : 0;
- i = select (sock+1,0,&fds,&efds,ti ? &tmo : 0);
+ i = select (sock+1,&fds,0,&efds,ti ? &tmo : 0);
 now = time (0);
 } while (((i < 0) && (errno == EINTR)) || (ti && !i && (ti > now)));
 if (i > 0) { /* success, make sure really connected */
--- imap-2000c/src/c-client/smanager.c~ Tue Oct 24 21:11:43 2000
+++ imap-2000c/src/c-client/smanager.c Fri Mar 2 14:50:14 2001
@@ -39,7 +39,7 @@
 while (fgets (tmp,MAILTMPLEN,f)) {
 if (s = strchr (tmp,'\n')) *s = '\0';
 if (!strcmp (tmp,mailbox)) {/* already subscribed? */
- sprintf (tmp,"Already subscribed to mailbox %s",mailbox);
+ sprintf (tmp,"Already subscribed to mailbox %.80s",mailbox);
 mm_log (tmp,ERROR);
 fclose (f);
 return NIL;
@@ -87,7 +87,7 @@
 return NIL;
 }
 if (!ret) {
- sprintf (tmp,"Not subscribed to mailbox %s",mailbox);
+ sprintf (tmp,"Not subscribed to mailbox %.80s",mailbox);
 mm_log (tmp,ERROR); /* error if at end */
 }
 else rename (newname,old);
--- imap-2000c/./src/c-client/smtp.c~ Tue Oct 24 21:13:00 2000
+++ imap-2000c/./src/c-client/smtp.c Fri Mar 2 14:54:25 2001
@@ -508,6 +508,8 @@
 long flags = (mb->secflag ? AU_SECURE : NIL) |
 (mb->authuser[0] ? AU_AUTHUSER : NIL);
 char *s,tmp[MAILTMPLEN];
+ /* clear ESMTP data */
+ memset (&ESMTP,0,sizeof (ESMTP));
 sprintf (tmp,"EHLO %s",host); /* build the complete command */
 if (stream->debug) mm_dlog (tmp);
 strcat (tmp,"\015\012");
--- imap-2000c/src/c-client/newsrc.c~ Tue Oct 24 21:11:41 2000
+++ imap-2000c/src/c-client/newsrc.c Fri Mar 2 14:47:36 2001
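Review bot: The retry condition `((i < 0) && (errno == EINTR))` in the tcp_unix.c hunk loops again without checking the deadline, so after an interrupted `select` the next pass can compute `tmo.tv_sec = ti - now` with `now` already at or past `ti`. Depending on the types of `ti` and `now` (declared outside this hunk) that is a negative or wrapped timeout, which surfaces as a `select` error or an over-long wait instead of a clean timeout. Treating the expired case as a timeout right after `now = time (0);` avoids it: `if ((i < 0) && (errno == EINTR) && ti && (ti <= now)) i = 0;`. The hunk also does not show `tmo.tv_usec` being set, which is worth confirming in the enclosing function.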
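Review bot: The `%.80s` cap in `sprintf (tmp,"Already subscribed to mailbox %.80s",mailbox);` is an unexplained constant with no visible tie to `MAILTMPLEN`, and it silently truncates the name written to the log, so two mailboxes sharing an 80-character prefix become indistinguishable there. A short comment at the call would record the intent, for example `/* mailbox is caller-supplied: cap it so the message always fits tmp */`. The same applies to the second smanager.c hunk (-87) and to the `sprintf` hunks in newsrc.c (-298, -312, -459).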
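Review bot: `sprintf (tmp,"EHLO %s",host);` directly below the added `memset` in the smtp.c hunk is still an unbounded copy into `tmp[MAILTMPLEN]`, and `strcat (tmp,"\015\012")` then appends two more bytes. Unlike the log messages bounded elsewhere in this patch, truncating `host` would alter the command sent, so an over-long name should be rejected before the buffer is built, with a test such as `strlen (host) > MAILTMPLEN - 8` (five bytes of `EHLO `, CRLF and the terminator). Whether callers already bound `host` is not visible here; the function starts and ends outside the hunk.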
@@ -57,7 +57,7 @@
 {
 fclose (f1); /* close file designators */
 fclose (f2);
- return newsrc_error ("Error writing to %s",name,ERROR);
+ return newsrc_error ("Error writing to %.80s",name,ERROR);
 }
@@ -71,8 +71,8 @@
 {
 char *newsrc = (char *) mail_parameters (stream,GET_NEWSRC,stream);
 FILE *f = fopen (newsrc,"wb");
- if (!f) newsrc_error ("Unable to create news state %s",newsrc,ERROR);
- else if (notify) newsrc_error ("Creating news state %s",newsrc,WARN);
+ if (!f) newsrc_error ("Unable to create news state %.80s",newsrc,ERROR);
+ else if (notify) newsrc_error ("Creating news state %.80s",newsrc,WARN);
 return f;
 }
@@ -196,7 +196,7 @@
 /* found the newsgroup? */
 if (((c == ':') || (c == '!')) && !strcmp (tmp,group)) {
 if (c == state) { /* already at that state? */
- if (c == ':') newsrc_error ("Already subscribed to %s",group,WARN);
+ if (c == ':') newsrc_error ("Already subscribed to %.80s",group,WARN);
 ret = LONGT; /* noop the update */
 }
 /* write the character */
@@ -223,7 +223,7 @@
 else { /* can't find a newline convention */
 fclose (f); /* punt the file */
 /* can't win if read something */
- if (pos) newsrc_error("Unknown newline convention in %s",newsrc,ERROR);
+ if (pos) newsrc_error("Unknown newline convention in %.80s",newsrc,ERROR);
 /* file must have been empty, rewrite it */
 else ret = newsrc_newstate(newsrc_create(stream,NIL),group,state,"\n");
 }
@@ -298,7 +298,7 @@
 }
 } while (f && (c != EOF)); /* until file closed or EOF */
 if (f) { /* still have file open? */
- sprintf (tmp,"No state for newsgroup %s found, reading as new",group);
+ sprintf (tmp,"No state for newsgroup %.80s found, reading as new",group);
 mm_log (tmp,WARN);
 fclose (f); /* close the file */
 }
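Review bot: Bounding the conversion at each `newsrc_error` call site, as in `return newsrc_error ("Error writing to %.80s",name,ERROR);` in the -57 hunk, leaves the helper itself dependent on every caller getting the format right. `newsrc_error` is not part of this patch, so this is inferred, but if it formats into a fixed-size buffer the length limit belongs inside it, where a later caller passing a plain `%s` cannot reintroduce the overflow. Failing that, its definition should carry a comment such as `/* fmt must use a bounded %.Ns conversion for its string argument */`. This covers the other `newsrc_error` hunks as well (-71, -196, -223, -334, -347).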
@@ -312,7 +312,7 @@
 while (m <= stream->nmsgs);
 }
 if (unseen) { /* report first unseen message */
- sprintf (tmp,"[UNSEEN] %lu is first unseen message in %s",unseen,group);
+ sprintf (tmp,"[UNSEEN] %lu is first unseen message in %.80s",unseen,group);
 mm_notify (stream,tmp,(long) NIL);
 }
 return recent;
@@ -334,7 +334,7 @@
 if (f = fopen (newsrc,"rb")) {/* have existing newsrc file? */
 if (!(bf = fopen ((strcat (strcpy (backup,newsrc),OLDFILESUFFIX)),"wb"))) {
 fclose (f); /* punt input file */
- return newsrc_error ("Can't create backup news state %s",backup,ERROR);
+ return newsrc_error ("Can't create backup news state %.80s",backup,ERROR);
 }
 /* copy to backup file */
 while ((c = getc (f)) != EOF) {
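Review bot: `strcat (strcpy (backup,newsrc),OLDFILESUFFIX)` in the context lines of the -334 hunk still copies `newsrc` into `backup` with no length check, so the patch bounds the error message but not the copy that builds the file name. The declaration of `backup` is outside the hunk, so its size is unknown here; if it is a fixed array, the name should be tested before `newsrc` is opened, for example `if (strlen (newsrc) + strlen (OLDFILESUFFIX) >= sizeof (backup)) return newsrc_error ("News state name too long: %.80s",newsrc,ERROR);`. The enclosing function starts and ends outside the hunk.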
@@ -347,25 +347,25 @@
 /* write to backup file */
 if ((d = putc (c,bf)) == EOF) {
 fclose (f); /* punt input file */
- return newsrc_error("Error writing backup news state %s",newsrc,ERROR);
+ return newsrc_error("Error writing backup news state %.80s",newsrc,ERROR);
 }
 }
 fclose (f); /* close existing file */
 if (fclose (bf) == EOF) /* and backup file */
- return newsrc_error ("Error closing backup news state %s",newsrc,ERROR);
+ return newsrc_error ("Error closing backup news state %.80s",newsrc,ERROR);
 if (d == EOF) { /* open for write if empty file */
 if (f = newsrc_create (stream,NIL)) bf = NIL;
 else return NIL;
 }
 else if (!nl[0]) /* make sure newlines valid */
- return newsrc_error ("Unknown newline convention in %s",newsrc,ERROR);
+ return newsrc_error ("Unknown newline convention in %.80s",newsrc,ERROR);
 /* now read backup file */
 else if (!(bf = fopen (backup,"rb")))
- return newsrc_error ("Error reading backup news state %s",backup,ERROR);
+ return newsrc_error ("Error reading backup news state %.80s",backup,ERROR);
 /* open newsrc for writing */
 else if (!(f = fopen (newsrc,"wb"))) {
 fclose (bf); /* punt backup */
- return newsrc_error ("Can't rewrite news state %s",newsrc,ERROR);
+ return newsrc_error ("Can't rewrite news state %.80s",newsrc,ERROR);
 }
 }
 else { /* create new newsrc file */
@@ -459,7 +459,7 @@
 }
 }
 } while (f && (c != EOF)); /* until file closed or EOF */
- sprintf (tmp,"No state for newsgroup %s found",group);
+ sprintf (tmp,"No state for newsgroup %.80s found",group);
 mm_log (tmp,WARN);
 if (f) fclose (f); /* close the file */
 return NIL; /* not found return */
--- imap-2000c/src/c-client/mail.c~ Mon Jan 22 17:36:47 2001
+++ imap-2000c/src/c-client/mail.c Fri Mar 2 14:44:40 2001
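Review bot: In the `putc` failure branch at the top of the -347 hunk only `f` is closed before `return newsrc_error(...)`, so the backup stream `bf` stays open on that path; adding `fclose (bf); /* punt backup file */` next to `fclose (f);` closes it. The two backup messages in this hunk ("Error writing backup news state" and "Error closing backup news state") also print `newsrc`, while the file that failed is `backup`, which the -334 hunk does print. The enclosing function begins before and ends after the hunk.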
@@ -629,6 +629,19 @@
 {
 int remote = ((*pat == '{') || (ref && *ref == '{'));
 DRIVER *d;
+
+ if (ref && (strlen (ref) > NETMAXMBX)) {
+ char tmp[MAILTMPLEN];
+ sprintf (tmp,"Invalid LIST reference specification: %.80s",ref);
+ mm_log (tmp,ERROR);
+ return;
+ }
+ if (strlen (pat) > NETMAXMBX) {
+ char tmp[MAILTMPLEN];
+ sprintf (tmp,"Invalid LIST pattern specification: %.80s",pat);
+ mm_log (tmp,ERROR);
+ return;
+ }
 if (*pat == '{') ref = NIL; /* ignore reference if pattern is remote */
 if (stream) { /* if have a stream, do it for that stream */
 if ((d = stream->dtb) && d->scan &&
--- imap-2000c/src/imapd/imapd.c~ Fri Mar 2 14:31:01 2001
+++ imap-2000c/src/imapd/imapd.c Fri Mar 2 15:03:39 2001
@@ -2980,7 +2980,7 @@
 * they get a NUL in a literal.
 */
 unsigned char c;
- for (i = 0; ((i < txt->size) && (c = text->data[i] ? text->data[i] : 0x80) &&
+ for (i = 0; ((i < txt->size) && (c = txt->data[i] ? txt->data[i] : 0x80) &&
 ((PBOUT (c)) != EOF)); i++);
 #else
 for (i = 0; ((i < txt->size) && ((PBOUT (txt->data[i])) != EOF)); i++);
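Review bot: The context line `if ((d = stream->dtb) && d->scan &&` in the mail.c hunk suggests this function is the scan entry point, yet the new messages say `Invalid LIST reference specification` and `Invalid LIST pattern specification`, which will mislead whoever reads the log. The page calls this a part of the patch, so it cannot be told from here whether the list and lsub entry points, which presumably take the same `ref`/`pat` arguments, received the same `NETMAXMBX` check; that should be confirmed. The two added blocks are identical apart from the variable and one word and could share a small static helper. The function ends outside the hunk.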
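Review bot: The loop condition in the imapd.c hunk relies on `c` never being zero, because `c = txt->data[i] ? txt->data[i] : 0x80` sits in the middle of an `&&` chain and a zero value would end the loop early; that deserves a comment, for example `/* c is never 0 here: NUL is sent as 0x80, so only EOF or the size limit ends the loop */`. Since the removed line referred to `text`, this `#if` branch probably did not compile before and may never have been exercised, so it is worth a build and a test with a literal containing a NUL. The empty loop body with the write in the condition is easy to misread. The enclosing function and the `#if` line are outside the hunk.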
Thanks for the patch and the info. Our imap errata release shall be out shortly; I held the release back because of other problems with imap. I am guessing Mandrake will also release a new errata soon. Fixed in imap-2000c-7; packages based on this will be released as errata for RHL 5.2/6.2/7.x.