Bug 44321 - imap2000c security problems
imap2000c security problems
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: imap (Show other bugs)
7.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Mike A. Harris
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-12 14:04 EDT by Need Real Name
Modified: 2007-04-18 12:33 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-06-12 14:04:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:094 high SHIPPED_LIVE : Updated UW imap packages available (imap/pop3/imaps/pop3s) 2001-07-06 00:00:00 EDT

  None (edit)
Description Need Real Name 2001-06-12 14:04:39 EDT
Mandrake has some of the security fixes for
imap2000c
ftp://chronos.iut-bm.univ-fcomte.fr/pub/linux/distributions/Mandrake/updates/7.2/SRPMS/
A part of their patch

--- imap-2000c/src/osdep/unix/tcp_unix.c~	Wed Nov  8 15:28:02 2000
+++ imap-2000c/src/osdep/unix/tcp_unix.c	Fri Mar  2 15:46:56 2001
@@ -282,7 +282,7 @@
     FD_SET (sock,&efds);
     do {			/* block under timeout */
       tmo.tv_sec = ti ? ti - now : 0;
-      i = select (sock+1,0,&fds,&efds,ti ? &tmo : 0);
+      i = select (sock+1,&fds,0,&efds,ti ? &tmo : 0);
       now = time (0);
     } while (((i < 0) && (errno == EINTR)) || (ti && !i && (ti > now)));
     if (i > 0) {		/* success, make sure really connected */
--- imap-2000c/src/c-client/smanager.c~	Tue Oct 24 21:11:43 2000
+++ imap-2000c/src/c-client/smanager.c	Fri Mar  2 14:50:14 2001
@@ -39,7 +39,7 @@
     while (fgets (tmp,MAILTMPLEN,f)) {
       if (s = strchr (tmp,'\n')) *s = '\0';
       if (!strcmp (tmp,mailbox)) {/* already subscribed? */
-	sprintf (tmp,"Already subscribed to mailbox %s",mailbox);
+	sprintf (tmp,"Already subscribed to mailbox %.80s",mailbox);
 	mm_log (tmp,ERROR);
 	fclose (f);
 	return NIL;
@@ -87,7 +87,7 @@
     return NIL;
   }
   if (!ret) {
-    sprintf (tmp,"Not subscribed to mailbox %s",mailbox);
+    sprintf (tmp,"Not subscribed to mailbox %.80s",mailbox);
     mm_log (tmp,ERROR);		/* error if at end */
   }
   else rename (newname,old);
--- imap-2000c/./src/c-client/smtp.c~	Tue Oct 24 21:13:00 2000
+++ imap-2000c/./src/c-client/smtp.c	Fri Mar  2 14:54:25 2001
@@ -508,6 +508,8 @@
   long flags = (mb->secflag ? AU_SECURE : NIL) |
     (mb->authuser[0] ? AU_AUTHUSER : NIL);
   char *s,tmp[MAILTMPLEN];
+                               /* clear ESMTP data */
+  memset (&ESMTP,0,sizeof (ESMTP));
   sprintf (tmp,"EHLO %s",host);	/* build the complete command */
   if (stream->debug) mm_dlog (tmp);
   strcat (tmp,"\015\012");
--- imap-2000c/src/c-client/newsrc.c~	Tue Oct 24 21:11:41 2000
+++ imap-2000c/src/c-client/newsrc.c	Fri Mar  2 14:47:36 2001
@@ -57,7 +57,7 @@
 {
   fclose (f1);			/* close file designators */
   fclose (f2);
-  return newsrc_error ("Error writing to %s",name,ERROR);
+  return newsrc_error ("Error writing to %.80s",name,ERROR);
 }
 
 
@@ -71,8 +71,8 @@
 {
   char *newsrc = (char *) mail_parameters (stream,GET_NEWSRC,stream);
   FILE *f = fopen (newsrc,"wb");
-  if (!f) newsrc_error ("Unable to create news state %s",newsrc,ERROR);
-  else if (notify) newsrc_error ("Creating news state %s",newsrc,WARN);
+  if (!f) newsrc_error ("Unable to create news state %.80s",newsrc,ERROR);
+  else if (notify) newsrc_error ("Creating news state %.80s",newsrc,WARN);
   return f;
 }
 
@@ -196,7 +196,7 @@
 				/* found the newsgroup? */
       if (((c == ':') || (c == '!')) && !strcmp (tmp,group)) {
 	if (c == state) {	/* already at that state? */
-	  if (c == ':') newsrc_error ("Already subscribed to %s",group,WARN);
+	  if (c == ':') newsrc_error ("Already subscribed to
%.80s",group,WARN); 	  ret = LONGT;		/* noop the update */
 	}
 				/* write the character */
@@ -223,7 +223,7 @@
       else {			/* can't find a newline convention */
 	fclose (f);		/* punt the file */
 				/* can't win if read something */
-	if (pos) newsrc_error("Unknown newline convention in %s",newsrc,ERROR);
+	if (pos) newsrc_error("Unknown newline convention in
%.80s",newsrc,ERROR);
 				/* file must have been empty, rewrite it */
 	else ret = newsrc_newstate(newsrc_create(stream,NIL),group,state,"\n");
       }
@@ -298,7 +298,7 @@
     }
   } while (f && (c != EOF));	/* until file closed or EOF */
   if (f) {			/* still have file open? */
-    sprintf (tmp,"No state for newsgroup %s found, reading as new",group);
+    sprintf (tmp,"No state for newsgroup %.80s found, reading as
new",group);
     mm_log (tmp,WARN);
     fclose (f);			/* close the file */
   }
@@ -312,7 +312,7 @@
     while (m <= stream->nmsgs);
   }
   if (unseen) {			/* report first unseen message */
-    sprintf (tmp,"[UNSEEN] %lu is first unseen message in
%s",unseen,group);
+    sprintf (tmp,"[UNSEEN] %lu is first unseen message in
%.80s",unseen,group);     mm_notify (stream,tmp,(long) NIL);
   }
   return recent;
@@ -334,7 +334,7 @@
   if (f = fopen (newsrc,"rb")) {/* have existing newsrc file? */
     if (!(bf = fopen ((strcat (strcpy
(backup,newsrc),OLDFILESUFFIX)),"wb"))) {       fclose (f);		/* punt input
file */
-      return newsrc_error ("Can't create backup news state
%s",backup,ERROR);
+      return newsrc_error ("Can't create backup news state
%.80s",backup,ERROR);
     }
 				/* copy to backup file */
     while ((c = getc (f)) != EOF) {
@@ -347,25 +347,25 @@
 				/* write to backup file */
       if ((d = putc (c,bf)) == EOF) {
 	fclose (f);		/* punt input file */
-	return newsrc_error("Error writing backup news state %s",newsrc,ERROR);
+	return newsrc_error("Error writing backup news state
%.80s",newsrc,ERROR);
       }
     }
     fclose (f);			/* close existing file */
     if (fclose (bf) == EOF)	/* and backup file */
-      return newsrc_error ("Error closing backup news state
%s",newsrc,ERROR);
+      return newsrc_error ("Error closing backup news state
%.80s",newsrc,ERROR);
     if (d == EOF) {		/* open for write if empty file */
       if (f = newsrc_create (stream,NIL)) bf = NIL;
       else return NIL;
     }
     else if (!nl[0])		/* make sure newlines valid */
-      return newsrc_error ("Unknown newline convention in
%s",newsrc,ERROR);
+      return newsrc_error ("Unknown newline convention in
%.80s",newsrc,ERROR); 				/* now read backup file */
     else if (!(bf = fopen (backup,"rb")))
-      return newsrc_error ("Error reading backup news state
%s",backup,ERROR);
+      return newsrc_error ("Error reading backup news state
%.80s",backup,ERROR);
 				/* open newsrc for writing */
     else if (!(f = fopen (newsrc,"wb"))) {
       fclose (bf);		/* punt backup */
-  return newsrc_error ("Can't rewrite news state %s",newsrc,ERROR);
+      return newsrc_error ("Can't rewrite news state %.80s",newsrc,ERROR);
     }
   }
   else {			/* create new newsrc file */
@@ -459,7 +459,7 @@
       }
     }
   } while (f && (c != EOF));	/* until file closed or EOF */
-  sprintf (tmp,"No state for newsgroup %s found",group);
+  sprintf (tmp,"No state for newsgroup %.80s found",group);
   mm_log (tmp,WARN);
   if (f) fclose (f);		/* close the file */
   return NIL;			/* not found return */
--- imap-2000c/src/c-client/mail.c~	Mon Jan 22 17:36:47 2001
+++ imap-2000c/src/c-client/mail.c	Fri Mar  2 14:44:40 2001
@@ -629,6 +629,19 @@
 {
   int remote = ((*pat == '{') || (ref && *ref == '{'));
   DRIVER *d;
+
+  if (ref && (strlen (ref) > NETMAXMBX)) {
+    char tmp[MAILTMPLEN];
+    sprintf (tmp,"Invalid LIST reference specification: %.80s",ref);
+    mm_log (tmp,ERROR);
+    return;
+  }
+  if (strlen (pat) > NETMAXMBX) {
+    char tmp[MAILTMPLEN];
+    sprintf (tmp,"Invalid LIST pattern specification: %.80s",pat);
+    mm_log (tmp,ERROR);
+    return;
+  }
   if (*pat == '{') ref = NIL;	/* ignore reference if pattern is remote */
   if (stream) {			/* if have a stream, do it for that stream */
     if ((d = stream->dtb) && d->scan &&
--- imap-2000c/src/imapd/imapd.c~	Fri Mar  2 14:31:01 2001
+++ imap-2000c/src/imapd/imapd.c	Fri Mar  2 15:03:39 2001
@@ -2980,7 +2980,7 @@
    * they get a NUL in a literal.
    */
   unsigned char c;
-  for (i = 0; ((i < txt->size) && (c = text->data[i] ? text->data[i] :
0x80) &&+  for (i = 0; ((i < txt->size) && (c = txt->data[i] ? txt->data[i]
: 0x80) &&
 	       ((PBOUT (c)) != EOF)); i++);
 #else
   for (i = 0; ((i < txt->size) && ((PBOUT (txt->data[i])) != EOF)); i++);
Comment 1 Mike A. Harris 2001-06-20 05:08:14 EDT
Thanks for the patch, and info.  Our imap errata release shall be out
shortly.  There are other problems with imap that I held the release
back for.  Mandrake will likely release a new errata soon also I
am guessing.

Fixed in imap-2000c-7, packages based on this will be released as errata
for RHL 5.2/6.2/7.x

Note You need to log in before you can comment on or make changes to this bug.