[Frugalware-darcs] frugalware-0.6: mutt-devel-1.5.14-2terminus1-i686

voroskoi voroskoi at frugalware.org
Thu Jun 7 19:46:38 CEST 2007


Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070607173804-dd049-49dabca5acfc4f474e4c4bc48aad9d02ab0ed975.gz;

[mutt-devel-1.5.14-2terminus1-i686
voroskoi <voroskoi at frugalware.org>**20070607173804
 secfix relbump, closes #2139
] {
addfile ./source/network-extra/mutt-devel/3d1d7f6cf693.diff
hunk ./source/network-extra/mutt-devel/3d1d7f6cf693.diff 1
+
+# HG changeset patch
+# User Brendan Cully <brendan at kublai.com>
+# Date 1175552458 25200
+# Node ID 3d1d7f6cf693b610993860b2495fb3f01da97f88
+# Parent 35f6cfe99fc50571364877f7c7b3b2d0b3ef1602
+Validate msgid in APOP authentication. Closes #2846
+
+--- a/pop_auth.c	Sat Nov 11 03:40:03 2006 +0000
++++ b/pop_auth.c	Mon Apr 02 15:20:58 2007 -0700
+@@ -184,6 +184,13 @@ static pop_auth_res_t pop_auth_apop (POP
+   if (!pop_data->timestamp)
+     return POP_A_UNAVAIL;
+ =

++  if (rfc822_valid_msgid (pop_data->timestamp) < 0)
++  {
++    mutt_error _("POP timestamp is invalid!");
++    mutt_sleep (2);
++    return POP_A_UNAVAIL;
++  }
++
+   mutt_message _("Authenticating (APOP)...");
+ =

+   /* Compute the authentication hash to send to the server */
+--- a/rfc822.c	Sat Nov 11 03:40:03 2006 +0000
++++ b/rfc822.c	Mon Apr 02 15:20:58 2007 -0700
+@@ -764,6 +764,52 @@ ADDRESS *rfc822_append (ADDRESS **a, ADD
+   return tmp;
+ }
+ =

++/* incomplete. Only used to thwart the APOP MD5 attack (#2846). */
++int rfc822_valid_msgid (const char *msgid)
++{
++  /* msg-id         =3D "<" addr-spec ">"
++   * addr-spec      =3D local-part "@" domain
++   * local-part     =3D word *("." word)
++   * word           =3D atom / quoted-string
++   * atom           =3D 1*<any CHAR except specials, SPACE and CTLs>
++   * CHAR           =3D ( 0.-127. )
++   * specials       =3D "(" / ")" / "<" / ">" / "@"
++                    / "," / ";" / ":" / "\" / <">
++		    / "." / "[" / "]"
++   * SPACE          =3D ( 32. )
++   * CTLS           =3D ( 0.-31., 127.)
++   * quoted-string  =3D <"> *(qtext/quoted-pair) <">
++   * qtext          =3D <any CHAR except <">, "\" and CR>
++   * CR             =3D ( 13. )
++   * quoted-pair    =3D "\" CHAR
++   * domain         =3D sub-domain *("." sub-domain)
++   * sub-domain     =3D domain-ref / domain-literal
++   * domain-ref     =3D atom
++   * domain-literal =3D "[" *(dtext / quoted-pair) "]"
++   */
++
++  char* dom;
++  unsigned int l, i;
++
++  if (!msgid || !*msgid)
++    return -1;
++
++  l =3D mutt_strlen (msgid);
++  if (l < 5) /* <atom at atom> */
++    return -1;
++  if (msgid[0] !=3D '<' || msgid[l-1] !=3D '>')
++    return -1;
++  if (!(dom =3D strrchr (msgid, '@')))
++    return -1;
++
++  /* TODO: complete parser */
++  for (i =3D 0; i < l; i++)
++    if (msgid[i] > 127)
++      return -1;
++
++  return 0;
++}
++
+ #ifdef TESTING
+ int safe_free (void **p)
+ {
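Review bot: The high-bit test in the loop of `rfc822_valid_msgid`, `if (msgid[i] > 127)`, can never fire where plain `char` is signed, because bytes 0x80-0xFF then read as negative values. On such targets the function enforces only the minimum length, the enclosing angle brackets and the presence of an `@`. Compare as unsigned instead: `if ((unsigned char) msgid[i] > 127)`. The grammar comment also excludes CTLs and SPACE from atoms, which the loop does not test, and `dom` is assigned but never read again, so the "incomplete" header comment should say which checks the APOP caller actually relies on.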
+--- a/rfc822.h	Sat Nov 11 03:40:03 2006 +0000
++++ b/rfc822.h	Mon Apr 02 15:20:58 2007 -0700
+@@ -55,6 +55,7 @@ void rfc822_write_list (char *, size_t, =

+ void rfc822_write_list (char *, size_t, ADDRESS *);
+ void rfc822_free_address (ADDRESS **addr);
+ void rfc822_cat (char *, size_t, const char *, const char *);
++int rfc822_valid_msgid (const char *msgid);
+ =

+ extern int RFC822Error;
+ extern const char *RFC822Errors[];
+
addfile ./source/network-extra/mutt-devel/CVE-2007-2683.diff
hunk ./source/network-extra/mutt-devel/CVE-2007-2683.diff 1
+
+# HG changeset patch
+# User Jonathan Smith <https://issues.rpath.com/>
+# Date 1179873167 14400
+# Node ID 736653ce1896d754da5771458af0c6f68c4cf17c
+# Parent 3d1d7f6cf693b610993860b2495fb3f01da97f88
+merge changeset 47d08903b79b: Use signed arithmetic in mutt_gecos_name to =
avoid an overflow. Closes #2885.
+
+--- a/muttlib.c	Mon Apr 02 15:20:58 2007 -0700
++++ b/muttlib.c	Tue May 22 18:32:47 2007 -0400
+@@ -514,7 +514,7 @@ char *mutt_gecos_name (char *dest, size_
+     if (dest[idx] =3D=3D '&')
+     {
+       memmove (&dest[idx + pwnl], &dest[idx + 1],
+-	       MAX(destlen - idx - pwnl - 1, 0));
++	       MAX((ssize_t)(destlen - idx - pwnl - 1), 0));
+       memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
+       dest[idx] =3D toupper (dest[idx]);
+     }
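Review bot: The new memmove length `MAX((ssize_t)(destlen - idx - pwnl - 1), 0)` still does the subtraction in the operands' own type and only reinterprets the result, so it relies on unsigned wraparound followed by an implementation-defined conversion to `ssize_t`. Comparing before subtracting states the bound directly and needs no cast: `if (idx + pwnl + 1 < destlen) memmove (&dest[idx + pwnl], &dest[idx + 1], destlen - idx - pwnl - 1);`. That form also avoids computing `&dest[idx + pwnl]` when it would point past the end of the buffer. The declarations of `idx` and `pwnl` and the enclosing loop are outside the hunk, so both are assumed here to be non-negative.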
+
hunk ./source/network-extra/mutt-devel/FrugalBuild 8
-pkgrel=3D1
+pkgrel=3D2terminus1
hunk ./source/network-extra/mutt-devel/FrugalBuild 19
-source=3D(ftp://ftp.mutt.org/$origname/devel/$origname-${pkgver}.tar.gz)
-signatures=3D($source.asc)
+source=3D(ftp://ftp.mutt.org/$origname/devel/$origname-${pkgver}.tar.gz \
+	CVE-2007-2683.diff 3d1d7f6cf693.diff)
+signatures=3D($source.asc '' '')
}

