diff options
author | Eric S. Raymond <esr@thyrsus.com> | 2001-08-04 23:04:42 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2001-08-04 23:04:42 +0000 |
commit | 2e51880af8478356deac985863f6f13952987224 (patch) | |
tree | 0d3755c9b5e082ec64f85471feba0c3569c6e684 | |
parent | 9bb8e8533b64422abd0b766398b3fcfea2a6a173 (diff) | |
download | fetchmail-2e51880af8478356deac985863f6f13952987224.tar.gz fetchmail-2e51880af8478356deac985863f6f13952987224.tar.bz2 fetchmail-2e51880af8478356deac985863f6f13952987224.zip |
Security fix.
svn path=/trunk/; revision=3441
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | imap.c | 11 | ||||
-rw-r--r-- | pop3.c | 10 |
4 files changed, 25 insertions, 7 deletions
diff --git a/Makefile.in b/Makefile.in index bd1b9a95..6db23555 100644 --- a/Makefile.in +++ b/Makefile.in @@ -4,7 +4,7 @@ # So just uncomment all the lines marked QNX. PACKAGE = fetchmail -VERSION = 5.8.16 +VERSION = 5.8.17 # Ultrix 2.2 make doesn't expand the value of VPATH. srcdir = @srcdir@ @@ -2,6 +2,15 @@ (The `lines' figures total .c, .h, .l, and .y files under version control.) +fetchmail-5.8.17 (Sat Aug 4 19:02:47 EDT 2001), 21093 lines: + +* Fixed a security hole that is exploitable if fetchmail is running as root + and the attacker can either subvert the mailserver or redirect to a fake + one using DNS spoofing. Bugtraq announcement to follow soon. Thanks + to antirez@invece.org. + +There are people on fetchmail-friends and on fetchmail-announce. + fetchmail-5.8.16 (Fri Aug 3 18:55:54 EDT 2001), 21093 lines: * Handle ! in RFC2821 Return-Path addresses properly. @@ -620,14 +620,19 @@ static int imap_getsizes(int sock, int count, int *sizes) gen_send(sock, "FETCH 1:%d RFC822.SIZE", count); for (;;) { - int num, size, ok; + unsigned int num, size; + int ok; if ((ok = gen_recv(sock, buf, sizeof(buf)))) return(ok); else if (strstr(buf, "OK") || strstr(buf, "NO")) break; - else if (sscanf(buf, "* %d FETCH (RFC822.SIZE %d)", &num, &size) == 2) - sizes[num - 1] = size; + else if (sscanf(buf, "* %u FETCH (RFC822.SIZE %u)", &num, &size) == 2) { + if (num > 0 && num <= count) + sizes[num - 1] = size; + /* else, strict: protocol error, flexible: nothing + * I vote for flexible. */ + } } return(PS_SUCCESS); @@ -572,12 +572,16 @@ static int pop3_getsizes(int sock, int count, int *sizes) while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) { - int num, size; + unsigned int num, size; if (DOTLINE(buf)) break; - else if (sscanf(buf, "%d %d", &num, &size) == 2) - sizes[num - 1] = size; + else if (sscanf(buf, "%u %u", &num, &size) == 2) { + if (num > 0 && num <= count) + sizes[num - 1] = size; + /* else, strict: protocol error, flexible: nothing + * I vote for flexible. */ + } } return(ok); |