authorEric S. Raymond <esr@thyrsus.com>2001-08-04 23:04:42 +0000
committerEric S. Raymond <esr@thyrsus.com>2001-08-04 23:04:42 +0000
commit2e51880af8478356deac985863f6f13952987224 (patch)
tree0d3755c9b5e082ec64f85471feba0c3569c6e684
parent9bb8e8533b64422abd0b766398b3fcfea2a6a173 (diff)
Security fix.
svn path=/trunk/; revision=3441
-rw-r--r--Makefile.in2
-rw-r--r--NEWS9
-rw-r--r--imap.c11
-rw-r--r--pop3.c10
4 files changed, 25 insertions, 7 deletions
diff --git a/Makefile.in b/Makefile.in
index bd1b9a95..6db23555 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,7 +4,7 @@
# So just uncomment all the lines marked QNX.
PACKAGE = fetchmail
-VERSION = 5.8.16
+VERSION = 5.8.17
# Ultrix 2.2 make doesn't expand the value of VPATH.
srcdir = @srcdir@
diff --git a/NEWS b/NEWS
index 47daa5ee..71499f8f 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,15 @@
(The `lines' figures total .c, .h, .l, and .y files under version control.)
+fetchmail-5.8.17 (Sat Aug 4 19:02:47 EDT 2001), 21093 lines:
+
+* Fixed a security hole that is exploitable if fetchmail is running as root
+ and the attacker can either subvert the mailserver or redirect to a fake
+ one using DNS spoofing. Bugtraq announcement to follow soon. Thanks
+ to antirez@invece.org.
+
+There are people on fetchmail-friends and on fetchmail-announce.
+
fetchmail-5.8.16 (Fri Aug 3 18:55:54 EDT 2001), 21093 lines:
* Handle ! in RFC2821 Return-Path addresses properly.
diff --git a/imap.c b/imap.c
index 96ca7ee3..0874e551 100644
--- a/imap.c
+++ b/imap.c
@@ -620,14 +620,19 @@ static int imap_getsizes(int sock, int count, int *sizes)
gen_send(sock, "FETCH 1:%d RFC822.SIZE", count);
for (;;)
{
- int num, size, ok;
+ unsigned int num, size;
+ int ok;
if ((ok = gen_recv(sock, buf, sizeof(buf))))
return(ok);
else if (strstr(buf, "OK") || strstr(buf, "NO"))
break;
- else if (sscanf(buf, "* %d FETCH (RFC822.SIZE %d)", &num, &size) == 2)
- sizes[num - 1] = size;
+ else if (sscanf(buf, "* %u FETCH (RFC822.SIZE %u)", &num, &size) == 2) {
+ if (num > 0 && num <= count)
+ sizes[num - 1] = size;
+ /* else, strict: protocol error, flexible: nothing
+ * I vote for flexible. */
+ }
}
return(PS_SUCCESS);
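Review bot: The new bound `num <= count` in imap_getsizes compares an `unsigned int` with the signed `int count`, so `count` is converted to unsigned and a negative `count` would turn into a huge limit that every server-supplied index passes. Whether a caller can reach this with a non-positive count is not visible in the hunk, but the guard is cheap to make self-contained: `if (count > 0 && num > 0 && num <= (unsigned int)count)`. The same comparison appears in the pop3_getsizes hunk. The function body extends outside the lines shown.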
diff --git a/pop3.c b/pop3.c
index f6e5ddef..f0d685c4 100644
--- a/pop3.c
+++ b/pop3.c
@@ -572,12 +572,16 @@ static int pop3_getsizes(int sock, int count, int *sizes)
while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
{
- int num, size;
+ unsigned int num, size;
if (DOTLINE(buf))
break;
- else if (sscanf(buf, "%d %d", &num, &size) == 2)
- sizes[num - 1] = size;
+ else if (sscanf(buf, "%u %u", &num, &size) == 2) {
+ if (num > 0 && num <= count)
+ sizes[num - 1] = size;
+ /* else, strict: protocol error, flexible: nothing
+ * I vote for flexible. */
+ }
}
return(ok);
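Review bot: `sizes[num - 1] = size;` in pop3_getsizes now stores a server-supplied `unsigned int` into an `int` slot, so a reported size above INT_MAX is converted in an implementation-defined way and typically ends up negative. If later code compares these entries against a size limit (not visible here), a negative entry could slip under it; rejecting such lines in the guard avoids that: `if (num > 0 && num <= count && size <= INT_MAX)`, with INT_MAX from `<limits.h>`. The store in the imap_getsizes hunk performs the same conversion. Lines that fail the guard are dropped silently, so an out-of-range index from the server leaves no trace; reporting it would help anyone investigating a misbehaving or spoofed server. The function body extends outside the lines shown.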