diff options
| -rw-r--r-- | Makefile.in | 2 | ||||
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | driver.c | 14 | ||||
| -rwxr-xr-x | indexgen.sh | 3 |
4 files changed, 18 insertions, 3 deletions
diff --git a/Makefile.in b/Makefile.in index 44f44d10..36cc4cd4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -4,7 +4,7 @@ # So just uncomment all the lines marked QNX. PACKAGE = fetchmail -VERSION = 5.9.9 +VERSION = 5.9.10 # Ultrix 2.2 make doesn't expand the value of VPATH. srcdir = @srcdir@ @@ -2,6 +2,8 @@ (The `lines' figures total .c, .h, .l, and .y files under version control.) +* Security fix: don't trust the message count passed back by the server. + fetchmail-5.9.9 (Sat Mar 9 08:54:28 EST 2002), 21508 lines: * Renamed misnamed tr.po and da.po files @@ -15,6 +15,7 @@ #endif /* HAVE_MEMORY_H */ #if defined(STDC_HEADERS) #include <stdlib.h> +#include <limits.h> #endif #if defined(HAVE_UNISTD_H) #include <unistd.h> @@ -1301,6 +1302,19 @@ is restored.")); */ force_retrieval = !peek_capable && (ctl->errcount > 0); + /* + * Don't trust the message count passed by the server. + * Without this check, it might be possible to do a + * DNS-spoofing attack that would pass back a ridiculous + * count, and allocate a malloc area that would overlap + * a portion of the stack. + */ + if (count > INT_MAX/sizeof(int)) + { + report(stderr, "bogus message count!"); + return(PS_PROTOCOL); + } + /* OK, we're going to gather size info next */ xalloca(msgsizes, int *, sizeof(int) * count); xalloca(msgcodes, int *, sizeof(int) * count); diff --git a/indexgen.sh b/indexgen.sh index 8880dbf9..8dc25195 100755 --- a/indexgen.sh +++ b/indexgen.sh @@ -364,8 +364,7 @@ ftp://ftp.win.ne.jp/pub/network/mail/fetchmail</a>. <P>Fetchmail was DaveCentral's Best Of Linux winner for <a href="http://linux.davecentral.com/bol_19990630.html">June 30 1999</a>. -<P>Fetchmail was a five-star Editor's Pick at -<a href="http://www.softlandindia.com/Linux/EmailClients.htm">Softlandindia</a> +<P>Fetchmail was a five-star Editor's Pick at Softlandindia. <HR> <table width="100%" cellpadding=0><tr> |