From 2e51880af8478356deac985863f6f13952987224 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond"
Date: Sat, 4 Aug 2001 23:04:42 +0000
Subject: Security fix. svn path=/trunk/; revision=3441
---
 Makefile.in | 2 +-
 NEWS | 9 +++++++++
 imap.c | 11 ++++++++---
 pop3.c | 10 +++++++---
 4 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index bd1b9a95..6db23555 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,7 +4,7 @@
 # So just uncomment all the lines marked QNX. PACKAGE = fetchmail
-VERSION = 5.8.16
+VERSION = 5.8.17
 # Ultrix 2.2 make doesn't expand the value of VPATH. srcdir = @srcdir@
diff --git a/NEWS b/NEWS
index 47daa5ee..71499f8f 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,15 @@
 (The `lines' figures total .c, .h, .l, and .y files under version control.)
+fetchmail-5.8.17 (Sat Aug 4 19:02:47 EDT 2001), 21093 lines:
+
+* Fixed a security hole that is exploitable if fetchmail is running as root
+ and the attacker can either subvert the mailserver or redirect to a fake
+ one using DNS spoofing. Bugtraq announcement to follow soon. Thanks
+ to antirez@invece.org.
+
+There are people on fetchmail-friends and on fetchmail-announce.
+
 fetchmail-5.8.16 (Fri Aug 3 18:55:54 EDT 2001), 21093 lines: * Handle ! in RFC2821 Return-Path addresses properly.
diff --git a/imap.c b/imap.c
index 96ca7ee3..0874e551 100644
--- a/imap.c
+++ b/imap.c
@@ -620,14 +620,19 @@ static int imap_getsizes(int sock, int count, int *sizes)
 gen_send(sock, "FETCH 1:%d RFC822.SIZE", count); for (;;) {
- int num, size, ok;
+ unsigned int num, size;
+ int ok;
 if ((ok = gen_recv(sock, buf, sizeof(buf)))) return(ok); else if (strstr(buf, "OK") || strstr(buf, "NO")) break;
- else if (sscanf(buf, "* %d FETCH (RFC822.SIZE %d)", &num, &size) == 2)
- sizes[num - 1] = size;
+ else if (sscanf(buf, "* %u FETCH (RFC822.SIZE %u)", &num, &size) == 2) {
+ if (num > 0 && num <= count)
+ sizes[num - 1] = size;
+ /* else, strict: protocol error, flexible: nothing
+ * I vote for flexible. */
+ }
 } return(PS_SUCCESS);
diff --git a/pop3.c b/pop3.c
index f6e5ddef..f0d685c4 100644
--- a/pop3.c
+++ b/pop3.c
@@ -572,12 +572,16 @@ static int pop3_getsizes(int sock, int count, int *sizes)
 while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0) {
- int num, size;
+ unsigned int num, size;
 if (DOTLINE(buf)) break;
- else if (sscanf(buf, "%d %d", &num, &size) == 2)
- sizes[num - 1] = size;
+ else if (sscanf(buf, "%u %u", &num, &size) == 2) {
+ if (num > 0 && num <= count)
+ sizes[num - 1] = size;
+ /* else, strict: protocol error, flexible: nothing
+ * I vote for flexible. */
+ }
 } return(ok);
-- cgit v1.2.3
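Review bot: The new bound check `num <= count` in imap_getsizes compares an `unsigned int` with the `int` parameter `count`, so `count` is converted to unsigned before the comparison. If a caller ever passes a negative count, it becomes a very large value and every server-supplied `num` passes, which leaves the write to `sizes[num - 1]` unbounded again. Whether `count` can be negative is not visible in this hunk, so I would make the check explicit: `if (count > 0 && num > 0 && num <= (unsigned int)count)`. The same comparison appears in the pop3_getsizes hunk in pop3.c, and the function body starts outside the hunk.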
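Review bot: In pop3_getsizes the parsed `size` is now an `unsigned int` but is still stored into the `int` array by `sizes[num - 1] = size;`, so a server-supplied value above INT_MAX ends up as a negative entry (the conversion is implementation-defined). How later code treats a negative size is not visible here, so I would reject the value where it is parsed, e.g. `if (num > 0 && num <= count && size <= INT_MAX)`, which needs `<limits.h>` if pop3.c does not already include it. The same assignment is in the imap_getsizes hunk in imap.c. The function body starts outside the hunk.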