Version in base suite: 1.0.15-2.3 Version in overlay suite: (not present) Base version: dovecot_1.0.15-2.3 Target version: dovecot_1.0.15-2.3+lenny1 Base file: /org/ftp.debian.org/ftp/pool/main/d/dovecot/dovecot_1.0.15-2.3.dsc Target file: /org/ftp.debian.org/queue/p-u-new/dovecot_1.0.15-2.3+lenny1.dsc debian/patches/sieve.dpatch | 142 +++++++++++++++++++++++++++++++++++ dovecot-1.0.15/debian/changelog | 8 + dovecot-1.0.15/debian/patches/00list | 1 3 files changed, 151 insertions(+)
diff -u dovecot-1.0.15/debian/changelog dovecot-1.0.15/debian/changelog
--- dovecot-1.0.15/debian/changelog
+++ dovecot-1.0.15/debian/changelog
@@ -1,3 +1,11 @@
+dovecot (1:1.0.15-2.3+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix for buffer overflow in SIEVE filtering allowing for privilege
+ escalation (closes: #546656). Thanks to Don Armstrong.
+
+ -- Giuseppe Iuculano Wed, 23 Sep 2009 10:10:46 +0200
+
 dovecot (1:1.0.15-2.3) unstable; urgency=medium
 
 * Non-maintainer upload
diff -u dovecot-1.0.15/debian/patches/00list dovecot-1.0.15/debian/patches/00list
--- dovecot-1.0.15/debian/patches/00list
+++ dovecot-1.0.15/debian/patches/00list
@@ -15,0 +16 @@
+sieve.dpatch
only in patch2: unchanged:
--- dovecot-1.0.15.orig/debian/patches/sieve.dpatch
+++ dovecot-1.0.15/debian/patches/sieve.dpatch
@@ -0,0 +1,142 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## sieve.dpatch by Giuseppe Iuculano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad dovecot-1.0.15~/dovecot-sieve/src/libsieve/bc_eval.c dovecot-1.0.15/dovecot-sieve/src/libsieve/bc_eval.c +--- dovecot-1.0.15~/dovecot-sieve/src/libsieve/bc_eval.c 2009-09-23 10:03:24.000000000 +0200 ++++ dovecot-1.0.15/dovecot-sieve/src/libsieve/bc_eval.c 2009-09-23 11:14:55.000000000 +0200 +@@ -475,7 +475,7 @@ + int comparator=ntohl(bc[i+3].value); + int apart=ntohl(bc[i+4].value); + int count=0; +- char scount[3]; ++ char scount[21]; + int isReg = (match==B_REGEX); + int ctag = 0; + regex_t *reg; +@@ -609,7 +609,7 @@ + + if (match == B_COUNT) + { +- sprintf(scount, "%u", count); ++ snprintf(scount, sizeof(scount), "%u", count); + /* search through all the data */ + currd=datai+2; + for (z=0; zerr) { + char buf[1024]; + if (lastaction == -1) /* we never executed an action */ +- sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret)); ++ snprintf(buf, sizeof(buf), "%s", errmsg ? errmsg : sieve_errstr(ret)); + else +- sprintf(buf, "%s: %s", action_to_string(lastaction), ++ snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction), + errmsg ? 
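Review bot: In the bc_eval.c hunk at 475 `count` is declared `int`, yet the hunk at 609 still formats it with `"%u"`, so the specifier and the argument type disagree; either declare it `unsigned int count=0;` or format it with `"%d"`. The new size in `char scount[21];` is a bare number, and a comment such as `/* presumably room for a 64-bit decimal value plus NUL */` would record why it was chosen now that the write is bounded by `sizeof(scount)`. The enclosing function starts and ends outside both hunks, and the tail of the 609 hunk is missing from this page, so how `scount` is consumed afterwards cannot be checked here.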
errmsg : sieve_errstr(ret));
+
+ ret |= interp->execute_err(buf, interp->interp_context,
+@@ -546,7 +546,7 @@
+ ret |= keep_ret;
+ if (keep_ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Kept\n");
+ else {
+ implicit_keep = 0; /* don't try an implicit keep again */
+@@ -599,7 +599,7 @@
+
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Rejected with: %s\n", a->u.rej.msg);
+
+ break;
+@@ -615,7 +615,7 @@
+
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Filed into: %s\n",a->u.fil.mailbox);
+ break;
+ case ACTION_KEEP:
+@@ -629,7 +629,7 @@
+ &errmsg);
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Kept\n");
+ break;
+ case ACTION_REDIRECT:
+@@ -643,7 +643,7 @@
+ &errmsg);
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Redirected to %s\n", a->u.red.addr);
+ break;
+ case ACTION_DISCARD:
+@@ -655,7 +655,7 @@
+ &errmsg);
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Discarded\n");
+ break;
+
+@@ -689,12 +689,12 @@
+
+ if (ret == SIEVE_OK)
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Sent vacation reply\n");
+
+ } else if (ret == SIEVE_DONE) {
+ snprintf(actions_string+strlen(actions_string),
+- sizeof(actions_string)-strlen(actions_string),
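Review bot: The new bound `ACTIONS_STRING_LEN-strlen(actions_string)` in the script.c hunk at 546 is correct only if every buffer reaching this code is really ACTIONS_STRING_LEN bytes long and NUL-terminated, and neither the declaration nor the callers are visible here; the same applies to the hunks at 599, 615, 629, 643, 655 and 689. The replaced `sizeof(actions_string)` suggests the name is a pointer at this point rather than an array, which would be worth stating in a comment beside its declaration. The expression is now repeated at nine call sites and the return value of `snprintf` is dropped, so once the buffer fills, later entries are cut off silently. A small helper that measures the used length once and appends with `vsnprintf` would keep the bound in one place; the enclosing function starts and ends outside these hunks.

```c
/* Append one formatted entry to actions_string without writing past
 * ACTIONS_STRING_LEN bytes; an entry that does not fit is truncated. */
static void actions_append(char *actions_string, const char *fmt, ...)
{
    size_t used = strlen(actions_string);
    va_list ap;

    if (used >= ACTIONS_STRING_LEN - 1)
        return; /* buffer already full, nothing more can be recorded */
    va_start(ap, fmt);
    vsnprintf(actions_string + used, ACTIONS_STRING_LEN - used, fmt, ap);
    va_end(ap);
}

/* ... unchanged: action dispatch and error handling ... */
if (keep_ret == SIEVE_OK)
    actions_append(actions_string, "Kept\n");
```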
++ ACTIONS_STRING_LEN-strlen(actions_string),
+ "Vacation reply suppressed\n");
+
+ ret = SIEVE_OK;
+diff -urNad dovecot-1.0.15~/dovecot-sieve/src/libsieve/sieve.y dovecot-1.0.15/dovecot-sieve/src/libsieve/sieve.y
+--- dovecot-1.0.15~/dovecot-sieve/src/libsieve/sieve.y 2009-09-23 10:03:24.000000000 +0200
++++ dovecot-1.0.15/dovecot-sieve/src/libsieve/sieve.y 2009-09-23 10:49:51.000000000 +0200
+@@ -922,7 +922,7 @@
+ else if (!strcmp(r, "ne")) {return NE;}
+ else if (!strcmp(r, "eq")) {return EQ;}
+ else{
+- sprintf(errbuf, "flag '%s': not a valid relational operation", r);
++ snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r);
+ yyerror(errbuf);
+ return -1;
+ }
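Review bot: `snprintf(errbuf, sizeof(errbuf), ...)` in the sieve.y hunk at 922 bounds the write only if `errbuf` is an array in scope at this point; if it is a `char *`, `sizeof(errbuf)` is the pointer size and the message is cut to a few bytes. The declaration lies outside the hunk, so this should be confirmed, and a comment such as `/* errbuf is a local array, so sizeof gives its full size */` next to it would record the assumption. The value `r` is copied into the message and presumably comes from the script being parsed, which is why the bound matters here. The enclosing function starts above the hunk.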