Version in base suite: 2.2.13-5 Version in overlay suite: (not present) Base version: kolab-cyrus-imapd_2.2.13-5 Target version: kolab-cyrus-imapd_2.2.13-5+lenny2 Base file: /org/ftp.debian.org/ftp/pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-5.dsc Target file: /org/ftp.debian.org/queue/p-u-new/kolab-cyrus-imapd_2.2.13-5+lenny2.dsc debian/patches/0024-upstream-fix-sieve.dpatch | 142 +++++++++++++++++++++++++ kolab-cyrus-imapd-2.2.13/debian/changelog | 15 ++ kolab-cyrus-imapd-2.2.13/debian/patches/00list | 1 3 files changed, 158 insertions(+) diff -u kolab-cyrus-imapd-2.2.13/debian/changelog kolab-cyrus-imapd-2.2.13/debian/changelog --- kolab-cyrus-imapd-2.2.13/debian/changelog +++ kolab-cyrus-imapd-2.2.13/debian/changelog @@ -1,3 +1,18 @@ +kolab-cyrus-imapd (2.2.13-5+lenny2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * sieve/bc_eval.c: Use snprintf to avoid buffer overruns + + -- Giuseppe Iuculano Wed, 23 Sep 2009 12:12:27 +0200 + +kolab-cyrus-imapd (2.2.13-5+lenny1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix buffer overflow in SIEVE script component + (CVE-2009-3235, CVE-2009-2632) + + -- Giuseppe Iuculano Tue, 22 Sep 2009 23:00:42 +0200 + kolab-cyrus-imapd (2.2.13-5) unstable; urgency=low * Synced against cyrus-imapd package (closes: #475128) diff -u kolab-cyrus-imapd-2.2.13/debian/patches/00list kolab-cyrus-imapd-2.2.13/debian/patches/00list --- kolab-cyrus-imapd-2.2.13/debian/patches/00list +++ kolab-cyrus-imapd-2.2.13/debian/patches/00list @@ -74,0 +75 @@ +0024-upstream-fix-sieve only in patch2: unchanged: --- kolab-cyrus-imapd-2.2.13.orig/debian/patches/0024-upstream-fix-sieve.dpatch +++ kolab-cyrus-imapd-2.2.13/debian/patches/0024-upstream-fix-sieve.dpatch @@ -0,0 +1,142 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 0024-upstream-fix-sieve.dpatch by Giuseppe Iuculano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad kolab-cyrus-imapd-2.2.13~/sieve/bc_eval.c kolab-cyrus-imapd-2.2.13/sieve/bc_eval.c +--- kolab-cyrus-imapd-2.2.13~/sieve/bc_eval.c 2009-09-23 11:27:37.000000000 +0200 ++++ kolab-cyrus-imapd-2.2.13/sieve/bc_eval.c 2009-09-23 11:28:09.000000000 +0200 +@@ -440,7 +440,7 @@ + int comparator=ntohl(bc[i+3].value); + int apart=ntohl(bc[i+4].value); + int count=0; +- char scount[3]; ++ char scount[21]; + int isReg = (match==B_REGEX); + int ctag = 0; + regex_t *reg; +@@ -574,7 +574,7 @@ + + if (match == B_COUNT) + { +- sprintf(scount, "%u", count); ++ snprintf(scount, sizeof(scount), "%u", count); + /* search through all the data */ + currd=datai+2; + for (z=0; zerr) { + char buf[1024]; + if (lastaction == -1) /* we never executed an action */ +- sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret)); ++ snprintf(buf, sizeof(buf), "%s", errmsg ? errmsg : sieve_errstr(ret)); + else +- sprintf(buf, "%s: %s", action_to_string(lastaction), ++ snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction), + errmsg ? errmsg : sieve_errstr(ret)); + + ret |= interp->execute_err(buf, interp->interp_context, +@@ -551,7 +551,7 @@ + ret |= keep_ret; + if (keep_ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Kept\n"); + else { + implicit_keep = 0; /* don't try an implicit keep again */ +@@ -604,7 +604,7 @@ + + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Rejected with: %s\n", a->u.rej.msg); + + break; +@@ -620,7 +620,7 @@ + + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Filed into: %s\n",a->u.fil.mailbox); + break; + case ACTION_KEEP: +@@ -634,7 +634,7 @@ + &errmsg); + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Kept\n"); + break; + case ACTION_REDIRECT: +@@ -648,7 +648,7 @@ + &errmsg); + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Redirected to %s\n", a->u.red.addr); + break; + case ACTION_DISCARD: +@@ -660,7 +660,7 @@ + &errmsg); + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Discarded\n"); + break; + +@@ -694,12 +694,12 @@ + + if (ret == SIEVE_OK) + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Sent vacation reply\n"); + + } else if (ret == SIEVE_DONE) { + snprintf(actions_string+strlen(actions_string), +- sizeof(actions_string)-strlen(actions_string), ++ ACTIONS_STRING_LEN-strlen(actions_string), + "Vacation reply suppressed\n"); + + ret = SIEVE_OK; +diff -urNad kolab-cyrus-imapd-2.2.13~/sieve/sieve.y kolab-cyrus-imapd-2.2.13/sieve/sieve.y +--- kolab-cyrus-imapd-2.2.13~/sieve/sieve.y 2009-09-23 11:27:37.000000000 +0200 ++++ kolab-cyrus-imapd-2.2.13/sieve/sieve.y 2009-09-23 11:27:44.000000000 +0200 +@@ -923,7 +923,7 @@ + else if (!strcmp(r, "ne")) {return NE;} + else if (!strcmp(r, "eq")) {return EQ;} + else{ +- sprintf(errbuf, "flag '%s': not a valid relational operation", r); ++ snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r); + yyerror(errbuf); + return -1; + }