[mod: In addition to this, Jon points us to: http://www.redhat.com/corp/support/errata/rh52-errata-general.html#imap for the official fix from Red Hat. -- REW] ---------- Forwarded message ---------- From: dumped <dumped@SEKURE.ORG> Subject: ipop2d buffer overflow fix Resent-Subject: ipop2d buffer overflow fix Date: Thu, 3 Jun 1999 17:29:05 -0300 Resent-Date: Fri, 4 Jun 1999 00:52:49 -0500 (CDT) Resent-From: Ron DuFresne <dufresne@winternet.com> To: BUGTRAQ@netspace.org Resent-To: dufresne <dufresne@darkstar.sysinfo.com> This patch fixes the buffer overflow previously pointed by Thiago. diff -Nur imap-4.4.orig/src/ipopd/ipop2d.c imap-4.4/src/ipopd/ipop2d.c --- imap-4.4.orig/src/ipopd/ipop2d.c Thu Jun 3 18:35:15 1999 +++ imap-4.4/src/ipopd/ipop2d.c Thu Jun 3 18:37:02 1999 @@ -10,7 +10,10 @@ * Internet: MRC@CAC.Washington.EDU * * Date: 28 October 1990 - * Last Edited: 13 July 1998 + * Last Edited: 3 June 1999 + * + * dumped (dumped@sekure.org) 3/Jun/99 : + * fixed a buffer overflow in c_fold() * * Copyright 1998 by the University of Washington * @@ -306,7 +309,8 @@ /* don't permit proxy to leave IMAP */ if (stream && stream->mailbox && (s = strchr (stream->mailbox,'}'))) { strncpy (tmp,stream->mailbox,i = (++s - stream->mailbox)); - strcpy (tmp+i,t); /* append mailbox to initial spec */ + strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox)); + /* append mailbox to initial spec */ t = tmp; } /* open mailbox, note # of messages */
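Review bot: In the @@ -306,7 +309,8 @@ hunk, the replacement strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox)) can leave tmp without a terminating NUL, and its length argument is not guarded against wrap-around. strncpy does not terminate the destination when t is at least as long as the count, and the preceding strncpy (tmp,stream->mailbox,i) copies exactly i bytes without a terminator either, so t = tmp may pass an unterminated string to the mailbox open that follows. If strlen(stream->mailbox) ever exceeds sizeof(tmp), the unsigned subtraction wraps to a very large count, and the first strncpy of i bytes is itself not bounded by sizeof(tmp). Suggest computing the remaining space from the offset actually used, sizeof(tmp) - i - 1, rejecting the request when i >= sizeof(tmp) - 1 or when strlen(t) exceeds that space, and setting tmp[sizeof(tmp) - 1] = '\0' after the copy. This assumes tmp is a char array, as the sizeof(tmp) in the patch implies; its declaration is outside the visible context.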