File dovecot-1.1.x_sieve_buffer_overflows.patch of Package dovecot11

Overview Repositories Revisions Requests Users Attributes Meta

File dovecot-1.1.x_sieve_buffer_overflows.patch of Package dovecot11

# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1252884667 14400
# Node ID 049f2252062869c1ec70d854e7160e46d70bd41b
# Parent 4577c4e1130d3f5a7d9919181cf8282879d975d1
libsieve: Another sprintf() buffer overflow fix.
(Forgot to change .y file in previous commit.)

--- dovecot-sieve-1.1.5/src/libsieve/sieve.y	Sun Sep 13 19:26:42 2009 -0400
+++ dovecot-sieve-1.1.5/src/libsieve/sieve.y	Sun Sep 13 19:31:07 2009 -0400
@@ -1135,7 +1135,7 @@ static int verify_relat(char *r)
 	else if (!strcmp(r, "ne")) {return NE;}
 	else if (!strcmp(r, "eq")) {return EQ;}
 	else{
-	  sprintf(errbuf, "flag '%s': not a valid relational operation", r);
+	  snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r);
 	  yyerror(errbuf);
 	  return -1;
 	}

# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1252884402 14400
# Node ID 4577c4e1130d3f5a7d9919181cf8282879d975d1
# Parent c1402bcf9bd36a7006a3004ace7f0ab30aa34f64
libsieve: Fixed several sprintf() buffer overflows.

--- dovecot-sieve-1.1.5/src/libsieve/bc_eval.c	Tue Sep 01 13:24:21 2009 -0400
+++ dovecot-sieve-1.1.5/src/libsieve/bc_eval.c	Sun Sep 13 19:26:42 2009 -0400
@@ -477,7 +477,7 @@ static int eval_bc_test(sieve_interp_t *
 	int comparator=ntohl(bc[i+3].value);
 	int apart=ntohl(bc[i+4].value);
 	int count=0;
-	char scount[3];
+	char scount[20];
 	int isReg = (match==B_REGEX);
 	int ctag = 0;
 	regex_t *reg;
@@ -646,7 +646,7 @@ static int eval_bc_test(sieve_interp_t *
 	int relation=ntohl(bc[i+2].value);
 	int comparator=ntohl(bc[i+3].value);
 	int count=0;	
-	char scount[3];
+	char scount[20];
 	int isReg = (match==B_REGEX);
 	int ctag = 0;
 	regex_t *reg;
@@ -767,7 +767,7 @@ static int eval_bc_test(sieve_interp_t *
 	int transform=ntohl(bc[i+4].value);
 	/*int offset=ntohl(bc[i+5].value);*/
 	int count=0;
-	char scount[3];
+	char scount[20];
 	int isReg = (match==B_REGEX);
 	int ctag = 0;
 	regex_t *reg;
--- dovecot-sieve-1.1.5/src/libsieve/script.c	Tue Sep 01 13:24:21 2009 -0400
+++ dovecot-sieve-1.1.5/src/libsieve/script.c	Sun Sep 13 19:26:42 2009 -0400
@@ -609,9 +609,9 @@ static int do_sieve_error(int ret,
     if ((ret != SIEVE_OK) && interp->err) {
 	char buf[1024];
 	if (lastaction == -1) /* we never executed an action */
-	    sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret));
+	    snprintf(buf, sizeof(buf), "%s", errmsg ? errmsg : sieve_errstr(ret));
 	else
-	    sprintf(buf, "%s: %s", action_to_string(lastaction),
+	    snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction),
 		    errmsg ? errmsg : sieve_errstr(ret));
  
 	ret |= interp->execute_err(buf, interp->interp_context,
@@ -629,7 +629,7 @@ static int do_sieve_error(int ret,
 	ret |= keep_ret;
         if (keep_ret == SIEVE_OK)
             snprintf(actions_string+strlen(actions_string),
-		     sizeof(actions_string)-strlen(actions_string),
+		     ACTIONS_STRING_LEN-strlen(actions_string),
 		     "Kept\n");
 	else {
 	    implicit_keep = 0;	/* don't try an implicit keep again */
@@ -682,7 +682,7 @@ static int do_action_list(sieve_interp_t
 	    
 	    if (ret == SIEVE_OK)
 		snprintf(actions_string+strlen(actions_string),
-			 sizeof(actions_string)-strlen(actions_string), 
+			 ACTIONS_STRING_LEN-strlen(actions_string), 
 			 "Rejected with: %s\n", a->u.rej.msg);
 
 	    break;
@@ -697,7 +697,7 @@ static int do_action_list(sieve_interp_t
 
 	    if (ret == SIEVE_OK)
 		snprintf(actions_string+strlen(actions_string),
-			 sizeof(actions_string)-strlen(actions_string),
+			 ACTIONS_STRING_LEN-strlen(actions_string),
 			 "Filed into: %s\n",a->u.fil.mailbox);
 	    break;
 	case ACTION_KEEP:
@@ -710,7 +710,7 @@ static int do_action_list(sieve_interp_t
 			       &errmsg);
 	    if (ret == SIEVE_OK)
 		snprintf(actions_string+strlen(actions_string),
-			 sizeof(actions_string)-strlen(actions_string),
+			 ACTIONS_STRING_LEN-strlen(actions_string),
 			 "Kept\n");
 	    break;
 	case ACTION_REDIRECT:
@@ -723,7 +723,7 @@ static int do_action_list(sieve_interp_t
 				   &errmsg);
 	    if (ret == SIEVE_OK)
 		snprintf(actions_string+strlen(actions_string),
-			 sizeof(actions_string)-strlen(actions_string),
+			 ACTIONS_STRING_LEN-strlen(actions_string),
 			 "Redirected to %s\n", a->u.red.addr);
 	    break;
 	case ACTION_DISCARD:
@@ -734,7 +734,7 @@ static int do_action_list(sieve_interp_t
 				      &errmsg);
 	    if (ret == SIEVE_OK)
 		snprintf(actions_string+strlen(actions_string),
-			 sizeof(actions_string)-strlen(actions_string),
+			 ACTIONS_STRING_LEN-strlen(actions_string),
 			 "Discarded\n");
 	    break;
 
@@ -760,12 +760,12 @@ static int do_action_list(sieve_interp_t
 
 		    if (ret == SIEVE_OK)
 			snprintf(actions_string+strlen(actions_string),
-				 sizeof(actions_string)-strlen(actions_string),
+				 ACTIONS_STRING_LEN-strlen(actions_string),
 				 "Sent vacation reply\n");
 
 		} else if (ret == SIEVE_DONE) {
 		    snprintf(actions_string+strlen(actions_string),
-			     sizeof(actions_string)-strlen(actions_string),
+			     ACTIONS_STRING_LEN-strlen(actions_string),
 			     "Vacation reply suppressed\n");
 
 		    ret = SIEVE_OK;

Places

File dovecot-1.1.x_sieve_buffer_overflows.patch of Package dovecot11

Places