rpms / dovecot

Clone
Source Code
GIT

Blame SOURCES/dovecot-2.2.36-cve2019_11500_part1of4.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   7f3edca6d99b315a64b0d4519fc5f02dab58ec94
  2.   SOURCES
  3.   dovecot-2.2.36-cve2019_11500_part1of4.patch
Blob History Raw
af53bc 
From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
af53bc 
From: Timo Sirainen <timo.sirainen@open-xchange.com>
af53bc 
Date: Fri, 10 May 2019 19:24:51 +0300
af53bc 
Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
af53bc
af53bc 
IMAP doesn't allow NULs except in binary literals. We'll still allow them
af53bc 
in regular literals as well, but just not in strings.
af53bc
af53bc 
This fixes a bug with unescaping a string with NULs: str_unescape() could
af53bc 
have been called for memory that points outside the allocated string,
af53bc 
causing heap corruption. This could cause crashes or theoretically even
af53bc 
result in remote code execution exploit.
af53bc
af53bc 
Found by Nick Roessler and Rafi Rubin
af53bc 
---
af53bc 
 src/lib-imap/imap-parser.c | 6 ++++++
af53bc 
 1 file changed, 6 insertions(+)
af53bc
af53bc 
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
af53bc 
index dddf55189..f41668d7a 100644
af53bc 
--- a/src/lib-imap/imap-parser.c
af53bc 
+++ b/src/lib-imap/imap-parser.c
af53bc 
@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser,
af53bc 
 			break;
af53bc 
 		}
af53bc
af53bc 
+		if (data[i] == '\0') {
af53bc 
+			parser->error = "NULs not allowed in strings";
af53bc 
+			return FALSE;
af53bc 
+		}
af53bc 
+
af53bc 
 		if (data[i] == '\\') {
af53bc 
 			if (i+1 == data_size) {
af53bc 
 				/* known data ends with '\' - leave it to
af53bc 
--
af53bc 
2.11.0
af53bc

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation