Package: exim-tls
Version: 3.35-3woody1
Severity: normal
Justification: security hole
Tags: security patch

Patch from the Exim3 package that applies cleanly to Exim-tls below.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux soapstone 2.6.8.1.murb3 #1 Wed Nov 24 16:24:57 CET 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages exim-tls depends on:
ii cron 3.0pl1-72 management of regular background p
ii debianutils 1.16.2woody1 Miscellaneous utilities specific t
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libdb3 3.2.9-16 Berkeley v3 Database Libraries [ru
ii libdb3-util 3.2.9-16 Berkeley v3 Database Utilities
ii libident 0.22-2 simple RFC1413 client library - ru
ii libldap2 2.0.23-6.3 OpenLDAP libraries.
ii libpam0g 0.72-35 Pluggable Authentication Modules l
ii libpcre3 3.4-1.1 Philip Hazel's Perl Compatible Reg
ii libssl0.9.6 0.9.6c-2.woody.7 SSL shared libraries
ii netbase 4.07 Basic TCP/IP networking system
ii openssl 0.9.6c-2.woody.7 Secure Socket Layer (SSL) binary a

diff -urN --exclude=debian --exclude=README.orig --exclude=EDITME exim-tls/exim-tls-3.35/src/accept.c exim/exim-3.35/src/accept.c --- exim-tls/exim-tls-3.35/src/accept.c Tue Feb 19 10:10:41 2002 +++ exim/exim-3.35/src/accept.c Wed Jan 12 12:44:51 2005 @@ -1895,7 +1895,8 @@ char *verb = "is"; int len; - while (*t != ':') *tt++ = *t++; + while (*t != ':' && (tt < (hname + sizeof(hname)-2))) + *tt++ = *t++; *tt = 0; /* Arrange not to include any white space at the end in the diff -urN --exclude=debian --exclude=README.orig --exclude=EDITME exim-tls/exim-tls-3.35/src/host.c exim/exim-3.35/src/host.c --- exim-tls/exim-tls-3.35/src/host.c Tue Feb 19 10:10:43 2002 +++ exim/exim-3.35/src/host.c Wed Jan 12 12:44:51 2005 
@@ -626,6 +626,9 @@ { int len = strcspn(p, ":"); if (len == 0) nulloffset = ci; + if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", + address); component[ci++] = p; p += len; if (*p == ':') p++; diff -urN --exclude=debian --exclude=README.orig --exclude=EDITME exim-tls/exim-tls-3.35/src/lookups/dnsdb.c exim/exim-3.35/src/lookups/dnsdb.c --- exim-tls/exim-tls-3.35/src/lookups/dnsdb.c Tue Feb 19 10:10:44 2002 +++ exim/exim-3.35/src/lookups/dnsdb.c Wed Jan 12 12:44:51 2005 @@ -116,7 +116,7 @@ /* If the type is PTR, we have to construct the relevant magic lookup key. */ -if (type == T_PTR) +if (type == T_PTR && string_is_ip_address(keystring, NULL)) { char *p = keystring + (int)strlen(keystring); char *pp = buffer; diff -urN --exclude=debian --exclude=README.orig --exclude=EDITME exim-tls/exim-tls-3.35/src/verify.c exim/exim-3.35/src/verify.c --- exim-tls/exim-tls-3.35/src/verify.c Tue Feb 19 10:10:46 2002 +++ exim/exim-3.35/src/verify.c Wed Jan 12 12:44:51 2005 @@ -892,7 +892,7 @@ /* Set up the key for the reject hints database, and attempt to open it. If successful, read the record. */ -sprintf(buffer, "%s:%.200s", sender_address, +snprintf(buffer, sizeof(buffer), "%s:%.200s", sender_address, (sender_host_name != NULL)? sender_host_name : (sender_host_address != NULL)? sender_host_address : ""); @@ -1182,7 +1182,7 @@ O_WRONLY) is needed by Berkeley native DB even when reading only. If the database won't open, we can do no more. */ -sprintf(buffer, "%s:%.200s", sender_address, +snprintf(buffer, sizeof(buffer), "%s:%.200s", sender_address, (sender_host_name != NULL)? sender_host_name : (sender_host_address != NULL)? sender_host_address : "");
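
Review bot: in the src/accept.c hunk (@@ -1895), the new loop condition bounds tt but still never tests *t for the terminating NUL, and when the loop stops because hname is full, t is left short of the ':' with nothing recording that the name was truncated. Consider adding "*t != 0" to the condition and handling the truncated case explicitly after "*tt = 0" (for example by rechecking "*t != ':'"), so later code cannot mistake a cut-off header name for a complete one. The bound also depends on hname being an array; its declaration is outside the hunk, so sizeof(hname) is worth confirming, and a short comment explaining the "-2" margin would help.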
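
Review bot: in the src/host.c hunk (@@ -626), the guard "if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, ...)" protects "component[ci++] = p;" only if log_write never returns when LOG_PANIC_DIE is set; the store on the next line is unconditional. If that guarantee is documented elsewhere, a comment here saying so would make the check self-evident; otherwise put the store in an else branch or return after logging. The literal 7 should be tied to the declared size of component (not visible in the hunk) rather than repeated as a magic number, and since the message calls this an "Internal error", callers passing externally supplied strings should validate them before reaching host_aton().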
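
Review bot: in the src/lookups/dnsdb.c hunk (@@ -116), adding "&& string_is_ip_address(keystring, NULL)" means a PTR lookup whose key is not an IP address now skips the key-construction block and falls through with keystring unmodified, and nothing in the hunk says what should happen in that case. Please state the intended behaviour for a non-IP PTR key (fail the lookup, or look it up as given) and update the comment above the condition, which still reads "If the type is PTR, we have to construct the relevant magic lookup key" without mentioning the new requirement.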
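
Review bot: in the first src/verify.c hunk (@@ -892), the snprintf return value is ignored, so an over-long sender_address now yields a silently truncated reject-hints key instead of an overflow, and a truncated key can fail to match or can match a different record. The "%s" for sender_address is still unbounded while the host part is limited with "%.200s"; either give sender_address a precision that fits buffer, or compare the return value against sizeof(buffer) and skip the hints lookup on truncation. sizeof(buffer) is only the right bound if buffer is an array at this point; its declaration is outside the hunk.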
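
Review bot: in the second src/verify.c hunk (@@ -1182), the key is built with the same "%s:%.200s" snprintf call as at @@ -892, again without checking the result, so the two sites must truncate identically for a record written under one key to be found under the other. Moving the key construction into one small helper used by both call sites would keep them in step and give a single place to detect truncation (return value >= sizeof(buffer)) before the database is opened.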