Steffen "Daode" Nurpmeso <[email protected]> writes:

> Hello all,

Hi,

> i've detected two bugs of mine and want to report they're fixed
> and cherry-picked onto the *master* branch.
> The plain diffs are also attached below and may be patched into
> S-nail 14.2 (small offset, but will succeed).
>
> . The first bug is a possible buffer overflow in a snprintf(3)
> statement that may happen when displaying a mail.
> In short -- we yet did not reserve any space for printing two
> integers but assumed that the numbers would well fit into the 16
> format characters that disappear during the snprintf(3).
> This is not true when the second bug hit though, since then
> UINT64_MAX (may) happen(s), and that is 18446744073709551615.
>
> . The second one is a partial reverse of (Tweak MIME boundary
> detection.., 2012-12-20), or, to be exact, we'll use the
> original if() condition again (but adjusted to new codeflow).
> A Microsoft Word-created mail on the ICU list revealed
> a weakness in the boundary code that caused some boundary to
> be missed. (We _want_ the single-pass MIME part parser...)
>
> Ugly, ugly… but i don't think this is worth a maintenance release,
> not at last because i don't know of any packaged S-nail.

I assumed you were aware of this, but there is an OpenBSD port[1], which
has replaced[2] Heirloom mailx. We can of course integrate those patches
in the 14.2 port, so you don't need to post a maintenance release if you
don't want to. Just tell us if you change your opinion, so that William
(the port maintainer) or I don't submit a useless patch.

> I would encourage you to update your *master* branch and rebuild,
> though. The fixes will be included in the next regular minor
> version of S-nail, most likely at the end of this summer.
>
> Ciao, and sorry for the inconvenience!
>
> --steffen

[1] http://marc.info/?l=openbsd-ports-cvs&m=136452928921103&w=2
[2] http://marc.info/?l=openbsd-ports-cvs&m=136452953721136&w=2

--
Jérémie Courrèges-Anglas
PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494

_______________________________________________
nail-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nail-devel
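
The buffer-sizing assumption described in the quoted report, as an added example that is not part of either message and is not S-nail's code: the format string, macros and function names are constructed for illustration. It compares a budget taken from the format text with what `snprintf(3)` actually needs for `UINT64_MAX`, and shows a call that checks the return value for truncation.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format with two integer conversions (not S-nail's own). */
#define FMT "[%4" PRIu64 "/%4" PRIu64 "]"

/* A uint64_t prints as at most 20 decimal digits (UINT64_MAX). */
#define U64_DIGITS 20
/* Worst case: the literal characters "[/]", two full-width numbers, NUL. */
#define WORST_CASE (3 + 2 * U64_DIGITS + 1)

/* The flawed budget: assume the expanded numbers fit into the space the
 * conversion specifications occupy in the format text. */
static size_t naive_budget(void)
{
    return strlen(FMT) + 1;
}

/* Bytes really required, NUL included; snprintf(NULL, 0, ...) only counts. */
static size_t needed(uint64_t a, uint64_t b)
{
    int n = snprintf(NULL, 0, FMT, a, b);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting that reports truncation instead of hiding it.
 * Returns 0 on success, -1 on an encoding error or if output was cut. */
static int format_checked(char *buf, size_t size, uint64_t a, uint64_t b)
{
    int n = snprintf(buf, size, FMT, a, b);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char buf[WORST_CASE];

    printf("naive budget %zu, needed for (12, 345): %zu\n",
           naive_budget(), needed(12, 345));
    printf("needed for UINT64_MAX twice: %zu (worst case %d)\n",
           needed(UINT64_MAX, UINT64_MAX), WORST_CASE);
    if (format_checked(buf, sizeof buf, UINT64_MAX, UINT64_MAX) == 0)
        puts(buf);
    return 0;
}
```

The naive budget holds for small values and fails only once an out-of-range value such as `UINT64_MAX` reaches the format call, which is why an unrelated parsing bug was needed to expose it.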
