diff -urN fetchmail-5.9.11/debian/changelog fetchmail-5.9.11-6.1/debian/changelog
--- fetchmail-5.9.11/debian/changelog	2002-10-15 05:53:47.000000000 +0900
+++ fetchmail-5.9.11-6.1/debian/changelog	2002-10-15 05:53:07.000000000 +0900
@@ -1,3 +1,10 @@
+fetchmail (5.9.11-6.1) stable-security; urgency=high
+
+  * SECURITY FIX: Stefan Esser's fix for potential remote vulnerability in
+    multidrop mode (backported from new upstream 6.1.0)
+
+ -- Benjamin Drieu <benj@debian.org>  Fri, 27 Sep 2002 16:01:58 +0200
+
 fetchmail (5.9.11-6) testing-security; urgency=high
 
   * SECURITY FIX: avoid buffer overflow on 64bit archs (imap.c)
diff -urN fetchmail-5.9.11/mxget.c fetchmail-5.9.11-6.1/mxget.c
--- fetchmail-5.9.11/mxget.c	2001-03-04 14:25:21.000000000 +0900
+++ fetchmail-5.9.11-6.1/mxget.c	2002-10-15 05:53:07.000000000 +0900
@@ -68,6 +68,8 @@
     n = res_search(name, C_IN,T_MX, (unsigned char *)&answer, sizeof(answer));
     if (n == -1)
 	return((struct mxentry *)NULL);
+    if (n > sizeof(answer))
+	n = sizeof(answer);    	
 
     hp = (HEADER *)&answer;
     cp = answer + HFIXEDSZ;
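Review bot: The new clamp compares the signed return value of res_search() with `sizeof(answer)`, and there is still no lower bound, so a reply shorter than the fixed header reaches `cp = answer + HFIXEDSZ` and the parsing that follows. Assuming n is an int, as the `n == -1` test suggests, I would make the conversion explicit and reject short replies first: `if (n < HFIXEDSZ) return((struct mxentry *)NULL);` then `if ((size_t)n > sizeof(answer)) n = sizeof(answer);`. A clamped n also means the answer was truncated, so the record-walking code, which lies outside this hunk, has to stop at `answer + n` rather than trust the counts in the header.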
diff -urN fetchmail-5.9.11/transact.c fetchmail-5.9.11-6.1/transact.c
--- fetchmail-5.9.11/transact.c	2002-10-15 05:53:47.000000000 +0900
+++ fetchmail-5.9.11-6.1/transact.c	2002-10-15 05:53:07.000000000 +0900
@@ -188,6 +188,8 @@
     char *base, *ok = (char *)NULL;
     static char rbuf[HOSTLEN + USERNAMELEN + 4]; 
 
+#define RBUF_WRITE(value) if (tp < rbuf+sizeof(rbuf)-1) *tp++=value
+
     /*
      * Try to extract the real envelope addressee.  We look here
      * specifically for the mailserver's Received line.
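Review bot: RBUF_WRITE expands to a bare `if` statement, which would pair with any `else` that follows it; that is presumably why the `if (!isspace(*sp))` branch later in this patch had to gain braces. I would wrap the body and parenthesize the argument: `#define RBUF_WRITE(value) do { if (tp < rbuf + sizeof(rbuf) - 1) *tp++ = (value); } while (0)`. A one-line comment stating that the macro drops bytes once rbuf is full, keeping one byte for the terminating NUL, would help the next reader. An `#undef RBUF_WRITE` at the end of the function, which is outside this hunk, would keep the macro from leaking into the rest of the file.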
@@ -215,7 +217,7 @@
 		continue;
 	    tp = rbuf;
 	    for (; !isspace(*sp); sp++)
-		*tp++ = *sp;
+		RBUF_WRITE(*sp);
 	    *tp = '\0';
 
 	    /* look for valid address */
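Review bot: The copy loop `for (; !isspace(*sp); sp++)` still stops only on whitespace, so if the header text ends without any, the read runs past the terminating NUL even though the write is now bounded; the same loop appears in the next hunk (`-263`). `isspace()` is also passed a plain char, which is undefined for negative values where char is signed. I would use `for (; *sp && !isspace((unsigned char)*sp); sp++)` in both places. Whether the line is guaranteed to end in a newline depends on code outside these hunks.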
@@ -263,7 +265,7 @@
 		    continue;
 		tp = rbuf;
 		for (; !isspace(*sp); sp++)
-		    *tp++ = *sp;
+		    RBUF_WRITE(*sp);
 		*tp = '\0';
 
 		if (strchr(rbuf, '@'))
@@ -281,8 +283,8 @@
 	    for (sp = ok + 4; isspace(*sp); sp++)
 		continue;
 	    tp = rbuf;
-	    *tp++ = ':';	/* Here is the hack.  This is to be friends */
-	    *tp++ = ' ';	/* with nxtaddr()... */
+	    RBUF_WRITE(':');	/* Here is the hack.  This is to be friends */
+	    RBUF_WRITE(' ');	/* with nxtaddr()... */
 	    if (*sp == '<')
 	    {
 		want_gt = TRUE;
@@ -295,14 +297,17 @@
                    && (want_gt ? (*sp != '>') : !isspace(*sp))
                    && *sp != ';')
 		if (!isspace(*sp))
-		    *tp++ = *sp++;
+		{
+		    RBUF_WRITE(*sp);
+		    sp++;
+		}    
 		else
 		{
 		    /* uh oh -- whitespace here can't be right! */
 		    ok = (char *)NULL;
 		    break;
 		}
-	    *tp++ = '\n';
+	    RBUF_WRITE('\n');
 	    *tp = '\0';
 	    if (strlen(rbuf) <= 3)	/* apparently nothing has been found */
 		ok = NULL;
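Review bot: An over-long address is now truncated silently and still accepted, because the only validity test after the copy is `strlen(rbuf) <= 3`. When rbuf is full the `RBUF_WRITE('\n')` is dropped as well, so the string handed on no longer ends in the newline that accompanies the `": "` prefix written for nxtaddr(). Treating a full buffer as a parse failure looks safer than continuing with a shortened address: `if (tp >= rbuf + sizeof(rbuf) - 1) ok = (char *)NULL;` placed before the newline is written. That also rejects an address that fills the buffer exactly, which seems an acceptable cost; how `ok` is used afterwards is outside the hunk.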
@@ -660,7 +665,8 @@
 	 */
 	if (!strncasecmp("Return-Path:", line, 12) && (cp = nxtaddr(line)))
 	{
-	    strcpy(msgblk.return_path, cp);
+	    strncpy(msgblk.return_path, cp, sizeof(msgblk.return_path));
+	    msgblk.return_path[sizeof(msgblk.return_path)-1] = '\0';
 	    if (!ctl->mda) {
 		free(line);
 		continue;
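Review bot: The strncpy() pair stops the overflow but truncates silently, so an over-long Return-Path becomes a different, shorter address that is presumably used later as the envelope sender; the same two lines are repeated in the hunk at `-912`. Consider skipping the assignment when `strlen(cp) >= sizeof(msgblk.return_path)`, or at least reporting it, instead of storing a cut-off address. `sizeof(msgblk.return_path)` is the buffer size only if return_path is declared as an array, which is not visible here and is worth a comment. Because the pair appears twice, a small static helper would keep the two copies from drifting apart.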
@@ -912,7 +918,10 @@
 	else if (app_from_offs >= 0 && (ap = nxtaddr(msgblk.headers + app_from_offs)));
 	/* multi-line MAIL FROM addresses confuse SMTP terribly */
 	if (ap && !strchr(ap, '\n')) 
-	    strcpy(msgblk.return_path, ap);
+	{
+	    strncpy(msgblk.return_path, ap, sizeof(msgblk.return_path));
+	    msgblk.return_path[sizeof(msgblk.return_path)-1] = '\0';
+	}
     }
 
     /* cons up a list of local recipients */
@@ -1174,22 +1183,39 @@
 		for (idp = msgblk.recipients; idp; idp = idp->next)
 		    if (idp->val.status.mark == XMIT_REJECT)
 			break;
-		sprintf(errhd+strlen(errhd), GT_("recipient address %s didn't match any local name"), idp->id);
+#ifdef HAVE_SNPRINTF
+		snprintf(errhd+strlen(errhd), sizeof(errhd)-strlen(errhd),
+#else
+		sprintf(errhd+strlen(errhd),
+#endif /* HAVE_SNPRINTF */
+			GT_("recipient address %s didn't match any local name"), idp->id);
 	    }
 	}
 
 	if (has_nuls)
 	{
 	    if (errhd[sizeof("X-Fetchmail-Warning: ")])
+#ifdef HAVE_SNPRINTF
+		snprintf(errhd+strlen(errhd), sizeof(errhd)-strlen(errhd), "; ");
+	    snprintf(errhd+strlen(errhd), sizeof(errhd)-strlen(errhd),
+#else
 		strcat(errhd, "; ");
-	    strcat(errhd, GT_("message has embedded NULs"));
+	    strcat(errhd,
+#endif /* HAVE_SNPRINTF */
+			GT_("message has embedded NULs"));
 	}
 
 	if (bad_addresses)
 	{
 	    if (errhd[sizeof("X-Fetchmail-Warning: ")])
+#ifdef HAVE_SNPRINTF
+		snprintf(errhd+strlen(errhd), sizeof(errhd)-strlen(errhd), "; ");
+	    snprintf(errhd+strlen(errhd), sizeof(errhd)-strlen(errhd),
+#else
 		strcat(errhd, "; ");
-	    strcat(errhd, GT_("SMTP listener rejected local recipient addresses: "));
+	    strcat(errhd,
+#endif /* HAVE_SNPRINTF */
+			GT_("SMTP listener rejected local recipient addresses: "));
 	    errlen = strlen(errhd);
 	    for (idp = msgblk.recipients; idp; idp = idp->next)
 		if (idp->val.status.mark == XMIT_RCPTBAD)
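Review bot: The `#else` branches keep the unbounded `sprintf(errhd+strlen(errhd), ...)` and `strcat(errhd, ...)` calls, so on a build without HAVE_SNPRINTF this part of the fix is absent and the rejected recipient address `idp->id` can still overrun errhd. The fallback needs its own length test, for example `if (strlen(errhd) + strlen(msg) < sizeof(errhd)) strcat(errhd, msg);`, with the `%s` case checked against `strlen(idp->id)` in the same way. Splitting one call across `#ifdef`/`#else` also makes the unbraced `if (errhd[sizeof("X-Fetchmail-Warning: ")])` hard to follow; a single static append helper that hides the conditional would read better and give one place to bound the write. The loop that appends the bad addresses starts at the end of this hunk and continues outside it, so it should be checked for the same bound.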

