rpms / dovecot

Clone
Source Code
GIT

Blame SOURCES/dovecot-2.2.36-cve2019_11500_part3of4.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   158b54933b2f6af96ffb19a32389ee659a0972f3
  2.   SOURCES
  3.   dovecot-2.2.36-cve2019_11500_part3of4.patch
Blob History Raw
158b54 
From 7ce9990a5e6ba59e89b7fe1c07f574279aed922c Mon Sep 17 00:00:00 2001
158b54 
From: Timo Sirainen <timo.sirainen@open-xchange.com>
158b54 
Date: Fri, 10 May 2019 19:43:55 +0300
158b54 
Subject: [PATCH 1/2] lib-managesieve: Don't accept strings with NULs
158b54
158b54 
ManageSieve doesn't allow NULs in strings.
158b54
158b54 
This fixes a bug with unescaping a string with NULs: str_unescape() could
158b54 
have been called for memory that points outside the allocated string,
158b54 
causing heap corruption. This could cause crashes or theoretically even
158b54 
result in remote code execution exploit.
158b54
158b54 
Found by Nick Roessler and Rafi Rubin
158b54 
---
158b54 
 src/lib-managesieve/managesieve-parser.c | 5 +++++
158b54 
 1 file changed, 5 insertions(+)
158b54
158b54 
diff --git a/src/lib-managesieve/managesieve-parser.c b/src/lib-managesieve/managesieve-parser.c
158b54 
index d3eb2101..f5f9d323 100644
158b54 
--- a/src/lib-managesieve/managesieve-parser.c
158b54 
+++ b/src/lib-managesieve/managesieve-parser.c
158b54 
@@ -258,6 +258,11 @@ managesieve_parser_read_string(struct managesieve_parser *parser,
158b54 
 			break;
158b54 
 		}
158b54
158b54 
+		if (data[i] == '\0') {
158b54 
+			parser->error = "NULs not allowed in strings";
158b54 
+			return FALSE;
158b54 
+		}
158b54 
+
158b54 
 		if (data[i] == '\\') {
158b54 
 			if (i+1 == data_size) {
158b54 
 				/* known data ends with '\' - leave it to
158b54 
--
158b54 
2.11.0
158b54

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation