Patch a remotely exploitable root buffer overflow, as reported by a

nruns.com security advisory published on the Full-Disclosure list.

2 files changed, 130 insertions, 1 deletions

diff --git a/databases/cyrus-imspd/Makefile b/databases/cyrus-imspd/Makefile
index 968fd1892afe..225e1b00838c 100644
--- a/databases/cyrus-imspd/Makefile
+++ b/databases/cyrus-imspd/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	cyrus-imspd
 PORTVERSION= 	1.6a3
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	databases mail
 MASTER_SITES=	ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \
 		ftp://ftp.hanse.de/sites/transit/mirror/ftp.andrew.cmu.edu/pub/cyrus-mail/
diff --git a/databases/cyrus-imspd/files/patch-imsp::abook.c b/databases/cyrus-imspd/files/patch-imsp::abook.c
new file mode 100644
index 000000000000..ca6cae45d264
--- /dev/null
+++ b/databases/cyrus-imspd/files/patch-imsp::abook.c
@@ -0,0 +1,129 @@
+--- imsp/abook.c.orig	Mon Dec 15 15:52:51 2003
++++ imsp/abook.c	Mon Dec 15 15:58:41 2003
+@@ -68,8 +68,9 @@
+ /* generate the database name for an address book
+  *  returns -1 for invalid name, otherwise returns length of owner name
+  */
+-static int abook_dbname(dbname, name)
++static int abook_dbname(dbname, name, dbnamelen)
+     char *dbname, *name;
++    size_t dbnamelen;
+ {
+     char *split;
+     int len = strlen(name), ownerlen;
+@@ -86,7 +87,9 @@
+ 	ownerlen = split - name;
+     }
+ 
+-    sprintf(dbname, abookdb, ownerlen, name, name);
++    if (snprintf(dbname, dbnamelen, abookdb, ownerlen, name,
++      name) >= dbnamelen)
++	    return (-1);
+ 
+     return (ownerlen);
+ }
+@@ -104,7 +107,7 @@
+     long mask = 0;
+ 
+     /* look up the database */
+-    len = abook_dbname(dbname, name);
++    len = abook_dbname(dbname, name, sizeof(dbname));
+     if (len < 0) return (0);
+     
+     /* get the ACL */
+@@ -161,7 +164,7 @@
+ 	while (dot >= cname && *dot != '.') --dot;
+ 	if (dot >= cname) *dot = '\0';
+ 	sdb_get(abooks, cname, SDB_ICASE, pacl);
+-	abook_dbname(dbname, cname);
++	abook_dbname(dbname, cname, sizeof(dbname));
+ 	exists = sdb_check(dbname);
+ 	if (exists == 0) mask = abook_rights(id, cname, *pacl);
+         if (dot >= cname) --dot;
+@@ -212,7 +215,7 @@
+     state->kv = NULL;
+     *count = 0;
+     *freedata = 0;
+-    if (abook_dbname(dbname, name) < 0) return (NULL);
++    if (abook_dbname(dbname, name, sizeof(dbname)) < 0) return (NULL);
+ 
+ #ifdef HAVE_LDAP
+     if (abook_usesldap(id, name)) {
+@@ -348,7 +351,7 @@
+     }
+ #endif
+ 
+-    if (abook_dbname(dbname, name) < 0) return (AB_FAIL);
++    if (abook_dbname(dbname, name, sizeof(dbname)) < 0) return (AB_FAIL);
+ 
+     /* start match */
+     if (!fcount) {
+@@ -481,7 +484,8 @@
+     int ownerlen, result = 0;
+ 
+     /* find abook, and make sure it doesn't exist */
+-    if ((ownerlen = abook_dbname(dbname, name)) < 0) return (AB_FAIL);
++    if ((ownerlen = abook_dbname(dbname, name, sizeof(dbname))) < 0)
++	return (AB_FAIL);
+     if (sdb_check(dbname) == 0) return (AB_EXIST);
+ 
+ #if 0
+@@ -562,7 +566,7 @@
+     char *sep, *value;
+ 
+     /* find abook, and make sure it exists */
+-    if ((ownerlen = abook_dbname(dbname, name)) < 0) {
++    if ((ownerlen = abook_dbname(dbname, name, sizeof(dbname))) < 0) {
+ 	return (AB_FAIL);
+     }
+     if (ownerlen == strlen(name) && auth_level(id) != AUTH_ADMIN) {
+@@ -630,8 +634,8 @@
+ 
+     /* make sure names are valid */
+     if (!strcasecmp(name, newname) ||
+-	(osrclen = abook_dbname(dbsrc, name)) < 0 ||
+-	(odstlen = abook_dbname(dbdst, newname)) < 0) {
++	(osrclen = abook_dbname(dbsrc, name, sizeof(dbsrc))) < 0 ||
++	(odstlen = abook_dbname(dbdst, newname, sizeof(dbdst))) < 0) {
+ 	return (AB_FAIL);
+     }
+     if (sdb_check(dbsrc) < 0) return (AB_NOEXIST);
+@@ -734,7 +738,8 @@
+     int i, result, ownerlen, maxfieldlen, len;
+     long delta;
+ 
+-    if ((ownerlen = abook_dbname(dbname, name)) < 0) return (AB_FAIL);
++    if ((ownerlen = abook_dbname(dbname, name, sizeof(dbname))) < 0)
++	return (AB_FAIL);
+     sprintf(uname, "%.*s", ownerlen, name);
+ 
+     /* check for invalid characters in alias or field */
+@@ -844,7 +849,8 @@
+ 	return (AB_PERM);
+     }
+ 
+-    if ((ownerlen = abook_dbname(dbname, name)) < 0) return (AB_FAIL);
++    if ((ownerlen = abook_dbname(dbname, name, sizeof(dbname))) < 0)
++	return (AB_FAIL);
+ 
+     /* check for invalid characters in alias */
+     for (scan = alias; *scan && *scan != '*' && *scan != '%'; ++scan);
+@@ -910,7 +916,8 @@
+     }
+ 
+     /* make sure db exists */
+-    if ((ownerlen = abook_dbname(dbname, name)) < 0) return (AB_FAIL);
++    if ((ownerlen = abook_dbname(dbname, name, sizeof(dbname))) < 0)
++	return (AB_FAIL);
+     if (sdb_check(dbname) < 0) return (AB_NOEXIST);
+ 
+     /* lock acl db */
+@@ -977,7 +984,7 @@
+     char *acl;
+     
+     /* look up the database */
+-    if (abook_dbname(dbname, name) < 0) return (NULL);
++    if (abook_dbname(dbname, name, sizeof(dbname)) < 0) return (NULL);
+ 
+     /* make sure db exists */
+     if (sdb_check(dbname) < 0) return (NULL);