Fix parsing of IPv6 address possibly result in privilege escalation.

This commit is contained in:
joerg 2006-03-06 22:49:16 +00:00
parent a0237ff647
commit 0e07b73183
4 changed files with 42 additions and 3 deletions

View file

@ -1,7 +1,7 @@
# $NetBSD: Makefile,v 1.30 2006/02/13 23:20:32 joerg Exp $
# $NetBSD: Makefile,v 1.31 2006/03/06 22:49:16 joerg Exp $
DISTNAME= exim-3.36
PKGREVISION= 6
PKGREVISION= 7
CATEGORIES= mail net
MASTER_SITES= ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim3/ \
http://public.planetmirror.com.au/pub/exim/exim3/

View file

@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.8 2006/02/13 23:20:32 joerg Exp $
$NetBSD: distinfo,v 1.9 2006/03/06 22:49:16 joerg Exp $
SHA1 (exim-3.36.tar.bz2) = 2a06a2858ebf8cdedf2e41fa3f258b5e468e270d
RMD160 (exim-3.36.tar.bz2) = 2654601eaf54fc15c1ebeabfee53c828f2fd22dd
@ -17,3 +17,5 @@ SHA1 (patch-ak) = 59ec9e8726c00237d631349cf963b2a5112d75d6
SHA1 (patch-al) = dd1263e5d8dd18c6ea1bfbe79cee74d3bc76f4c4
SHA1 (patch-am) = 26f66062bb133340ed2b336008673a78bd017e9e
SHA1 (patch-an) = 7d40d720613b88772bb69993ffbfc754c9310acb
SHA1 (patch-ao) = b96e99cf56f205a7273759a2f090c1eed188cc36
SHA1 (patch-ap) = bba7a0412976e7c022a48ed47207e9d9b42f073f

View file

@ -0,0 +1,13 @@
$NetBSD: patch-ao,v 1.1 2006/03/06 22:49:16 joerg Exp $
--- src/lookups/dnsdb.c.orig 2006-02-14 16:38:38.000000000 +0100
+++ src/lookups/dnsdb.c
@@ -116,7 +116,7 @@ if (equals != NULL)
/* If the type is PTR, we have to construct the relevant magic lookup
key. */
-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
{
char *p = keystring + (int)strlen(keystring);
char *pp = buffer;

View file

@ -0,0 +1,24 @@
$NetBSD: patch-ap,v 1.1 2006/03/06 22:49:16 joerg Exp $
--- src/host.c.orig 2006-02-14 16:41:01.000000000 +0100
+++ src/host.c
@@ -620,12 +620,18 @@ if (strchr(address, ':') != NULL)
if (*p == ':') p++;
- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ is supposed to be checked for syntax. There was a case where this was
+ overlooked; to guard against that happening again, check here and crash if
+ there is a violation. */
while (*p != 0)
{
int len = strcspn(p, ":");
if (len == 0) nulloffset = ci;
+ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+ address);
component[ci++] = p;
p += len;
if (*p == ':') p++;