Fix parsing of IPv6 address possibly result in privilege escalation.

2006-03-06 22:49:16 +00:00 · 2006-03-06 22:49:16 +00:00 · 0e07b73183
commit 0e07b73183
parent a0237ff647
4 changed files with 42 additions and 3 deletions
--- a/mail/exim3/Makefile
+++ b/mail/exim3/Makefile
@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.30 2006/02/13 23:20:32 joerg Exp $
+# $NetBSD: Makefile,v 1.31 2006/03/06 22:49:16 joerg Exp $

 DISTNAME=	exim-3.36
-PKGREVISION=	6
+PKGREVISION=	7
 CATEGORIES=	mail net
 MASTER_SITES=	ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim3/ \
 		http://public.planetmirror.com.au/pub/exim/exim3/
--- a/mail/exim3/distinfo
+++ b/mail/exim3/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2006/02/13 23:20:32 joerg Exp $
+$NetBSD: distinfo,v 1.9 2006/03/06 22:49:16 joerg Exp $

 SHA1 (exim-3.36.tar.bz2) = 2a06a2858ebf8cdedf2e41fa3f258b5e468e270d
 RMD160 (exim-3.36.tar.bz2) = 2654601eaf54fc15c1ebeabfee53c828f2fd22dd
@ -17,3 +17,5 @@ SHA1 (patch-ak) = 59ec9e8726c00237d631349cf963b2a5112d75d6
 SHA1 (patch-al) = dd1263e5d8dd18c6ea1bfbe79cee74d3bc76f4c4
 SHA1 (patch-am) = 26f66062bb133340ed2b336008673a78bd017e9e
 SHA1 (patch-an) = 7d40d720613b88772bb69993ffbfc754c9310acb
+SHA1 (patch-ao) = b96e99cf56f205a7273759a2f090c1eed188cc36
+SHA1 (patch-ap) = bba7a0412976e7c022a48ed47207e9d9b42f073f
--- a/mail/exim3/patches/patch-ao
+++ b/mail/exim3/patches/patch-ao
@ -0,0 +1,13 @@
+$NetBSD: patch-ao,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/lookups/dnsdb.c.orig	2006-02-14 16:38:38.000000000 +0100
+++ src/lookups/dnsdb.c
+@@ -116,7 +116,7 @@ if (equals != NULL)
+ /* If the type is PTR, we have to construct the relevant magic lookup
+ key. */
+ 
+-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
+   {
+   char *p = keystring + (int)strlen(keystring);
+   char *pp = buffer;
--- a/mail/exim3/patches/patch-ap
+++ b/mail/exim3/patches/patch-ap
@ -0,0 +1,24 @@
+$NetBSD: patch-ap,v 1.1 2006/03/06 22:49:16 joerg Exp $
+
+--- src/host.c.orig	2006-02-14 16:41:01.000000000 +0100
+++ src/host.c
+@@ -620,12 +620,18 @@ if (strchr(address, ':') != NULL)
+ 
+   if (*p == ':') p++;
+ 
+-  /* Split the address into components separated by colons. */
+  /* Split the address into components separated by colons. The input address
+  is supposed to be checked for syntax. There was a case where this was
+  overlooked; to guard against that happening again, check here and crash if
+  there is a violation. */
+ 
+   while (*p != 0)
+     {
+     int len = strcspn(p, ":");
+     if (len == 0) nulloffset = ci;
+    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+      address);
+     component[ci++] = p;
+     p += len;
+     if (*p == ':') p++;