117796 – [security update] mail/perdition to 1.17.1

no flags

Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.

Vulnerable versions: Perdition <= 1.17

Fix: Update to 1.17.1

This files are diffs are from the perdition src code and should go to ports/mail/perdition/files. This are NOT diffs agains old perdition/files/*




Please delete this patches in /files:
patch-perdition::db::daemon::Makefile.in (not necessary anymore)
patch-perdition::Makefile.in (replaced by new patch-perdition-Makefile.in)
patch-perdition-db-ldap-perditiondb_ldap (not necessary anymore)--c6cW2K3Xvt9vXKboA71Im2CD0lYsbGPGoGVw3MCXA25Ucb4l
Content-Type: text/plain; name="file.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="file.diff"

diff -ruN  perdition.orig/Makefile perdition/Makefile

--- perdition.orig/Makefile	2007-08-10 15:49:44.000000000 +0200
+++ perdition/Makefile	2007-11-02 23:11:43.000000000 +0100
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	perdition
-PORTVERSION=	1.17
+PORTVERSION=	1.17.1
 CATEGORIES=	mail net security
 MASTER_SITES=	http://www.vergenet.net/linux/perdition/download/${PORTVERSION}/
 
@@ -31,7 +31,7 @@
 MAKE_ENV+=	DOCSDIR=${DOCSDIR}
 CONFIGURE_ARGS+=	--disable-daemon-map
 
-INSTALLS_SHLIB=	yes
+USE_LDCONFIG=	yes
 
 ##
 ## Available knobs:
@@ -122,7 +122,9 @@
 
 .if defined(WITH_OPENLDAP)
 USE_OPENLDAP=		YES
-CONFIGURE_ARGS+=	--enable-ldap --with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/
+CONFIGURE_ARGS+=	--enable-ldap \
+			--with-ldap-schema-directory=${LOCALBASE}/etc/openldap/schema/ \
+			--disable-ldap-doc
 PLIST_SUB+=		OPENLDAP=""
 MAN8+=			perditiondb_ldap_makedb.8
 .else
How-To-Repeat: Example: perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143 
if you got NO error message you are vulnerable.

More information: http://www.sec-consult.com/300.html