Bug 74318

Summary: version update and security patch to mail/up-imapproxy port
Product: Ports & Packages Reporter: Guy Antony Halse <guy>
Component: Individual Port(s)Assignee: Martin Blapp <mbr>
Status: Closed FIXED    
Severity: Affects Only Me CC: guy
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Guy Antony Halse 2004-11-24 14:50:31 UTC
The current version of the mail/up-imapproxy port is out-of-date.  It also
contains a security vulnerability that allows a remote users to crash the
daemon, resulting in a denial of service.  This vulnerability is detailed in
several places, including
http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt,
http://www.securityfocus.com/bid/11630,
http://www.securiteam.com/unixfocus/6V00E20BPM.html, etc.

While there is no patch for the vulnerability available from the original
site (http://www.imapproxy.org/), PacketStorm have made one available at
http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt.  The
diff in the Fix: section includes this patch with the paths reworked to
apply cleanly.

The Fix: diff also increments the version number to install the latest
available stable version.

How-To-Repeat: 
Nessus's IMAP buffer overrun test (ID #10125) will crash the in.imapproxyd
daemon as will anything that performs the same sort of test.
Comment 1 Guy Antony Halse 2004-11-24 15:15:28 UTC
I forgot to remove joe's ~ file.  Herewith the same diff, but without
Makefile~

- Guy

-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse@ru.ac.za   Web: http://mombe.org/  IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                                   J.A.P.H



diff -ruN up-imapproxy.old/Makefile up-imapproxy/Makefile
--- up-imapproxy.old/Makefile	Fri Jun  4 19:29:25 2004
+++ up-imapproxy/Makefile	Wed Nov 24 16:18:04 2004
@@ -6,11 +6,10 @@
 #
 
 PORTNAME=	up-imapproxy
-PORTVERSION=	1.2.1
+PORTVERSION=	1.2.2
 CATEGORIES=	mail
 MASTER_SITES=	http://www.imapproxy.org/downloads/
 DISTNAME=	${PORTNAME}-${PORTVERSION}
-EXTRACT_SUFX=	.tar.gz
 
 MAINTAINER=	mbr@FreeBSD.org
 COMMENT=	A caching IMAP proxy server
diff -ruN up-imapproxy.old/distinfo up-imapproxy/distinfo
--- up-imapproxy.old/distinfo	Wed May 12 14:47:18 2004
+++ up-imapproxy/distinfo	Wed Nov 24 16:00:07 2004
@@ -1,2 +1,2 @@
-MD5 (up-imapproxy-1.2.1.tar.gz) = debd3edeb7441b9f713aaa9e9d7f2329
-SIZE (up-imapproxy-1.2.1.tar.gz) = 111393
+MD5 (up-imapproxy-1.2.2.tar.gz) = cad615ad5825bfa565e0bf1ae1de2331
+SIZE (up-imapproxy-1.2.2.tar.gz) = 116868
diff -ruN up-imapproxy.old/files/patch-packetsecurity up-imapproxy/files/patch-packetsecurity
--- up-imapproxy.old/files/patch-packetsecurity	Thu Jan  1 02:00:00 1970
+++ up-imapproxy/files/patch-packetsecurity	Wed Nov 24 16:04:44 2004
@@ -0,0 +1,282 @@
+From http://www.packetstormsecurity.org/0411-advisories/up-imapproxy.txt
+
+diff -ru up-imapproxy-1.2.2/include/imapproxy.h up-imapproxy-1.2.2-fixed/include/imapproxy.h
+--- include/imapproxy.h	2004-07-23 16:17:24.000000000 +0300
++++ include/imapproxy.h.orig	2004-11-07 18:51:00.000000000 +0200
+@@ -206,7 +206,7 @@
+     char ReadBuf[ BUFSIZE ];         /* Read Buffer                          */
+     unsigned int BytesInReadBuffer;  /* bytes left in read buffer            */
+     unsigned int ReadBytesProcessed; /* bytes already processed in read buf  */
+-    long LiteralBytesRemaining;      /* num of bytes left to read as literal */
++    unsigned long LiteralBytesRemaining;/* num of bytes left to read as literal */
+     unsigned char NonSyncLiteral;    /* rfc2088 alert flag                   */
+     unsigned char MoreData;          /* flag to tell caller "more data"      */
+     unsigned char TraceOn;           /* trace this transaction?              */
+@@ -304,7 +304,7 @@
+  */
+ extern int IMAP_Write( ICD_Struct *, const void *, int );
+ extern int IMAP_Read( ICD_Struct *, void *, int );
+-extern int IMAP_Line_Read( ITD_Struct * );
++extern int IMAP_Line_Read( ITD_Struct *, int );
+ extern int IMAP_Literal_Read( ITD_Struct * );
+ extern void HandleRequest( int );
+ extern char *memtok( char *, char *, char ** );
+diff -ru up-imapproxy-1.2.2/src/imapcommon.c up-imapproxy-1.2.2-fixed/src/imapcommon.c
+--- src/imapcommon.c	2004-07-23 16:17:25.000000000 +0300
++++ src/imapcommon.c.orig	2004-11-07 18:54:05.000000000 +0200
+@@ -428,7 +428,7 @@
+     
+     /* Read & throw away the banner line from the server */
+     
+-    if ( IMAP_Line_Read( &Server ) == -1 )
++    if ( IMAP_Line_Read( &Server, 0 ) == -1 )
+     {
+ 	syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: No banner line received from IMAP server", Username, ClientAddr, sin_port );
+ 	goto fail;
+@@ -451,7 +451,7 @@
+ 	/*
+ 	 * Read the server response
+ 	 */
+-	if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++	if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ 	{
+ 	    syslog(LOG_INFO, "STARTTLS failed: No response from IMAP server after sending STARTTLS command" );
+ 	    goto fail;
+@@ -555,7 +555,7 @@
+ 	/*
+ 	 * the server response should be a go ahead
+ 	 */
+-	if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++	if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ 	{
+ 	    syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: Failed to receive go-ahead from IMAP server after sending LOGIN command", Username, ClientAddr, sin_port );
+ 	    goto fail;
+@@ -611,7 +611,7 @@
+      */
+     for ( ;; )
+     {
+-	if ( ( rc = IMAP_Line_Read( &Server ) ) == -1 )
++	if ( ( rc = IMAP_Line_Read( &Server, 0 ) ) == -1 )
+ 	{
+ 	    syslog(LOG_INFO, "LOGIN: '%s' (%s:%d) failed: No response from IMAP server after sending LOGIN command", Username, ClientAddr, sin_port );
+ 	    goto fail;
+@@ -951,7 +951,8 @@
+ extern int IMAP_Literal_Read( ITD_Struct *ITD )
+ {
+     char *fn = "IMAP_Literal_Read()";
+-    int Status, i, j;
++    int Status;
++    unsigned int i, j;
+     struct pollfd fds[2];
+     nfds_t nfds;
+     int pollstatus;
+@@ -1080,10 +1081,11 @@
+  *              process.
+  *--
+  */
+-extern int IMAP_Line_Read( ITD_Struct *ITD )
++extern int IMAP_Line_Read( ITD_Struct *ITD, int useLiterals )
+ {
+     char *CP;
+-    int Status, i, j;
++    int Status;
++    unsigned int i, j;
+     char *fn = "IMAP_Line_Read()";
+     char *EndOfBuffer;
+ 
+@@ -1152,7 +1154,8 @@
+ 		     * string literal is coming next.  How do we know?
+ 		     * If it is, the line will end with {bytecount}.
+ 		     */
+-		    if ( ((CP - ITD->ReadBuf + 1) > 2 ) && ( *(CP - 2) == '}' ))
++		    if ( ((CP - ITD->ReadBuf + 1) > 2 ) && ( *(CP - 2) == '}' )
++			&& useLiterals)
+ 		    {
+ 			char *LiteralEnd;
+ 			char *LiteralStart;
+diff -ru up-imapproxy-1.2.2/src/main.c up-imapproxy-1.2.2-fixed/src/main.c
+--- src/main.c	2004-07-23 16:17:25.000000000 +0300
++++ src/main.c.orig	2004-11-07 18:52:41.000000000 +0200
+@@ -931,7 +931,7 @@
+      * The first thing we get back from the server should be the
+      * banner string.
+      */
+-    BytesRead = IMAP_Line_Read( &itd );
++    BytesRead = IMAP_Line_Read( &itd, 0 );
+     if ( BytesRead == -1 )
+     {
+ 	syslog( LOG_ERR, "%s: Error reading banner line from server on initial connection: %s -- Exiting.", fn, strerror( errno ) );
+@@ -973,7 +973,7 @@
+      * The second will be the OK response with the tag in it.
+      */
+ 
+-    BytesRead = IMAP_Line_Read( &itd );
++    BytesRead = IMAP_Line_Read( &itd, 0 );
+     if ( BytesRead == -1 )
+     {
+ 	syslog( LOG_ERR, "%s: Failed to read capability response from server: %s --  exiting.", fn, strerror( errno ) );
+@@ -986,7 +986,7 @@
+     
+ 
+     /* Now read the tagged response and make sure it's OK */
+-    BytesRead = IMAP_Line_Read( &itd );
++    BytesRead = IMAP_Line_Read( &itd, 0 );
+     if ( BytesRead == -1 )
+     {
+ 	syslog( LOG_ERR, "%s: Failed to read capability response from server: %s -- exiting.", fn, strerror( errno ) );
+@@ -1011,7 +1011,7 @@
+     }
+     
+     /* read the final OK logout */
+-    BytesRead = IMAP_Line_Read( &itd );
++    BytesRead = IMAP_Line_Read( &itd, 0 );
+     if ( BytesRead == -1 )
+     {
+ 	syslog(LOG_WARNING, "%s: IMAP_Line_Read() failed on LOGOUT -- Ignoring", fn );
+diff -ru up-imapproxy-1.2.2/src/request.c up-imapproxy-1.2.2-fixed/src/request.c
+--- src/request.c	2004-07-23 16:17:26.000000000 +0300
++++ src/request.c.orig	2004-11-07 19:05:09.000000000 +0200
+@@ -433,6 +433,7 @@
+     }
+     
+     strncpy( TraceUser, Username, sizeof TraceUser - 1 );
++    TraceUser[sizeof TraceUser - 1] = '\0';
+     
+     snprintf( SendBuf, BufLen, "%s OK Tracing enabled\r\n", Tag );
+     if ( IMAP_Write( itd->conn, SendBuf, strlen(SendBuf) ) == -1 )
+@@ -611,7 +612,7 @@
+      * The response from the client should be a base64 encoded version of the
+      * username.
+      */
+-    BytesRead = IMAP_Line_Read( Client );
++    BytesRead = IMAP_Line_Read( Client, 0 );
+     
+     if ( BytesRead == -1 )
+     {
+@@ -654,7 +655,7 @@
+         return( -1 );
+     }
+ 
+-    BytesRead = IMAP_Line_Read( Client );
++    BytesRead = IMAP_Line_Read( Client, 0 );
+     
+     if ( BytesRead == -1 )
+     {
+@@ -1097,7 +1098,7 @@
+ 	{
+ 	    do 
+ 	    {
+-		status = IMAP_Line_Read( Client );
++		status = IMAP_Line_Read( Client, 1 );
+ 		
+ 		if ( status == -1 )
+ 		{
+@@ -1152,7 +1153,7 @@
+ 				if ( Server->LiteralBytesRemaining )
+ 				    break;
+ 				
+-				status = IMAP_Line_Read( Server );
++				status = IMAP_Line_Read( Server, 1 );
+ 				
+ 				/*
+ 				 * If there's an error reading from the server,
+@@ -1266,7 +1267,7 @@
+ 	    if ( ! Client->NonSyncLiteral )
+ 	    {
+ 		/* we have to wait for a go-ahead */
+-		status = IMAP_Line_Read( Server );
++		status = IMAP_Line_Read( Server, 0 );
+ 		if ( Server->TraceOn )
+ 		{
+ 		    snprintf( TraceBuf, sizeof TraceBuf - 1, "\n\n-----> C= %d %s SERVER: sd [%d]\n", time( 0 ), ( (TraceUser) ? TraceUser : "Null username" ), Server->conn->sd );
+@@ -1473,7 +1474,19 @@
+ 	
+ 	PollFailCount = 0;
+ 
+-	BytesRead = IMAP_Line_Read( &Client );
++        while ( Client.LiteralBytesRemaining )
++        {
++            BytesRead = IMAP_Literal_Read( &Client );
++
++            if ( BytesRead == -1 )
++            {
++                IMAPCount->CurrentClientConnections--;
++                close( Client.conn->sd );
++                return;
++            }
++        }
++
++	BytesRead = IMAP_Line_Read( &Client, 1 );
+ 	
+ 	if ( BytesRead == -1 )
+ 	{
+@@ -1530,6 +1543,7 @@
+ 	 * appropriate...
+ 	 */
+ 	strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++	S_Tag[MAXTAGLEN - 1] = '\0';
+ 	if ( ! strcasecmp( (const char *)Command, "NOOP" ) )
+ 	{
+ 	    cmd_noop( &Client, S_Tag );
+@@ -1569,6 +1583,7 @@
+ 		    if ( Tag )
+ 		    {
+ 			strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++			S_Tag[MAXTAGLEN - 1] = '\0';
+ 			cmd_logout( &Client, S_Tag );
+ 		    }
+ 		}
+@@ -1641,7 +1656,8 @@
+ 		}
+ 		continue;
+ 	    }
+-	    strncpy( S_UserName, Username, sizeof S_UserName - 1 );	    
++	    strncpy( S_UserName, Username, sizeof S_UserName - 1 );
++	    S_UserName[sizeof S_UserName - 1] = '\0';
+ 	    
+ 	    /*
+ 	     * Clients can send the password as a literal bytestream.  Check
+@@ -1720,7 +1736,7 @@
+ 		 * IMAP_Literal_Read() right now since it works properly
+ 		 * otherwise.
+ 		 */
+-		rc = IMAP_Line_Read( &Client );
++		rc = IMAP_Line_Read( &Client, 1 );
+ 	    }
+ 	    else
+ 	    {
+@@ -1748,6 +1764,7 @@
+ 		
+ 		*CP = '\0';
+ 		strncpy( S_Password, Lasts, sizeof S_Password - 1 );
++		S_Password[sizeof S_Password - 1] = '\0';
+ 	    }
+ 	    
+ 
+@@ -1779,6 +1796,7 @@
+ 		if ( Tag )
+ 		{
+ 		    strncpy( S_Tag, Tag, MAXTAGLEN - 1 );
++		    S_Tag[MAXTAGLEN - 1] = '\0';
+ 		    cmd_logout( &Client, S_Tag );
+ 		}
+ 	    }
+diff -ru up-imapproxy-1.2.2/src/select.c up-imapproxy-1.2.2-fixed/src/select.c
+--- src/select.c	2004-07-23 16:17:25.000000000 +0300
++++ src/select.c.orig	2004-11-07 18:56:01.000000000 +0200
+@@ -356,7 +356,7 @@
+ 	    return( -1 );
+ 	}
+ 	
+-	rc = IMAP_Line_Read( Server );
++	rc = IMAP_Line_Read( Server, 0 );
+ 	
+ 	if ( ( rc == -1 ) || ( rc == 0 ) )
+ 	{
+@@ -417,6 +417,7 @@
+     ISC->ISCTime = time( 0 );
+ 
+     strncpy( (char *)ISC->MailboxName, (const char *)MailboxName, MAXMAILBOXNAME - 1 );
++    ISC->MailboxName[MAXMAILBOXNAME - 1] = '\0';
+ 
+     return( 0 );
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2004-11-25 16:51:39 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mbr

Over to maintainer.
Comment 3 Martin Blapp freebsd_committer freebsd_triage 2005-02-27 13:36:43 UTC
State Changed
From-To: open->closed

A fix for this has been committed some time ago. The 
now committed version 1.2.3 contains the fixes too.