2008-10-20 Dave McMurtrie <davemcmurtrie@gmail.com> * request.c: Fixed buffer overflow condition when doing AUTH LOGIN. Applied patch by Michael M. Slusarz to make internal commands RFC compliant (prepend with X instead of P_). Added support for XPROXYREUSE response. *up-imapproxy-1.2.7_rc2 (01 Jun 2009) 01 Jun 2009; Samuli Suominen <ssuominen@gentoo.org> +up-imapproxy-1.2.7_rc2.ebuild: Version bump wrt #177780, thanks to Janne Pikkarainen for reporting.
Stabilizing this in its current form is a bad idea. There were TWO buffer overflows reported, but rc2 only fixes one. During compilation: src/request.c: In function 'HandleRequest': src/request.c:1943: warning: too few arguments for format In function 'snprintf', inlined from 'cmd_authenticate_login' at src/request.c:781: /usr/include/bits/stdio2.h:65: warning: call to __builtin___snprintf_chk will always overflow destination buffer ..and as expected it immediately crashes on startup (during the login phase). Therefore the "second half" of the patch from bug#177780 also needs to be applied. I intentionally didn't update the build for 1.2.7 since I wanted to wait for the final version. There were also reports on the mailing list that apparently 1.2.7 has a few other problems, so I'd vote for stabilizing 1.2.6+patch instead. It has the security fixes courtesy of RedHat and has been working fine "in production" for months without a single problem.
Give me a minute or two.
OK, I've dropped keyword from the 1.2.7_rc2 and added 1.2.6 with some Debian patchset and the security fix. Please test and mark stable 1.2.6 instead.
Verified that 1.2.6 works. Thank you :)
Arches, please test and mark stable: =net-mail/up-imapproxy-1.2.6 Target keywords : "amd64 x86"
x86 stable
amd64 stable, all arches done.
Vulnerable version removed from tree.
Security, this solves also the https://bugzilla.redhat.com/show_bug.cgi?id=465859 Not only the one mentioned in URL..
any news on this one? been ready for glsa over an year now :)
GLSA request filed.
This issue has been fixed since Jun 03, 2009. No GLSA will be issued.