Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
From: Christian Weinberger <christian DOT weinberger AT directbox DOT com>
Subject:  Re: Security advisory: uw-imap - 3 attachments
Date: Fri, 14 Oct 2005 06:26:34 +0000 (UTC)
Lines: 137
Message-ID:  <Xns96EF55EBBA2D1christianweinberger@80.91.229.5>
User-Agent: Xnews/5.04.25
X-IsSubscribed: yes

> uw-imap (whose maintainer, AFAICS, has yet to respond to reply to 
> Corinna's message) is vulnerable to remote overflow of a buffer in the
> IMAP server leading to execution of arbitrary code.
> 
> The only solution is to upgrade to 2004g (current Cygwin release is
> 2002e!). 

I built 2004g and it nearly builds ootb.

The only patch necessary is for CRAM-MD5 auth. This patch is well known
and has been used for the 2002e version also. All other patches that
have been necessary for 2002e have already been integrated in the 2004g
release. 

I could not post to the cygwin applications list via gmane, so I reply
to the main list. Apologies if this not the way it should be done. 

I´d be glad to assist the maintainer in building a 2004g package for
cygwin. 

I´m facing two minor issues:
- the first is described here in detail:
  http://www.cygwin.com/ml/cygwin/2004-11/msg01137.html
  it has always been there for me (even with the 2002e package), so I
  don´t think it is a new problem
- second, when I use dmail from .procmailrc, it causes a stackdump
  at the end of the delivery process. But all logs are written fine and
  all mail gets delivered, so it is more a cosmetic thing (IMHO)

Attached you find 3 patches:
1) imap-2004c1.cram-md5-auth.patch
It is necessary for cram-md5 to work.

2) imap-2004c1.mbx-by-default.patch (optional)
Local mailboxes are created in MBX format by default, which allows
simultanous rw access by multiple sessions. New mail has to be spooled
to a mbox format mailbox in /var/spool/mail/<user>, but is transfered to
~/Mail/INBOX by UW-IMAP immediately. 

3) imap-2004c1.mailsubdir-Mail.patch (optional)
Mail is stored in the users ~/Mail folder. 

The last two patches make uw-imap behave more compliant to modern UNIX
standards and more capable. These are not real patches, but
configuration options for uw-imap. If you migrate from an older version
of uw-imap that has been configured differently, you have to move the
mailbox files to the new folder localtions. 



Regards,
Christian


begin 644 imap-2004c1.mbx-by-default.patch
M9&EF9B`M875R(&EM87`M,C`P-&,Q+G9A;FEL;&$O<W)C+V]S9&5P+W5N:7 AT O
M36%K969I;&4@:6UA<"TR,#`T8S$O<W)C+V]S9&5P+W5N:7 AT O36%K969I;&4-
M"BTM+2!I;6%P+3(P,#1C,2YV86YI;&QA+W-R8R]O<V1E<"]U;FEX+TUA:V5F
M:6QE"3(P,#0M,3$M,#4@,C,Z,S(Z,C8N,#`P,#`P,#`P("LP,3`P#0HK*RL@
M:6UA<"TR,#`T8S$O<W)C+V]S9&5P+W5N:7 AT O36%K969I;&4),C`P-2TP,RTQ
M,"`Q,#HU.3HP."XP,#`P,#`P,#`@*S`Q,#`-"D!`("TW,BPQ,2`K-S(L,3$@
M0$`-"B!324=465!%/6)S9`T*($-26%194$4]<W1D#0H AT 04-4259%1DE,13TO
M=7-R+VQI8B]N97=S+V%C=&EV90T*+5-03T],1$E2/2]U<W(O<W!O;VP-"BM3
M4$]/3$1)4CTO=F%R+W-P;V]L#0H AT 34%)3%-03T],/20H4U!/3TQ$25(I+VUA
M:6P-"B!.15=34U!/3TP])"A34$]/3$1)4BDO;F5W<PT*(%)32%!!5$@]+W5S
M<B]U8V(O<G-H#0HM3$]#2U!'33TO971C+VUL;V-K#0HK3$]#2U!'33TO=7-R
M+V)I;B]M;&]C:PT*(`T*(`T*(",@1&5F875L="!F;W)M871S(&9O<B!C<F5A
M=&EN9R!N97<@;6%I;&)O>&5S(&%N9"!F;W(@96UP='D@;6%I;&)O>&5S(&EN
M('1H90T*0$`@+3DR+#<@*SDR+#<@0$`-"B`C('-E="!C97)T86EN(&]T:&5R
M(&9O<FUA=',@*&4N9RX@;6)X(&%N9"!M>"D AT 87,@=&AE($5-4%194%)/5$\@
M<VEN8V4@=&AE<V4-"B`C(&9O<FUA=',@8V%N(&YE=F5R(&)E(&5M<'1Y(&9I
M;&5S+@T*(`T*+4-214%415!23U1//75N:7AP<F]T;PT**T-214%415!23U1/
M/6UB>'!R;W1O#0H AT 14U05%E04D]43SUU;FEX<')O=&\-"B`-"B`-"D!`("TR
M-#<L-R`K,C0W+#<@0$`-"B`))"A"54E,1"D AT 8"0H0T%4*2!34$5#24%,4V`@
M3U,])$`@7`T*(`E$149!54Q41%))5D524STB:6UA<"!N;G1P('!O<#,@;6)X
M('5N:7@@<&AI;&4B(%P-"B`)4TE'5%E013UP<W@@0TA%0TM05SUC>6<@3$]'
M24Y05SUC>6<@0U)85%E013US=&0 AT 7`T*+0E34$]/3$1)4CTO=F%R(%P-"BL)
M4U!/3TQ$25(]+W9A<B]S<&]O;"!<#0H@"4%#5$E6149)3$4]+W5S<B]L;V-A
M;"]N97=S+VQI8B]A8W1I=F4 AT 7`T*(`E24TA0051(/2]U<W(O8FEN+W)S:"!<
:#0H@"4)!4T5#1DQ!1U,](BUG("U/(B!<#0H!
`
end


begin 644 imap-2004c1.cram-md5-auth.patch
M9&EF9B`M875R(&EM87`M,C`P-&,Q+G9A;FEL;&$O<W)C+V]S9&5P+W5N:7 AT O
M;&]G7V-Y9RYC(&EM87`M,C`P-&,Q+W-R8R]O<V1E<"]U;FEX+VQO9U]C>6<N
M8PHM+2T@:6UA<"TR,#`T8S$N=F%N:6QL82]S<F,O;W-D97`O=6YI>"]L;V=?
M8WEG+F,),C`P,RTP-"TR-B`P,CHS-SHU,RXP,#`P,#`P,#`@*S`R,#`**RLK
M(&EM87`M,C`P-&,Q+W-R8R]O<V1E<"]U;FEX+VQO9U]C>6<N8PDR,#`U+3`S
M+3$P(#$P.C4T.C$S+C`P,#`P,#`P,"`K,#$P,`I`0"`M,C AT L,3$@*S(X+#(Q
M($!`"B!L;VYG(&QO9VEN<'<@*'-T<G5C="!P87-S=V0@*G!W+&EN="!A<F=C
M+&-H87(@*F%R9W9;72D*('L*("`@=6ED7W0@=6ED(#T@<'<M/G!W7W5I9#L*
M+0D)"0DO*B!M=7-T(&)E('-A;64@=7-E<B!N86UE(&%S(&QA<W0 AT 8VAE8VMP
M=R AT I("HO"BT@(&EF("@A*&-Y9U]U<V5R("8F("%S=')C;7`@*'!W+3YP=U]N
M86UE+&-Y9U]U<V5R*2DI(')E='5R;B!.24P["BT)"0D)+RH AT 9&\@=&AE($EM
M<&5R<V]N871E3&]G9V5D3VY5<V5R*"D@*B\*+2`@8WEG=VEN7W-E=%]I;7!E
M<G-O;F%T:6]N7W1O:V5N("AC>6=?:&1L*3L**PHK("`O*B!T:&4 AT 0U)!32U-
M1#4 AT 8V]D92!F;&]W(&1O97-N)W0 AT 8V%L;"!C:&5C:W!W*"D@*B\**R`@:68@
M*&%U=&A?;60U+G-E<G9E<BD**R`@>PHK("`@(&EF("AC>6=?=7-E<BD AT 9G-?
M9VEV92`H*'9O:60@*BHI("9C>6=?=7-E<BD["BL@("`@8WEG7W5S97(@/2!C
M<'ES='(H<'<M/G!W7VYA;64I.PHK("!]"BL@(&5L<V4**R`@>PHK("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`O*B!M=7-T(&)E('-A;64@=7-E
M<B!N86UE(&%S(&QA<W0 AT 8VAE8VMP=R AT I("HO"BL@("`@:68@*"$H8WEG7W5S
M97(@)B8@(7-T<F-M<"`H<'<M/G!W7VYA;64L8WEG7W5S97(I*2D@<F5T=7)N
M($Y)3#L**R`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@+RH AT 9&\@
M=&AE($EM<&5R<V]N871E3&]G9V5D3VY5<V5R*"D@*B\**R`@("!C>6=W:6Y?
M<V5T7VEM<&5R<V]N871I;VY?=&]K96X@*&-Y9U]H9&PI.PHK("!]"B`*("`@
M<F5T=7)N("$H<V5T9VED("AP=RT^<'=?9VED*2!\?"!I;FET9W)O=7!S("AC
M>6=?=7-E<BQP=RT^<'=?9VED*2!\?`HM"2`@('-E='5I9"`H=6ED*2D["BL@
M("`@("`@("`@('-E='5I9"`H=6ED*2D["B!]"D]N;'D@:6X@:6UA<"TR,#`T
*8S$Z('1M86EL"@``
`
end


begin 644 imap-2004c1.mailsubdir-Mail.patch
M9&EF9B`M875R(&EM87`M,C`P-&,Q+G9A;FEL;&$O<W)C+V]S9&5P+W5N:7 AT O
M96YV7W5N:7 AT N8R!I;6%P+3(P,#1C,2]S<F,O;W-D97`O=6YI>"]E;G9?=6YI
M>"YC#0HM+2T@:6UA<"TR,#`T8S$N=F%N:6QL82]S<F,O;W-D97`O=6YI>"]E
M;G9?=6YI>"YC"3(P,#0M,#DM,3,@,C,Z,S$Z,3DN,#`P,#`P,#`P("LP,C`P
M#0HK*RL@:6UA<"TR,#`T8S$O<W)C+V]S9&5P+W5N:7 AT O96YV7W5N:7 AT N8PDR
M,#`U+3`S+3$P(#$P.C4S.C`Y+C`P,#`P,#`P,"`K,#$P,`T*0$`@+3(Y+#<@
M*S(Y+#<@0$`-"B!S=&%T:6,@8VAA<B`J;7E-86EL8F]X1&ER(#T AT 3DE,.R\J
M(&UA:6QB;W@@9&ER96-T;W)Y(&YA;64@*B\-"B!S=&%T:6,@8VAA<B`J;7E,
M;V-A;$AO<W0@/2!.24P["2\J(&QO8V%L(&AO<W0@;F%M92`J+PT*('-T871I
M8R!C:&%R("IM>4YE=W-R8R`]($Y)3#L)+RH@;F5W<W)C(&9I;&4@;F%M92`J
M+PT*+7-T871I8R!C:&%R("IM86EL<W5B9&ER(#T AT 3DE,.PDO*B!M86EL('-U
M8F1I<F5C=&]R>2!N86UE("HO#0HK<W1A=&EC(&-H87(@*FUA:6QS=6)D:7(@
M/2`B36%I;"(["2\J(&UA:6P@<W5B9&ER96-T;W)Y(&YA;64@*B\-"B!S=&%T
M:6,@8VAA<B`J<WES26YB;W@@/2!.24P["2\J('-Y<W1E;2!I;F)O>"!N86UE
M("HO#0H@<W1A=&EC(&-H87(@*FYE=W-!8W1I=F4@/2!.24P["2\J(&YE=W,@
M86-T:79E(&9I;&4@*B\-"B!S=&%T:6,@8VAA<B`J;F5W<U-P;V]L(#T AT 3DE,
4.PDO*B!N97=S('-P;V]L("HO#0J@
`
end



--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/