Add patch to fix arbitrary code execution via CalDAV (Closes: CVE-2019-11356)
Xavier Guimard
4 years ago
0 | Description: <short summary of the patch> | |
1 | Description: Fix for CVE-2019-11356 | |
2 | Author: Ken Murchison <murch@fastmail.com> | |
3 | Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8 | |
4 | Bug: https://security-tracker.debian.org/tracker/CVE-2019-11356 | |
5 | Forwarded: not-needed | |
6 | Reviewed-By: Xavier Guimard <yadd@debian.org> | |
7 | Last-Update: 2019-06-07 | |
8 | ||
9 | --- a/imap/http_caldav.c | |
10 | +++ b/imap/http_caldav.c | |
11 | @@ -2593,7 +2593,7 @@ | |
12 | /* Check if this is an empty property error */ | |
13 | char propname[256]; | |
14 | if (sscanf(errstr, | |
15 | - "No value for %s property", propname) == 1) { | |
16 | + "No value for %255s property", propname) == 1) { | |
17 | /* Empty LOCATION is OK */ | |
18 | if (!strcasecmp(propname, "LOCATION")) continue; | |
19 | if (!strcasecmp(propname, "COMMENT")) continue; | |
20 | --- a/imap/httpd.c | |
21 | +++ b/imap/httpd.c | |
22 | @@ -1529,7 +1529,7 @@ | |
23 | memset(&tm, 0, sizeof(struct tm)); | |
24 | tm.tm_isdst = -1; | |
25 | sscanf(time, "%02d:%02d:%02d", &tm.tm_hour, &tm.tm_min, &tm.tm_sec); | |
26 | - sscanf(date, "%s %2d %4d", month, &tm.tm_mday, &tm.tm_year); | |
27 | + sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year); | |
28 | tm.tm_year -= 1900; | |
29 | for (tm.tm_mon = 0; tm.tm_mon < 12; tm.tm_mon++) { | |
30 | if (!strcmp(month, monthname[tm.tm_mon])) break; |
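Review bot: The return value of the patched `sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year)` on the `+` line is still unchecked, as is the `sscanf(time, "%02d:%02d:%02d", ...)` two lines above it, so a malformed date string leaves tm_mday/tm_year at their memset zeros and, if the first conversion fails, leaves `month` untouched before `strcmp(month, monthname[tm.tm_mon])` reads it. The width fix stops the overflow but not the unchecked parse; something like `if (sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year) != 3) { /* reject: malformed date */ }` with whatever error return the function uses would close that gap. The declaration of `month` is outside the hunk, and `%3s` stores up to four bytes including the terminator, so the new width is only correct if `month` is at least `char month[4]` — worth confirming against the declaration. The enclosing function starts and ends outside the hunk.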