[Mimedefang] SECURITY: Patch for MIME-tools
David F. Skoll
dfs at roaringpenguin.com
Tue Oct 26 21:52:50 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
There's a bug in MIME-tools: It mis-parses things like
boundary=""
and apparently there's a virus that uses an empty boundary. You probably
want to patch your MIME-tools installation with this patch; I'll be
releasing a new MIME-tools tomorrow.
Patch below is against MIME-tools 5.414. Thanks to Stephane Lentz
and Julian Field for discovering the bug and bringing it to my attention.
Regards,
David.
===================================================================
RCS file: /home/cvsroot/MIME-tools/lib/MIME/Field/ParamVal.pm,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
- --- MIME-tools/lib/MIME/Field/ParamVal.pm 2004/10/06 18:55:27 1.3
+++ MIME-tools/lib/MIME/Field/ParamVal.pm 2004/10/27 01:41:02 1.4
@@ -236,7 +236,7 @@ sub parse_params {
$raw =~ m/\G$SPCZ\;$SPCZ/og or last; # skip leading separator
$raw =~ m/\G($PARAMNAME)\s*=\s*/og or last; # give up if not a param
$param = lc($1);
- - $raw =~ m/\G(\"([^\"]+)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last; # give up if no value"
+ $raw =~ m/\G(\"([^\"]*)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last; # give up if no value"
my ($qstr, $str, $enctoken, $badtoken, $token) = ($1, $2, $3, $4, $5);
if (defined($badtoken)) {
# Strip leading/trailing whitespace from badtoken
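Review bot: In the changed match in parse_params, the quoted-string alternative `\"([^\"]*)\"` now accepts `boundary=""`, so `$str` (capture `$2`) can be defined but empty, and an empty string is false in Perl. The code that chooses among `$qstr`, `$str`, `$enctoken` and `$token` is not visible in this hunk; it should test with `defined()`, as the visible `if (defined($badtoken))` does, rather than with truthiness, or the empty value will be treated as missing. A regression test that parses a Content-Type header carrying `boundary=""` would pin the behaviour down. The unbalanced `"` at the end of the trailing comment `# give up if no value"` also deserves either a note explaining why it is there or removal.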
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFBfv93dB1gkTPXMwsRAsrjAJ0fjmZasQ7pY/zFHHmPtPZfJm1SOQCfcYYi
oz3sasoVDlAl6Y1Wby+Ly1Q=
=J+wt
-----END PGP SIGNATURE-----