[Mimedefang] SECURITY: Patch for MIME-tools

David F. Skoll dfs at roaringpenguin.com
Tue Oct 26 21:52:50 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

There's a bug in MIME-tools:  It mis-parses things like

	boundary=""

and apparently there's a virus that uses an empty boundary.  You probably
want to patch your MIME-tools installation with this patch; I'll be
releasing a new MIME-tools tomorrow.

Patch below is against MIME-tools 5.414.  Thanks to Stephane Lentz
and Julian Field for discovering the bug and bringing it to my attention.

Regards,

David.


===================================================================
RCS file: /home/cvsroot/MIME-tools/lib/MIME/Field/ParamVal.pm,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
- --- MIME-tools/lib/MIME/Field/ParamVal.pm	2004/10/06 18:55:27	1.3
+++ MIME-tools/lib/MIME/Field/ParamVal.pm	2004/10/27 01:41:02	1.4
@@ -236,7 +236,7 @@ sub parse_params {
 	$raw =~ m/\G$SPCZ\;$SPCZ/og or last;             # skip leading separator
 	$raw =~ m/\G($PARAMNAME)\s*=\s*/og or last;      # give up if not a param
 	$param = lc($1);
- -	$raw =~ m/\G(\"([^\"]+)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last;   # give up if no value"
+	$raw =~ m/\G(\"([^\"]*)\")|\G($ENCTOKEN)|\G($BADTOKEN)|\G($TOKEN)/g or last;   # give up if no value"
 	my ($qstr, $str, $enctoken, $badtoken, $token) = ($1, $2, $3, $4, $5);
 	if (defined($badtoken)) {
 	    # Strip leading/trailing whitespace from badtoken




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFBfv93dB1gkTPXMwsRAsrjAJ0fjmZasQ7pY/zFHHmPtPZfJm1SOQCfcYYi
oz3sasoVDlAl6Y1Wby+Ly1Q=
=J+wt
-----END PGP SIGNATURE-----


More information about the MIMEDefang mailing list