Hi Attached you'll find the NMU patch.
Cheers Steffen
diff -u pan-0.132/debian/changelog pan-0.132/debian/changelog
--- pan-0.132/debian/changelog
+++ pan-0.132/debian/changelog
@@ -1,3 +1,12 @@
+pan (0.132-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix possible buffer overflow by clearing parts from PartsBatch
+ class (Closes: #483562)
+ Fixes: CVE-2008-2363
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Sun, 01 Jun 2008 11:55:25 +0000
+
pan (0.132-3) unstable; urgency=low
* Fix FTBFS with moved glib header. (closes: #471629)
diff -u pan-0.132/debian/patches/00list pan-0.132/debian/patches/00list
--- pan-0.132/debian/patches/00list
+++ pan-0.132/debian/patches/00list
@@ -4,0 +5 @@
+CVE-2008-2363.dpatch
only in patch2:
unchanged:
--- pan-0.132.orig/debian/patches/CVE-2008-2363.dpatch
+++ pan-0.132/debian/patches/CVE-2008-2363.dpatch
@@ -0,0 +1,95 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-2363.dpatch
+##
+## DP: Fix buffer overflow
+
[EMAIL PROTECTED]@
+--- pan-0.132.inc/pan/data/parts.cc 2007-08-01 13:00:01.000000000 -0400
++++ pan-0.132/pan/data/parts.cc 2008-05-27 22:27:03.000000000 -0400
+@@ -303,8 +303,7 @@
+ this->n_parts_total = n_parts_total;
+ this->n_parts_found = 0; // they haven't been added yet
+
+- if (n_parts_found > parts.size())
+- parts.resize (n_parts_found);
++ parts.clear();
+ }
+
+ void
+@@ -312,21 +311,10 @@
+ const StringView & mid,
+ bytes_t bytes)
+ {
+- if (n_parts_found >= parts.size())
+- parts.resize (n_parts_found+1);
+-
+- Part& p = *(&parts.front() + n_parts_found++);
+- p.number = number;
+- p.bytes = bytes;
+
+ Packer packer;
+ pack_message_id (packer, mid, reference_mid);
+- p.len_used = packer.size ();
+- if (p.len_alloced < p.len_used) {
+- delete [] p.packed_mid;
+- p.packed_mid = new char [p.len_used];
+- p.len_alloced = p.len_used;
+- }
++ Part p(number,bytes,packer.size());
+ packer.pack (p.packed_mid);
+ packed_mids_len += p.len_used;
+
+@@ -337,8 +325,9 @@
+ assert (mid == tmp);
+ #endif
+
+- if (n_parts_total < n_parts_found)
++ if (n_parts_total < ++n_parts_found)
+ n_parts_total = n_parts_found;
++ parts.push_back(p);
+ }
+
+ PartBatch :: Part&
+@@ -346,7 +335,7 @@
+ {
+ number = that.number;
+ bytes = that.bytes;
+- len_used = len_alloced = that.len_used;
++ len_used = that.len_used;
+ delete [] packed_mid;
+ packed_mid = new char [len_used];
+ memcpy (packed_mid, that.packed_mid, len_used);
+@@ -357,11 +346,17 @@
+ number (that.number),
+ bytes (that.bytes),
+ len_used (that.len_used),
+- len_alloced (that.len_used),
+ packed_mid (new char [len_used])
+ {
+ memcpy (packed_mid, that.packed_mid, len_used);
+ }
++PartBatch :: Part :: Part (number_t n, bytes_t b, size_t l):
++ number(n),
++ bytes(b),
++ len_used(l),
++ packed_mid(new char [len_used])
++{
++}
+
+ void
+ PartBatch :: sort (void)
+--- pan-0.132.inc/pan/data/parts.h 2007-08-01 13:00:01.000000000 -0400
++++ pan-0.132/pan/data/parts.h 2008-05-27 22:27:03.000000000 -0400
+@@ -141,10 +141,10 @@
+ number_t number;
+ bytes_t bytes;
+ size_t len_used;
+- size_t len_alloced;
+ char * packed_mid;
+ Part(): number(0), bytes(0),
+- len_used(0), len_alloced(0), packed_mid(0) {}
++ len_used(0), packed_mid(0) {}
++ Part(number_t n, bytes_t b, size_t l);
+ ~Part() { delete [] packed_mid; }
+ Part (const Part&);
+ Part& operator= (const Part&);
signature.asc
Description: This is a digitally signed message part.

