Legacy 7.3 imap-2001a-10.1 and CAN-2005-2933

Wed Oct 12 10:16:51 UTC 2005

I don't know if anyone cares about RH73 and imap-2001a anymore, but I think
this vulnerability applies to imap-2001a-10.1.legacy too:

http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
http://www.linuxsecurity.com/content/view/120575

I took the source from
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/imap-2001a-10.1.legacy.src.rpm

and modified the mail.c patch from
http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
to apply to 2001a.

It was just a blind patch weeding job - I didn't actually verify that
imap-2001a isn't invulnerable to this or vulnerable to something else.

I case anyone is interested, here's the modified .spec and the patch.

Just do 

  rpm -i imap-2001a-10.1.legacy.src.rpm
  cp imap.spec.patched /usr/src/redhat/SPECS/imap.spec
  cp imap-2001a-CAN-2005-2933_fix.patch /usr/src/redhat/SOURCES/
  rpm -bb /usr/src/redhat/SPECS/imap.spec



-- v -- 

v at iki.fi

-------------- next part --------------
#!/bin/bash
%define Build_7		1
%define Build_62	0

%if	%{Build_7}
%define with_xinetd	1
%endif

%if	%{Build_62}
%define with_xinetd	0
%endif

Summary: Server daemons for IMAP and POP network mail protocols.
Name: imap
Version: 2001a
# Last 6.2 release: 2000c-1.6.1, last 5.2 release: 2000c-1.5.1
Release: 10.2.legacy
Epoch: 1
License: University of Washington Free-Fork License
Group: System Environment/Daemons
URL: http://www.washington.edu/imap/

Source: imap-%{version}.tar.bz2
Source1: imap.pamd
Source2: imap.pamd.6
Source3: imap-xinetd
Source4: ipop2-xinetd
Source5: ipop3-xinetd
Source6: imaps-xinetd
Source7: pop3s-xinetd
Source8: flock.c
Source9: README.IMAPS

Patch0: imap-2001a-redhat-ssl.patch
Patch1: imap-2000-linux.patch
Patch2: imap-2000-vfs.patch
Patch3: imap-2001a-mbox-disable.patch
Patch4: imap-2000-krbpath.patch
Patch5: imap-2000c-redhat-flock.patch
Patch6: imap-2001a-overflow.patch
Patch8: imap-2001a-redhat-version.patch
Patch9: imap-2001a-boguswarning.patch
Patch10: imap-2000-time.patch
Patch11: imap-2001a-can-2003-0297.patch
Patch12: imap-2001a-CAN-2005-2933_fix.patch

Buildroot: %{_tmppath}/%{name}-%{version}-root

BuildPrereq: krb5-devel, openssl-devel
# DO NOT REMOVE THIS PAM HEADER DEPENDANCY OR FACE THE WRATH
BuildPreReq: /usr/include/security/pam_modules.h
Requires: pam >= 0.59
Conflicts: cyrus-imapd

%if %{Build_7}
Requires: %{_sysconfdir}/pam.d/system-auth
%endif

%if %{with_xinetd}
Prereq: xinetd
%endif


%description
The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols.  The POP protocol uses a "post office" machine to collect
mail for users and allows users to download their mail to their local
machine for reading. The IMAP protocol allows a user to read mail on a
remote machine without downloading it to their local machine.

Install the imap package if you need a server to support the IMAP or
the POP mail access protocols.

%package devel
Summary: Development tools for programs which will use the IMAP library.
Group: Development/Libraries

%description devel
The imap-devel package contains the header files and static libraries
for developing programs which will use the IMAP (Internet Message
Access Protocol) library.

%prep

%setup -q
chmod -R u+w .

%patch0 -p1 -b .redhat-ssl-patch

%patch1 -p1 -b .linux-patch
# FIXME: Disabled for 2001a-1 build..  unneeded now?
#%patch2 -p1 -b .vfs-patch
%patch3 -p0 -b .mbox-disable-patch

%patch4 -p1 -b .gssapi-patch

%patch5 -p1 -b .redhat-flock
%patch6 -p1 -b .overflow
%patch8 -p0 -b .redhat-version
%patch9 -p0 -b .boguswarning

# Only apply the time.h patch to 7.x errata builds
%if %{Build_7}
%patch10 -p1 -b .time-patch
%endif
%patch11 -p2 -b .can-2003-0297
%patch12 -p0 -b .CAN-2005-2933_fix

cp %{SOURCE8} src/osdep/unix/
cp %{SOURCE9} .

%build
# Set EXTRACFLAGS here instead of in imap-2000-redhat.patch (#20760)
EXTRACFLAGS="$EXTRACFLAGS -DDISABLE_POP_PROXY=1 -DIGNORE_LOCK_EACCES_ERRORS=1"
EXTRACFLAGS="$EXTRACFLAGS -I/usr/include/openssl"
EXTRACFLAGS="$EXTRACFLAGS -I/usr/kerberos/include"
EXTRALDFLAGS="$EXTRALDFLAGS -L/usr/kerberos/lib"

%ifnarch sparc
make RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC" lnp \
%else
make RPM_OPT_FLAGS="" lnp \
%endif
EXTRACFLAGS="$EXTRACFLAGS" \
EXTRALDFLAGS="$EXTRALDFLAGS" \
EXTRAAUTHENTICATORS=gss \
SSLTYPE=unix \
# This line needs to be here.

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
install -m 644 ./src/ipopd/ipopd.8c $RPM_BUILD_ROOT%{_mandir}/man8/ipopd.8c
install -m 644 ./src/imapd/imapd.8c $RPM_BUILD_ROOT%{_mandir}/man8/imapd.8c
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
install -s -m 755 ./ipopd/ipop2d $RPM_BUILD_ROOT%{_sbindir}
install -s -m 755 ./ipopd/ipop3d $RPM_BUILD_ROOT%{_sbindir}
install -s -m 755 ./imapd/imapd $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/etc/pam.d

%if %{Build_7}
install -m 644 ${RPM_SOURCE_DIR}/imap.pamd $RPM_BUILD_ROOT/etc/pam.d/imap
install -m 644 ${RPM_SOURCE_DIR}/imap.pamd $RPM_BUILD_ROOT/etc/pam.d/pop
%else
install -m 644 ${RPM_SOURCE_DIR}/imap.pamd.6 $RPM_BUILD_ROOT/etc/pam.d/imap
install -m 644 ${RPM_SOURCE_DIR}/imap.pamd.6 $RPM_BUILD_ROOT/etc/pam.d/pop
%endif

## Install the shared lib
#install -m 755 libimap.so.%{version} $RPM_BUILD_ROOT/usr/lib
#ln -sf libimap.so.%{version} $RPM_BUILD_ROOT/usr/lib/libimap.so

mkdir -p $RPM_BUILD_ROOT%{_libdir}
install -m 644 ./c-client/c-client.a $RPM_BUILD_ROOT%{_libdir}/
ln -s c-client.a  $RPM_BUILD_ROOT%{_libdir}/libc-client.a
mkdir -p $RPM_BUILD_ROOT%{_includedir}/imap
install -m 644 ./c-client/*.h $RPM_BUILD_ROOT%{_includedir}/imap
# Added linkage.c to fix (#34658) <mharris>
install -m 644 ./c-client/linkage.c $RPM_BUILD_ROOT%{_includedir}/imap
install -m 644 ./src/osdep/tops-20/shortsym.h $RPM_BUILD_ROOT%{_includedir}/imap

%if %{with_xinetd}
#install service configuration files
mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d/
install -m644 %{SOURCE3} $RPM_BUILD_ROOT/etc/xinetd.d/imap
install -m644 %{SOURCE4} $RPM_BUILD_ROOT/etc/xinetd.d/ipop2
install -m644 %{SOURCE5} $RPM_BUILD_ROOT/etc/xinetd.d/ipop3
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/xinetd.d/imaps
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/xinetd.d/pop3s
%endif

# Generate ghost *.pem files
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/ssl/certs
touch $RPM_BUILD_ROOT/%{_datadir}/ssl/certs/{imapd,ipop3d}.pem
chmod 600 $RPM_BUILD_ROOT/%{_datadir}/ssl/certs/{imapd,ipop3d}.pem

%clean
rm -rf $RPM_BUILD_ROOT

%if %{Build_7}
%post
# This was 'if with_ssl' before, but due to packaging problems with older
# releases handling the logic, I changed it to only happen in 7.x instead
# If no cert, migrate stunnel.pem, or generate a new cert
pushd %{_datadir}/ssl/certs &> /dev/null || :
for CERT in imapd.pem ipop3d.pem ;do
   if [ ! -e $CERT ];then
      if [ -e stunnel.pem ];then
         cp stunnel.pem $CERT &> /dev/null || :
      elif [ -e Makefile ];then
         make $CERT << EOF &> /dev/null || :
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
localhost.localdomain
root at localhost.localdomain
EOF
      fi
   fi
done
popd &> /dev/null || :

/sbin/service xinetd reload > /dev/null 2>&1 || :
%endif


%if %{Build_7}
%postun
/sbin/service xinetd reload > /dev/null 2>&1 || :
%endif


%files
%defattr(-,root,root)
%config /etc/pam.d/imap
%config /etc/pam.d/pop

%if %{with_xinetd}
%config(noreplace) /etc/xinetd.d/imap
%config(noreplace) /etc/xinetd.d/ipop2
%config(noreplace) /etc/xinetd.d/ipop3
# These to need to be replaced, or imaps/pop3s will fail after an upgrade
%config /etc/xinetd.d/imaps
%config /etc/xinetd.d/pop3s
%endif

%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{_datadir}/ssl/certs/imapd.pem
%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{_datadir}/ssl/certs/ipop3d.pem

%{_mandir}/man8/ipopd.8c*
%{_mandir}/man8/imapd.8c*
%attr(0755,root,root)	%{_sbindir}/ipop2d
%attr(0755,root,root)	%{_sbindir}/ipop3d
%attr(0755,root,root)	%{_sbindir}/imapd
%doc CPYRIGHT README WARNING README.IMAPS docs/RELNOTES docs/*.txt
%doc docs/CONFIG docs/SSLBUILD

%files devel
%defattr(-,root,root)
%doc docs/*
%{_includedir}/imap
#FIXME: is this c-client.a necessary?
%{_libdir}/c-client.a
%{_libdir}/libc-client.a

%changelog
* Thu Oct 12 2005 Ville Herva <vherva at vianova.fi> 2001a-10.2.legacy
- Added security patch for CAN-2005-2933

* Thu Mar  3 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 2001a-10.1.legacy
- Added security patch for CAN-2003-0297

* Wed Apr 17 2002 Mike A. Harris <mharris at redhat.com> 2001a-10
- Fixed mbox-disable patch to really disable mbox (#15833)

* Wed Apr 17 2002 Bernhard Rosenkraenzer <bero at redhat.com> 2001a-9
- Fix overflow in rfc822.c (#60818)

* Tue Feb 26 2002 Mike A. Harris <mharris at redhat.com> 2001a-8
- Updated files list, explicitly listing .pem files to attempt to quell
  rpmlint warning.

* Tue Feb 26 2002 Mike A. Harris <mharris at redhat.com> 2001a-7
- Rebuilt in new environment

* Wed Feb 13 2002 Mike A. Harris <mharris at redhat.com> 2001a-6
- Put a pam build dependancy back, since pam is used during build, it is
  required to be there.

* Sat Jan 26 2002 Florian La Roche <Florian.LaRoche at redhat.de>
- delete /lib/libpam.so BuildPreReq, it does not exist anymore

* Thu Jan 24 2002 Mike A. Harris <mharris at redhat.com> 2001a-4
- Rebuild in new environment as -3 failed for some obscure cryptic reason,
  so bumping to -4 to try again.

* Tue Nov 20 2001 Nalin Dahyabhai <nalin at redhat.com> 2001a-2
- Change SPECIALAUTHENTICATORS=ssl to SSLTYPE=unix at build time (the
  procedure changed for 2001a

* Tue Nov 20 2001 Mike A. Harris <mharris at redhat.com> 2001a-1
- Updated to imap-2001a
- Removed USERID option from all xinetd config files to fix (#56279)
- Modified all xinetd conf files to use the following log options instead
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
- Removed Build_52 target define, and with_ssl, with_ssl_cert, with_krb5
  conditionals, as they are no longer needed now because all supported releases
  currently support SSL and kerberos.
- Updated imap-2001a-redhat-ssl.patch, imap-2001a-mbox-disable.patch
- Removed imap-2000c-security.patch, and imap-2000c-morefixes.patch as they
  are now integrated in 2001a
        
* Thu Oct 11 2001 Mike A. Harris <mharris at redhat.com> 2000c-17
- Rebuilt with pam auth files for 6.2 errata (1.6.1), and 5.2 errata (1.5.1),
  and put master release in rawhide as 2000c-17, so future releases come
  from current RPM.
  
* Tue Jul 24 2001 Mike A. Harris <mharris at redhat.com> 2000c-14
- Removed conditional with_pamauth, and replaced with better solution,
  fixing bug (#49604)
- Enabled ghost cert files and cert creation for all SSL builds.
- Removed macro from release tag to allow spec release bumping.

* Sat Jul 21 2001 Mike A. Harris <mharris at redhat.com> 2000c-13
- Add bpr on pam-devel (#49501)

* Thu Jul 19 2001 Mike A. Harris <mharris at redhat.com> 2000c-12
- Enabled file ownership/ghosting of pem files. (#43400)

* Wed Jul 11 2001 Tim Powers <timp at redhat.com> 2000c-11
- rebuilt for 7.x

* Fri Jul  6 2001 Mike A. Harris <mharris at redhat.com> 2000c-10
- Rebuilt in new environment, bumped release numbers to 200c-10,
  2000c-1.6.0, 2000c-1.5.0

* Thu Jul  5 2001 Mike A. Harris <mharris at redhat.com> 2000c-9
- Fix for with_pamauth
- Built 2000c-9 for 7.x, 2000c-1.3.6x, 2000c-1.3.5x

* Wed Jun 27 2001 Mike A. Harris <mharris at redhat.com> 2000c-8
- Minor fix to wrap up post and postun in an if block to exclude them from
  6.x/5.x builds.
- Built 2000c-8 for 7.x, 2000c-1.2.6x for 6.2 and 2000c-1.2.5x for 5.2

* Sat Jun 23 2001 Mike A. Harris <mharris at redhat.com> 2000c-7
- Disabled complex ghost lines on pem files for errata as it is more of
  an enhancement that should wait for a full devel cycle of testing.
   
* Wed Jun 20 2001 Mike A. Harris <mharris at redhat.com> 2000c-6.13
- Added security fixes from Vincent Danen's imap 4.4 package. (#44321)
- Added conditional code to generate SSL certificates during post-install
- Added the SSL certificate as a ghost config file (conditionally).
- Moved xinetd reload to after end of post install script (#43400)
- ghosted ssl certificate (#43400)
- Fixed bug where imaps/pop3s would fail after an upgrade from old stunnel
  based imaps because the xinetd.d/* files were all (noreplace), so the
  new old xinetd config file still tried to use stunnel.

* Tue May 22 2001 Mike A. Harris <mharris at redhat.com> 2000c-5
- Changes to specfile to conditionalize with_pamauth, and with_xinetd,
  wrapped all relevant parts of specfile with new conditionals, and
  added Build_62, and Build_52, along with wrapper ifdef's to preset
  the various options based on the build being done.  

* Mon May 21 2001 Mike A. Harris <mharris at redhat.com> 2000c-2
- Added post script to migrate stunnel.pem to imapd.pem if the former exists
  when installing/upgrading and no imapd.pem exists already.
- Built errata candidate 2000c-2 for RHL 7.x

* Sat May 19 2001 Mike A. Harris <mharris at redhat.com> 
- Updated sources to imap-2000c fixing bug ids (20858,25976,40855,41292)
- Updated patches to work with imap-200c (ssl, flock)
- Removed unneeded sparc patch (fixed in 2000c), and patch6
- Include more documentation (*.txt, etc..) in main package
- s/Copyright:/License:/ in specfile

* Thu Apr  5 2001 Mike A. Harris <mharris at redhat.com>
- Added c-client/linkage.c to /usr/include/imap so that applications
  built with c-client will be consistent across the distribution.

* Sat Mar  3 2001 Mike A. Harris <mharris at redhat.com>
- Reintegrated my changes from Mar 1 that got lost. -8 release.

* Fri Mar  2 2001 Nalin Dahyabhai <nalin at redhat.com>
- rebuild in new environment

* Thu Mar  1 2001 Mike A. Harris <mharris at redhat.com>
- UNIX compress (.Z) sucks.  Converted to bzip2 for a 60% savings (1.1Mb)
- Removed EXTRACFLAGS changes from redhat patch to Makefile, and put
  in spec file so it propagates through the build. (#20760)
- Changed license from BSD to "University of Washington's Free-Fork License",
  as it is not in fact BSD licenced.  See file CPYRIGHT for details.
	
* Thu Feb 15 2001 Trond Eivind Glomsr?d <teg at redhat.com>
- Conflict with cyrus-imapd

* Wed Feb 14 2001 Trond Eivind Glomsr?d <teg at redhat.com>
- Make it build

* Mon Nov 20 2000 Nalin Dahyabhai <nalin at redhat.com>
- add some documentation about the SSL server-side support (#20931)

* Mon Oct 31 2000 Nalin Dahyabhai <nalin at redhat.com>
- make SSL and GSS support conditional
- mark as a modified version
- quell error messages about spool directory permissions

* Thu Oct 26 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to 2000 final release and bump epoch to upgrade RCs
- patch to get around bug in compiler on sparc

* Fri Oct 20 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to RC8

* Wed Oct 18 2000 Nalin Dahyabhai <nalin at redhat.com>
- always do a pam_setcred(DELETE) before doing a pam_end()

* Tue Oct 10 2000 Nalin Dahyabhai <nalin at redhat.com>
- switch to internal SSL support instead of using stunnel (#18727)

* Wed Oct  4 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to IMAP 2000 RC7

* Thu Aug 24 2000 Nalin Dahyabhai <nalin at redhat.com>
- update flock() emulation
- ignore dotlock errors because we're all using fcntl() locks

* Wed Aug 23 2000 Nalin Dahyabhai <nalin at redhat.com>
- modify locking to use fcntl() instead of flock() (#15779)
- add simap patches

* Wed Aug  9 2000 Nalin Dahyabhai <nalin at redhat.com>
- disable mbox in top-level makefile, too (#15833)

* Tue Aug  8 2000 Nalin Dahyabhai <nalin at redhat.com>
- rename simap to imaps and spop3 to pop3s

* Tue Jul 18 2000 Bill Nottingham <notting at redhat.com>
- add description & default to xinetd file

* Thu Jul 13 2000 Prospector <bugzilla at redhat.com>
- automatic rebuild

* Mon Jul 10 2000 Nalin Dahyabhai <nalin at redhat.com>
- disable the mbox driver, which is counter-intuitive
- add xinetd control files for imaps and pop3s for use with stunnel

* Thu Jul  6 2000 Nalin Dahyabhai <nalin at redhat.com>
- don't shut down xinetd on uninstall
- use xinetd's reload, not condrestart
- add chkconfig comments to xinetd config file
- reload xinetd even if all copies of imapd will be gone
- mark xinetd config files as noreplace

* Tue Jul  4 2000 Florian La Roche <Florian.LaRoche at redhat.com>
- change scripts

* Mon Jul  3 2000 Nalin Dahyabhai <nalin at redhat.com>
- add "Requires: xinetd" (#11837)

* Tue Jun 27 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to 4.7c2
- condrestart xinetd in post and postun

* Sat Jun 17 2000 Nalin Dahyabhai <nalin at redhat.com>
- disable by default
- FHS fixes
- add defattr to -devel subpackage
- add libc-client.a symlink to %{_libdir}

* Thu Jun  1 2000 Nalin Dahyabhai <nalin at redhat.com>
- modify PAM setup to use system-auth

* Mon May 22 2000 Trond Eivind Glomsr?d <teg at redhat.com>
- Now uses xinetd

* Wed Apr  5 2000 Bill Nottingham <notting at redhat.com>
- remove explict krb5-configs dependency

* Sun Mar 26 2000 Florian La Roche <Florian.LaRoche at redhat.com>
- change root:mail -> root:root

* Wed Mar  1 2000 Nalin Dahyabhai <nalin at redhat.com>
- make kerberos support conditional at build-time

* Wed Mar  1 2000 Bill Nottingham <notting at redhat.com>
- integrate kerberos support into main tree

* Thu Feb 03 2000 Cristian Gafton <gafton at redhat.com>
- fix group
- fix description
- man pages are compressed

* Thu Jan 13 2000 Preston Brown <pbrown at redhat.com>
- create static library in a subpackage 'devel' (#5098)

* Thu Jun 10 1999 Dale Lovelace <dale at redhat.com>
- add -fPIC option for sparc mod_php3 problems

* Fri Apr 09 1999 Cristian Gafton <gafton at redhat.com>
- ipop3d service name was changed to "pop" now. Clearly somebody that hasn't
  got a clue about PAM stuff is messing around with the source.

* Sun Mar 21 1999 Cristian Gafton <gafton at redhat.com> 
- auto rebuild in the new build environment (release 2)

* Sat Mar 13 1999 Cristian Gafton <gafton at redhat.com>
- verson 4.5
- loose the noflock patch

* Thu Dec 17 1998 Cristian Gafton <gafton at redhat.com>
- added a -vfs patch because sys/statvfs on glibc 2.1 is different from what
  is available on the sun...
- build against glibc 2.1

* Fri Sep 11 1998 Jeff Johnson <jbj at redhat.com>
- use only fcntl locking.

* Thu Sep 10 1998 Jeff Johnson <jbj at redhat.com>
- update to 4.4.
- removed g+s bit to imapd.

* Wed Jul 22 1998 Jeff Johnson <jbj at redhat.com>
- updated to 4.2.
- added g+s bit to imapd so that lock files can be created.

* Thu May 07 1998 Prospector System <bugs at redhat.com>
- translations modified for de, fr, tr

* Wed Apr 08 1998 Cristian Gafton <gafton at redhat.com>
- Updated to the latest imap as of today...

* Wed Dec 10 1997 Cristian Gafton <gafton at redhat.com>
- Updated to the latest imap as of today...
- Updated the pam patch to reflect the new directory organization

* Thu Oct 23 1997 Michael K. Johnson <johnsonm at redhat.com>
- Fix patch for new PAM spec compliance.

* Thu Oct 02 1997 Michael K. Johnson <johnsonm at redhat.com>
- Comply with change in PAM spec.
- Use a buildroot.

* Mon Mar 03 1997 Michael K. Johnson <johnsonm at redhat.com>
- Moved from pam.conf to pam.d

* Mon Mar 03 1997 Erik Troan <ewt at redhat.com>
- Fixed buffer overrun in server_login().
-------------- next part --------------
 Fixes CAN-2005-2933

 See
 http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
 http://www.linuxsecurity.com/content/view/120575

 Modified from the mail.c patch at
 http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false

--- src/c-client/mail.c.orig	Tue Nov 13 21:29:07 2001
+++ src/c-client/mail.c	Wed Oct 12 10:28:58 2005
@@ -587,8 +587,10 @@
       if (c == '=') {		/* parse switches which take arguments */
 	if (*t == '"') {	/* quoted string? */
 	  for (v = arg,i = 0,++t; (c = *t++) != '"';) {
+	    if (!c) return NIL; /* unterminated string [CAN-2005-2933] */
 				/* quote next character */
 	    if (c == '\\') c = *t++;
+	    if (!c) return NIL; /* can't quote NUL either [CAN-2005-2933] */
 	    arg[i++] = c;
 	  }
 	  c = *t++;		/* remember delimiter for later */
