Mercurial > hg > xemacs-beta

--- a/lib-src/ChangeLog	Sun Feb 13 22:51:33 2005 +0000
+++ b/lib-src/ChangeLog	Mon Feb 14 03:40:45 2005 +0000
@@ -1,3 +1,9 @@
+2005-01-29  Vin Shelton  <acs@xemacs.org>
+
+	* movemail.c (popmail): Pass error string as format parameter
+	instead of as part of format string. Security fixes for
+	CAN-2005-0100.
+
 2005-02-03  Jerry James  <james@xemacs.org>

 	* etags.c: Update to author version 17.11.
--- a/lib-src/movemail.c	Sun Feb 13 22:51:33 2005 +0000
+++ b/lib-src/movemail.c	Mon Feb 14 03:40:45 2005 +0000
@@ -746,14 +746,14 @@
   server = pop_open (0, user, password, POP_NO_GETPASS);
   if (! server)
     {
-      error (pop_error, NULL, NULL);
+      error ("%s", pop_error, NULL);
       return (1);
     }

   VERBOSE(("stat'ing messages\n"));
   if (pop_stat (server, &nmsgs, &nbytes))
     {
-      error (pop_error, NULL, NULL);
+      error ("%s", pop_error, NULL);
       return (1);
     }

@@ -801,7 +801,7 @@
           mbx_delimit_begin (mbf);
 	  if (pop_retr (server, i, mbx_write, mbf) != POP_RETRIEVED)
 	    {
-	      error (Errmsg, NULL, NULL);
+	      error ("%s", Errmsg, NULL);
 	      close (mbfi);
 	      return (1);
 	    }
@@ -849,7 +849,7 @@
 	      VERBOSE(("deleting message %d     \n", i));
 	      if (pop_delete (server, i))
 		{
-		  error (pop_error, NULL, NULL);
+		  error ("%s", pop_error, NULL);
 		  pop_close (server);
 		  return (1);
 		}
@@ -860,7 +860,7 @@
   VERBOSE(("closing server             \n"));
   if (pop_quit (server))
     {
-      error (pop_error, NULL, NULL);
+      error ("%s", pop_error, NULL);
       return (1);
     }