another buffer overflow (CAN-2004-1015)

Bug #10900 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
cyrus21-imapd (Debian) | Fix Released | Unknown | |
cyrus21-imapd (Ubuntu) | Invalid | High | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #284129 http://bugs.debian.org/284129

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 3 Dec 2004 16:42:13 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: another buffer overflow (CAN-2004-1015)

Package: cyrus21-imapd, cyrus-imapd
Severity: grave
Tags: security

CAN-2004-1015 described another buffer overflow in cyrus:

  Buffer overflow in proxyd for Cyrus IMAP Server 2.2.9 and earlier, with
  the imapmagicplus option enabled, may allow remote attackers to execute
  arbitrary code, a different vulnerability than CAN-2004-1011.

Upstream has released a new version, 2.2.10, to fix this one.

As far as I can tell, CAN-2004-1011 is also not fixed in Debian, though
we seem to have fixed CAN-2004-1013 and CAN-2004-1012. Here's the
description of CAN-2004-1011:

  Stack-based buffer overflow in Cyrus IMAP Server 2.2.4
  through 2.2.8, with the imapmagicplus option enabled, allows remote
  attackers to execute arbitrary code via a long (1) PROXY or (2) LOGIN
  command, a different vulnerability than CAN-2004-1015.

This one is fixed upstream in 2.2.9.

-- 
see shy jo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 4 Dec 2004 11:03:39 +1100
From: Matthew Palmer <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#284129: another buffer overflow (CAN-2004-1015)

reassign 284129 cyrus21-imapd
thanks

Having thoroughly audited the changes contained in the diffs of 2.2.8 ->
2.2.9, and 2.2.9 -> 2.2.10, I cannot find any code changes which apply to
cyrus-imapd which haven't already apparently been fixed by the security
team, and I can't see any equivalent code in cyrus-imapd which provides
equivalent functionality.

- Matt

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 4 Dec 2004 00:05:38 -0200
From: Henrique de Moraes Holschuh <email address hidden>
To: Matthew Palmer <email address hidden>, <email address hidden>
Subject: Re: Bug#284129: another buffer overflow (CAN-2004-1015)

On Sat, 04 Dec 2004, Matthew Palmer wrote:
> Having thoroughly audited the changes contained in the diffs of 2.2.8 ->
> 2.2.9, and 2.2.9 -> 2.2.10, I cannot find any code changes which apply to
> cyrus-imapd which haven't already apparently been fixed by the security
> team, and I can't see any equivalent code in cyrus-imapd which provides
> equivalent functionality.

And CAN-2004-1015 does not apply to Cyrus IMAPd 2.1.17, since there is no
imap magic plus code in 2.1.17 (verified with the diffs from upstream).

Closing the bug, and adding CAN-2004-1015 retroactively to changelog as
not-vulnerable...

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Martin Pitt (pitti) wrote :

Hoary is fixed, but Warty is vulnerable.

Martin Pitt (pitti) wrote :

(In reply to comment #3)
> And CAN-2004-1015 does not apply to Cyrus IMAPd 2.1.17, since there is no
> imap magic plus code in 2.1.17 (verified with the diffs from upstream).
>
> Closing the bug, and adding CAN-2004-1015 retroactively to changelog as
> not-vulnerable...

Right, that was the reason why there was no Warty update.

Changed in cyrus21-imapd:
status: Unknown → Fix Released