Please, fix buffer overflow vulnerability in SIEVE

Bug #438363 reported by Anderson
Affects: cyrus-imapd-2.2 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Binary package hint: cyrus-imapd-2.2

From: http://www.debian.org/security/2009/dsa-1893

"It was discovered that the SIEVE component of cyrus-imapd and kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system."

Can the fix be applied to Ubuntu's Cyrus packages also?

I'm attaching the patch used in cyrus-imapd-2.2=2.2.13-14+lenny3 from Debian.

Anderson (amg1127) wrote :
Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in cyrus-imapd-2.2 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Anderson (amg1127) wrote :

Unfortunately, I'm able to make a debdiff for Cyrus Jaunty's packages only.

I don't have a testing environment for dapper, hardy, intrepid and karmic packages.

Brian Thomason (brian-thomason) wrote :
Artur Rona (ari-tczew) wrote :

Brian, please replenish your patch with more information. Follow with https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Jamie Strandboge (jdstrand) wrote :

ACK for jaunty. Thanks Brian!

Artur, while I agree DEP-3 is preferred, Brian took the patch straight from Debian and as such, we can accept it as is. Brian gave proper attribution.

Changed in cyrus-imapd-2.2 (Ubuntu):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

cyrus-imapd-2.2 (2.2.13-14ubuntu3.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Fix potential buffer overflows
    - debian/patches/0024-upstream-fix-sieve.dpatch: Use snprintf to avoid buffer
      overruns. Also fix for a buffer overflow in SIEVE filtering allowing for
      privilege escalation.
      Patch provided by Debian.
    - CVE-2009-3235
    - CVE-2009-2632

Changed in cyrus-imapd-2.2 (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
