Comment 18 for bug 10608

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 12:44:19 +0100
From: Martin Schulze <email address hidden>
To: Henrique de Moraes Holschuh <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Henrique de Moraes Holschuh wrote:
> > > On a related note, I will not pretend I even remotely understood how the
> > > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > > reference either. I'd appreciate if someone explained where the hole is to
> > > me.
> >
> > The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> > and try to clean up the variable where the new memory was supposed to end
> > up.
>
> There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

Sorry, it's xzmalloc() and xstrdup(). I wrote from memory without checking
the code again.

> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> >
> > Could that be DSA 563 alias CAN-2004-0884?
>
> No. It is related to mysasl_canon_user, and it was not in my tree yet. See
> the attached patch.

I see. I'll poke MITRE. If a CVE Id is assigned, I'll pass it
on to you.

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/