cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Bug #10608 reported by Debian Bug Importer
Affects                  Status        Importance  Assigned to   Milestone
cyrus21-imapd (Debian)   Fix Released  Unknown
cyrus21-imapd (Ubuntu)   Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #282681 http://bugs.debian.org/282681

Revision history for this message
Henrique de Moraes Holschuh (hmh) wrote: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

On Tue, 23 Nov 2004, Martin Pitt wrote:
> At least sarge's and sid's versions are vulnerable to above CANs and
> some additional issue described in

Yeah, I noticed. The worst is already fixed in incoming...

> hole. Please also check whether woody is vulnerable, I did not do

Woody's cyrus is a lost cause (1.5). It does not have 2.1, though.

> - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
> nflags within functions called by xstrdup() is undefined and different
> gcc versions handle this differently

Drat, that one escaped me. I will upload a new fix.

Thanks for the heads-up and for the patch.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 23 Nov 2004 20:16:44 +0100
From: Martin Pitt <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Cc: <email address hidden>
Subject: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Package: cyrus21-imapd
Version: 2.1.16-10
Severity: critical
Tags: security patch
Justification: root security hole

Hi!

At least sarge's and sid's versions are vulnerable to above CANs and
some additional issue described in

 http://security.e-matters.de/advisories/152004.html

I fixed Ubuntu using the interdiff at

  http://patches.ubuntu.com/patches/cyrus21-imapd.CAN-2004-1012+13.diff

Please fix this as soon as possible since this is a root security
hole. Please also check whether woody is vulnerable, I did not do
this.

My changelog:

------------------- snip -----------------
 cyrus21-imapd (2.1.16-10ubuntu1) hoary; urgency=low
 .
   * SECURITY UPDATE: fix several potential buffer overflows
   * imap/imapd.c:
     - cmd_fetch(), cmd_partial(): fixed insufficient checking of the command
       string: the command "body[p"/"BODY[P" was recognized as
       "body.peek"/"BODY.PEEK" which caused an incrementation of the command
       buffer pointer beyond the allocated memory
     - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
       nflags within functions called by xstrdup() is undefined and different
       gcc versions handle this differently
   * Note: this version is not vulnerable to CAN-2004-1011
   * References:
     CAN-2004-1012, CAN-2004-1013
     http://security.e-matters.de/advisories/152004.html
------------------- snip -----------------

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org


Revision history for this message
Henrique de Moraes Holschuh (hmh) wrote: Bug#282681: fixed in cyrus21-imapd 2.1.17-1

Source: cyrus21-imapd
Source-Version: 2.1.17-1

We believe that the bug you reported is fixed in the latest version of
cyrus21-imapd, which is due to be installed in the Debian FTP archive:

cyrus21-admin_2.1.17-1_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-admin_2.1.17-1_all.deb
cyrus21-clients_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-clients_2.1.17-1_i386.deb
cyrus21-common_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-common_2.1.17-1_i386.deb
cyrus21-dev_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-dev_2.1.17-1_i386.deb
cyrus21-doc_2.1.17-1_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-doc_2.1.17-1_all.deb
cyrus21-imapd_2.1.17-1.diff.gz
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1.diff.gz
cyrus21-imapd_2.1.17-1.dsc
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1.dsc
cyrus21-imapd_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1_i386.deb
cyrus21-imapd_2.1.17.orig.tar.gz
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17.orig.tar.gz
cyrus21-murder_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-murder_2.1.17-1_i386.deb
cyrus21-pop3d_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-pop3d_2.1.17-1_i386.deb
libcyrus-imap-perl21_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/libcyrus-imap-perl21_2.1.17-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <email address hidden> (supplier of updated cyrus21-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Nov 2004 19:19:56 -0200
Source: cyrus21-imapd
Binary: cyrus21-doc cyrus21-admin cyrus21-murder cyrus21-common cyrus21-imapd cyrus21-clients cyrus21-dev cyrus21-pop3d libcyrus-imap-perl21
Architecture: source i386 all
Version: 2.1.17-1
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <email address hidden>
Changed-By: Henrique de Moraes Holschuh <email address hidden>
Description:
 cyrus21-admin - Cyrus mail system (administration tool)
 cyrus21-clients - Cyrus mail system (test clients)
 cyrus21-common - Cyrus mail system (common files)
 cyrus21-dev - Cyrus mail system (developer files)
 cyrus21-doc - Cyrus mail system (documentation files)
 cyrus21-imapd - Cyrus mail system (IMAP support)
 cyrus21-murder - Cyrus mail system (proxies and aggregator)
 cyrus21-pop3d - Cyrus mail system (POP3 support)
 libcyrus-imap-perl21 - Interface to Cyrus imap client imclient library
Closes: 282681
Changes:
 cyrus21-imapd (2.1.17-1) unstable; urgency=high
 .
   * New upstream source
     * SECURITY FIX:
       Detect and avoid buffer overflow on SASL canonical processing
   * SECURITY FIX (from Ubuntu, thanks to Martin Pitt
     <email address hidden>): fixed two inca...


Revision history for this message
Martin Schulze (joey-infodrom) wrote:

Martin Pitt wrote:
> At least sarge's and sid's versions are vulnerable to above CANs and
> some additional issue described in

The version in woody is vulnerable to CAN-2004-1012 and CAN-2004-1013.
I plan to use the attached patch.

> http://patches.ubuntu.com/patches/cyrus21-imapd.CAN-2004-1012+13.diff
>
> Please fix this as soon as possible since this is a root security
> hole. Please also check whether woody is vulnerable, I did not do
> this.
>
> My changelog:
>
> ------------------- snip -----------------
> cyrus21-imapd (2.1.16-10ubuntu1) hoary; urgency=low
> .
> * SECURITY UPDATE: fix several potential buffer overflows
> * imap/imapd.c:
> - cmd_fetch(), cmd_partial(): fixed insufficient checking of the command
> string: the command "body[p"/"BODY[P" was recognized as
> "body.peek"/"BODY.PEEK" which caused an incrementation of the command
> buffer pointer beyond the allocated memory
> - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
> nflags within functions called by xstrdup() is undefined and different
> gcc versions handle this differently
> * Note: this version is not vulnerable to CAN-2004-1011
> * References:
> CAN-2004-1012, CAN-2004-1013
> http://security.e-matters.de/advisories/152004.html
> ------------------- snip -----------------

CAN-2004-1015 missing. Not sure if the version in ubuntu or unstable is
vulnerable, though.

Henrique, please mention the respective CVE Id in the proper changelog
entry and please let me know which version in unstable fixes the problems.

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.
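The FETCH/PARTIAL prefix bug described in the Ubuntu changelog quoted above, modelled as an added example. This is not Cyrus code and not the woody patch from this thread: the real parser advances a pointer into the IMAP command buffer, whereas here the attribute is a plain NUL-terminated C string and both variants return the byte offset at which section parsing would continue, so the vulnerable behaviour can be observed without reading out of bounds. `has_body_prefix`, `parse_vulnerable`, `parse_fixed` and the sample inputs are constructed for this illustration; the uppercase `BODY[` site stands in for both the `BODY[` (cmd_fetch) and `body[` (cmd_partial) sites the changelog names.

```c
/* Added example, not Cyrus code: a model of the FETCH/PARTIAL section-prefix
 * check that the changelog in this thread describes.  The real code walks
 * the command buffer with a pointer; this model takes the attribute as a
 * NUL-terminated string and returns the byte offset where section parsing
 * would continue, so the vulnerable variant can be inspected without
 * actually reading past the end of anything. */
#include <stdio.h>
#include <string.h>

struct section_parse {
    int matched;        /* attribute starts with BODY[ or BODY.PEEK[ */
    int peek;           /* PEEK variant recognised */
    size_t offset;      /* where the section text would start */
    int out_of_bounds;  /* offset lies past the string's terminator */
};

/* Outer prefix test, identical in both variants below. */
static int has_body_prefix(const char *att)
{
    return strncmp(att, "BODY[", 5) == 0 || strncmp(att, "BODY.PEEK[", 10) == 0;
}

/* Pre-fix shape, as the changelog describes it: after the five-byte prefix
 * a single 'P' is taken to mean "PEEK[" and the position moves five more
 * bytes regardless of what, if anything, follows.  For "BODY[P" (six
 * bytes) the resulting position is ten bytes in, past the terminator. */
static struct section_parse parse_vulnerable(const char *att)
{
    struct section_parse r = {0, 0, 0, 0};
    if (has_body_prefix(att)) {
        r.matched = 1;
        r.offset = 5;                 /* p = section = att + 5 */
        if (att[r.offset] == 'P') {   /* the faulty one-character test */
            r.peek = 1;
            r.offset += 5;            /* p = section += 5 */
        }
    }
    r.out_of_bounds = r.matched && r.offset > strlen(att);
    return r;
}

/* Fixed shape, as in the woody patch: require all five bytes of "PEEK["
 * before advancing.  strncmp stops at the first NUL on either side, so the
 * comparison cannot run off a short attribute, and the advance happens only
 * once those five bytes are known to exist. */
static struct section_parse parse_fixed(const char *att)
{
    struct section_parse r = {0, 0, 0, 0};
    if (has_body_prefix(att)) {
        r.matched = 1;
        r.offset = 5;
        if (strncmp(att + r.offset, "PEEK[", 5) == 0) {
            r.peek = 1;
            r.offset += 5;
        }
    }
    r.out_of_bounds = r.matched && r.offset > strlen(att);
    return r;
}

int main(void)
{
    /* Constructed inputs: a normal section, the peek form, the truncated
     * "BODY[P" from the changelog, the malformed "BODY[PEEK[" that both
     * variants still accept as a peek, and a non-BODY attribute. */
    const char *inputs[] = {"BODY[1]", "BODY.PEEK[1]", "BODY[P", "BODY[PEEK[1]", "FLAGS"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct section_parse v = parse_vulnerable(inputs[i]);
        struct section_parse f = parse_fixed(inputs[i]);
        printf("%-14s vulnerable: peek=%d offset=%zu oob=%d | fixed: peek=%d offset=%zu oob=%d\n",
               inputs[i], v.peek, v.offset, v.out_of_bounds,
               f.peek, f.offset, f.out_of_bounds);
    }
    return 0;
}
```

Compile with `cc -Wall -o section section.c` and run it: for `BODY[P` the vulnerable variant reports an offset of 10 on a six-byte string, the fixed variant stays at 5 and treats the `P` as the start of an ordinary section. Note that `BODY[PEEK[1]` is accepted as a peek by both variants, because neither checks which of the two outer prefixes matched; that is a parsing laxity rather than a memory-safety problem.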

Revision history for this message
Henrique de Moraes Holschuh (hmh) wrote: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

On Wed, 24 Nov 2004, Martin Schulze wrote:
> CAN-2004-1015 missing. Not sure if the version in ubuntu or unstable is
> vulnerable, though.

I didn't know about that one. Any references? Google is useless for things
like this, and the CVE database is totally useless for CAN references (which
is quite aggravating).

> Henrique, please mention the respective CVE Id in the proper changelog

I usually do. In this case, I did as well, although I didn't bother
repeating them on the 2.1.17-1 entry (since they are in 2.1.16-11).

On a related note, I will not pretend I even remotely understood how the
flag[nflags++] code could be a security hole *on 2.1.16*, unless something
is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
xstrdup doesn't appear to touch flag or nflags at all, and its args don't
reference either. I'd appreciate if someone explained where the hole is to
me.

Here are the changelogs:

cyrus21-imapd (2.1.17-1) unstable; urgency=high

  * New upstream source
    * SECURITY FIX:
      Detect and avoid buffer overflow on SASL canonical processing
  * SECURITY FIX (from Ubuntu, thanks to Martin Pitt
    <email address hidden>): fixed two incarnations of "flag[nflags++]
    = xstrdup(...)"; the value of nflags within functions called by
    xstrdup() is undefined and different gcc versions handle this
    differently (closes: #282681)

 -- Henrique de Moraes Holschuh <email address hidden> Tue, 23 Nov 2004 19:19:56 -0200

cyrus21-imapd (2.1.16-11) unstable; urgency=high

  * SECURITY FIX: Exploitable remotely. Could cause root compromise.
    CAN-2004-1012, CAN-2004-1013. Backport of upstream 2.2.x fixes to
    2.1.16 by David Carter (closes: #282619)
  * Possible security fix: don't assume long lines have a null in them. from
    Philip Chambers <email address hidden>. Backported from 2.2.9
  * Change suggested DEB_BUILD_OPTIONS for debugging in README.Debian.debug
  * Add note about really meaning it when I tell people to pay attention to
    their new SASLv2 setup in UPGRADE.Debian (closes: #277072)
  * Always remove all dpkg-statusoverride entries, even if the user request
    that the spool directories not be removed (closes: #231068)

 -- Henrique de Moraes Holschuh <email address hidden> Tue, 23 Nov 2004 10:43:11 -0200

> entry and please let me know which version in unstable fixes the problems.

2.1.17-1 fixes all problems reported by e-matters GmbH on 2004-11-22. As
far as I understood things, so does 2.1.16-11. I have no idea about this
CAN-2004-1015, though. And apparently, nor does Cyrus upstream, so please
send us the references...

Note that there was a SASL buffer overflow fix on upstream CVS, for which I
had no CVE references. I have no idea if it was just a bad behaviour fix, or
a security hole fix. Maybe this is CAN-2004-1015?

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 11:07:30 +0100
From: Martin Schulze <email address hidden>
To: Martin Pitt <email address hidden>
Cc: Debian Bug Tracking System <email address hidden>,
 <email address hidden>
Subject: Re: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

[Attachment: patch.CAN-2004-1012.cyrus-impad]

diff -u cyrus-imapd-1.5.19/imap/imapd.c cyrus-imapd-1.5.19/imap/imapd.c
--- cyrus-imapd-1.5.19/imap/imapd.c
+++ cyrus-imapd-1.5.19/imap/imapd.c
@@ -1530,7 +1530,7 @@
      else if (!strncmp(fetchatt.s, "BODY[", 5) ||
        !strncmp(fetchatt.s, "BODY.PEEK[", 10)) {
   p = section = fetchatt.s + 5;
- if (*p == 'P') {
+ if (!strncmp(p, "PEEK[", 5)) {
       p = section += 5;
   }
   else {
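Review bot: the new `strncmp(p, "PEEK[", 5)` guard only looks at the five bytes after the opening prefix, not at which branch of the outer test matched, so an attribute such as `BODY[PEEK[1]` passes `!strncmp(fetchatt.s, "BODY[", 5)` and is then parsed as if it were `BODY.PEEK[1]`. That is the same laxity the old `*p == 'P'` test had, now needing five bytes instead of one, and it is safe for bounds (the `p = section += 5` advance only happens after five bytes are known to be present, and strncmp stops at a NUL), but if only the two spellings named in the outer test are meant to be accepted, derive the section offset from that test (5 for `BODY[`, 10 for `BODY.PEEK[`) instead of re-scanning `p`.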
@@ -1888,7 +1888,7 @@
     else if (!strncmp(data, "body[", 5) ||
       !strncmp(data, "body.peek[", 10)) {
  p = section = data + 5;
- if (*p == 'p') {
+ if (!strncmp(p, "peek[", 5)) {
      p = section += 5;
  }
  else {
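Review bot: this is the lower-case twin of the previous hunk on the `data` buffer, and it keeps the same behaviour: `body[peek[1]` is accepted as a peek, and a mixed-case `body[PEEK[` falls into the `else` branch just as `Body[` already fails the outer `!strncmp(data, "body[", 5)`, so there is no regression, only duplicated logic. Since the two sites differ only in case, a single helper taking the attribute and its matched prefix length and returning the section start would let a later fix land in one place; the `else` branch that handles the non-peek case lies outside the hunk, and any remaining arithmetic on `section` there is what still needs review.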
diff -u cyrus-imapd-1.5.19/debian/changelog cyrus-imapd-1.5.19/debian/changelog
--- cyrus-imapd-1.5.19/debian/changelog
+++ cyrus-ima...


Revision history for this message
Martin Schulze (joey-infodrom) wrote:

Henrique de Moraes Holschuh wrote:
> On Wed, 24 Nov 2004, Martin Schulze wrote:
> > CAN-2004-1015 missing. Not sure if the version in ubuntu or unstable is
> > vulnerable, though.
>
> I didn't know about that one. Any references? Google is useless for things
> like this, and the CVE database is totally useless for CAN references (which
> is quite aggravating).

Both Google and CVE are usually quite helpful with this, except for the
cases where the CAN is not yet published.

The text for it is:

        "Proxyd.c contains a IMAPMAGICPLUS overflow in its
        proxyd_canon_user function fixed in 2.2.10."

> he noticed that the patch to 2.2.9 is incomplete. Proxyd.c contains
> the same IMAPMAGICPLUS overflow in its proxyd_canon_user function.

This is fixed in 2.2.10 now.

> On a related note, I will not pretend I even remotely understood how the
> flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> reference either. I'd appreciate if someone explained where the hole is to
> me.

The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
and try to clean up the variable where the new memory was supposed to end
up.

> 2.1.17-1 fixes all problems reported by e-matters GmbH on 2004-11-22. As
> far as I understood things, so does 2.1.16-11. I have no idea about this
> CAN-2004-1015, though. And apparently, nor does Cyrus upstream, so please
> send us the references...

It came from Cyrus upstream and went into 2.2.10.

> Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> had no CVE references. I have no idea if it was just a bad behaviour fix, or
> a security hole fix. Maybe this is CAN-2004-1015?

Could that be DSA 563 alias CAN-2004-0884?

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Revision history for this message
Martin Pitt (pitti) wrote:

Hi!

Martin Schulze [2004-11-24 11:07 +0100]:
> CAN-2004-1015 missing. Not sure if the version in ubuntu or unstable is
> vulnerable, though.

No, it isn't; I checked. The whole code part that contains this bug
apparently did not appear until version 2.2.

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Henrique de Moraes Holschuh (hmh) wrote:

On Wed, 24 Nov 2004, Martin Schulze wrote:
> Both Google and CVE are usually quite helpful with this, except for the
> cases where the CAN is not yet published.

Which is exactly when I need them, to track down the references and fix the
packages. Well, as long as people tell me the CAN number and a reference to
what the bug is in the first place...

> > On a related note, I will not pretend I even remotely understood how the
> > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > reference either. I'd appreciate if someone explained where the hole is to
> > me.
>
> The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> and try to clean up the variable where the new memory was supposed to end
> up.

There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

> > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > a security hole fix. Maybe this is CAN-2004-1015?
>
> Could that be DSA 563 alias CAN-2004-0884?

No. It is related to mysasl_canon_user, and it was not in my tree yet. See
the attached patch.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Revision history for this message
Martin Schulze (joey-infodrom) wrote:

Henrique de Moraes Holschuh wrote:
> > > On a related note, I will not pretend I even remotely understood how the
> > > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > > reference either. I'd appreciate if someone explained where the hole is to
> > > me.
> >
> > The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> > and try to clean up the variable where the new memory was supposed to end
> > up.
>
> There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

Sorry, it's xzmalloc() and xstrdup(). I wrote from memory without checking
the code again.

> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> >
> > Could that be DSA 563 alias CAN-2004-0884?
>
> No. It is related to mysasl_canon_user, and it was not in my tree yet. See
> the attached patch.

I see. I'll poke MITRE. If a CVE Id is assigned, I'll pass it
on to you.

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/
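The C evaluation-order rule behind the changelog wording "the value of nflags within functions called by xstrdup() is undefined", as an added example. This is not Cyrus code: whether this rule is actually what made `flag[nflags++] = xstrdup(...)` a problem in cyrus 2.1.16 is questioned in the thread above and is not settled here. The example only shows the language behaviour itself: the operands of an assignment are unsequenced, so a compiler may apply the `nflags++` side effect before or after the call on the right-hand side, which is observable only if the callee can read `nflags`. To make that observable, the counter lives at file scope and the callee `dup_checked` (a hypothetical checked duplicator, an assumption of this example, not Cyrus's `xstrdup`) reads it; `copy_string`, `add_flag_unsequenced`, `add_flag_sequenced` and the sample flag names are likewise constructed for the illustration.

```c
/* Added example, not Cyrus code: the C evaluation-order hazard behind the
 * changelog line "flag[nflags++] = xstrdup(...)".  The two operands of an
 * assignment are unsequenced, so the compiler may apply the nflags++ side
 * effect either before or after the call on the right-hand side.  The order
 * is unspecified, not undefined, and it is only observable if the callee can
 * read nflags, which is why this model keeps the counter at file scope and
 * uses a hypothetical checked duplicator (dup_checked) that consults it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAGMAX 4

static char *flag[FLAGMAX];
static int nflags = 0;
static int seen_by_callee = -1;   /* nflags as observed inside dup_checked */

/* Plain malloc+memcpy copy, so the example does not depend on strdup's
 * feature-test macros. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Hypothetical duplicator that refuses to grow the list past FLAGMAX by
 * reading the shared counter.  Which value it sees depends on whether the
 * enclosing expression incremented nflags before or after the call. */
static char *dup_checked(const char *s)
{
    seen_by_callee = nflags;
    if (nflags >= FLAGMAX) return NULL;
    return copy_string(s);
}

static void reset_flags(void)
{
    for (int i = 0; i < nflags; i++) free(flag[i]);
    nflags = 0;
    seen_by_callee = -1;
}

static int count_flags(void) { return nflags; }
static const char *flag_at(int i) { return (i >= 0 && i < nflags) ? flag[i] : NULL; }

/* The shape from the changelog.  Used here only on an empty list, so the
 * store stays in bounds whichever order the compiler chose; the return value
 * reports what the callee saw (0 or 1). */
static int add_flag_unsequenced(const char *s)
{
    flag[nflags++] = dup_checked(s);
    return seen_by_callee;
}

/* Safe shape: bounds check, call, store and increment as separate full
 * expressions, so the callee always sees the pre-increment count and the
 * array index is never computed from a counter the callee may be reading. */
static int add_flag_sequenced(const char *s)
{
    if (nflags >= FLAGMAX) return -1;
    char *copy = dup_checked(s);
    if (copy == NULL) return -1;
    flag[nflags] = copy;
    nflags++;
    return seen_by_callee;
}

/* Runs the unsequenced form once from an empty list; returns the value the
 * callee observed when that outcome is one of the two legal ones, else -1. */
static int unsequenced_outcome(void)
{
    reset_flags();
    int seen = add_flag_unsequenced("\\Flagged");
    int ok = (seen == 0 || seen == 1) && count_flags() == 1 && flag_at(0) != NULL;
    return ok ? seen : -1;
}

int main(void)
{
    int seen = unsequenced_outcome();
    printf("unsequenced: callee saw nflags == %d (%s)\n", seen,
           seen == 1 ? "incremented before the call" : "incremented after the call");
    reset_flags();
    const char *sample[] = {"\\Seen", "\\Draft", "\\Answered", "\\Deleted", "$Junk"};
    for (int i = 0; i < 5; i++)
        printf("sequenced: add %-10s -> callee saw %d\n", sample[i], add_flag_sequenced(sample[i]));
    reset_flags();
    return 0;
}
```

Build it twice, once with `-O0` and once with `-O2`, and compare the first line of output: the unsequenced form is allowed to print either 0 or 1 and the program is correct either way, which is exactly why code that relies on the callee seeing a particular value is a portability bug that a compiler upgrade can turn into a misbehaviour. The sequenced form gives a fixed answer and keeps the bounds check ahead of every access to `flag[]`.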

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 11:58:33 +0100
From: Martin Schulze <email address hidden>
To: Henrique de Moraes Holschuh <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Henrique de Moraes Holschuh wrote:
> On Wed, 24 Nov 2004, Martin Schulze wrote:
> > CAN-2004-1015 missing. Not sure if the version in ubuntu or unstable is
> > vulnerable, though.
>
> I didn't know about that one. Any references? Google is useless for things
> like this, and the CVE database is totally useless for CAN references (which
> is quite aggravating).

Both Google and CVE are usually quite helpful with this, except for the
cases where the CAN is not yet published.

The text for it is:

        "Proxyd.c contains a IMAPMAGICPLUS overflow in its
        proxyd_canon_user function fixed in 2.2.10."

> he noticed that the patch to 2.2.9 is incomplete. Proxyd.c contains
> the same IMAPMAGICPLUS overflow in its proxyd_canon_user function.

This is fixed in 2.2.10 now.

> On a related note, I will not pretend I even remotely understood how the
> flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> reference either. I'd appreciate if someone explained where the hole is to
> me.

The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
and try to clean up the variable where the new memory was supposed to end
up.

> 2.1.17-1 fixes all problems reported by e-matters GmbH on 2004-11-22. As
> far as I understood things, so does 2.1.16-11. I have no idea about this
> CAN-2004-1015, though. And apparently, nor does Cyrus upstream, so please
> send us the references...

It came from Cyrus upstream and went into 2.2.10.

> Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> had no CVE references. I have no idea if it was just a bad behaviour fix, or
> a security hole fix. Maybe this is CAN-2004-1015?

Could that be DSA 563 alias CAN-2004-0884?

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 09:31:44 -0200
From: Henrique de Moraes Holschuh <email address hidden>
To: Martin Schulze <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13


On Wed, 24 Nov 2004, Martin Schulze wrote:
> Both Google and CVE are usually quite helpful with this, except for the
> cases where the CAN is not yet published.

Which is exactly when I need them, to track down the references and fix the
packages. Well, as long as people tell me the CAN number and a reference to
what the bug is in the first place...

> > On a related note, I will not pretend I even remotely understood how the
> > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > reference either. I'd appreciate if someone explained where the hole is to
> > me.
>
> The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> and try to clean up the variable where the new memory was supposed to end
> up.

There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

> > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > a security hole fix. Maybe this is CAN-2004-1015?
>
> Could that be DSA 563 alias CAN-2004-0884?

No. It is related to mysasl_canon_user, and it was not in my tree yet. See
the attached patch.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Index: imap/config.c
===================================================================
RCS file: /home/cvs/debian/cyrus21-imapd/imap/config.c,v
retrieving revision 1.1.1.10
retrieving revision 1.1.1.11
diff -u -r1.1.1.10 -r1.1.1.11
--- imap/config.c 14 Apr 2003 20:31:36 -0000 1.1.1.10
+++ imap/config.c 23 Nov 2004 19:12:45 -0000 1.1.1.11
@@ -39,7 +39,7 @@
  *
  */

-/* $Id: config.c,v 1.66 2003/04/14 20:31:36 rjs3 Exp $ */
+/* $Id: config.c,v 1.66.2.1 2004/11/23 19:12:45 shadow Exp $ */

 #include <config.h>

@@ -410,12 +410,12 @@
  return SASL_BADAUTH;
     }
     *out_ulen = strlen(canonuser);
- if(*out_ulen > out_max) {
+ if(*out_ulen >= out_max) {
  sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  return SASL_BUFOVER;
     }

- strncpy(out, canonuser, out_max);
+ strcpy(out, canonuser);

     return SASL_OK;
 }
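Review bot: the change from `>` to `>=` is the actual fix here, and the switch to `strcpy` is only safe because of it: with `> out_max`, the case `strlen(canonuser) == out_max` passed the check and `strncpy(out, canonuser, out_max)` then filled the whole buffer without writing a terminating NUL, so any later use of `out` as a C string read past its end. With `>= out_max` the terminator always fits. Two smaller points: `*out_ulen` is assigned before the check, so on `SASL_BUFOVER` the caller sees a length larger than the buffer it passed in (consider setting it only on success), and the same check-and-copy sequence appears again in the hunk at line 590, so a small shared helper would keep the two copies from drifting apart in future fixes.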
@@ -590,12 +590,12 @@
   return SASL_BADAUTH;
     }
     *out_ulen = strlen(canon_requser);
- if(*out_ulen > out_max) {
+ if(*out_ulen >= out_max) {
  sasl_seterror(conn, 0, "buffer overflow while canonical...
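The boundary change in the attached patch, reproduced as an added stand-alone C example that is not Cyrus code: the function names, return codes and the sample user name are illustrative, and the real mysasl_canon_user also resolves the user through SASL and reports via sasl_seterror().

```c
/* Added example, not from Cyrus: the tail of mysasl_canon_user before and
 * after the patch, reduced to the length check and the copy. */
#include <stdio.h>
#include <string.h>

#define CANON_OK      0   /* stands in for SASL_OK */
#define CANON_BUFOVER 1   /* stands in for SASL_BUFOVER */

/* Before the patch: len == out_max passes the check, strncpy() then copies
 * out_max bytes and never writes a NUL, so `out` is no longer a C string. */
int canon_copy_before(const char *canonuser, char *out, unsigned out_max,
                      unsigned *out_ulen)
{
    *out_ulen = strlen(canonuser);
    if (*out_ulen > out_max)
        return CANON_BUFOVER;
    strncpy(out, canonuser, out_max);
    return CANON_OK;
}

/* After the patch: reject len >= out_max, so strcpy() always has room
 * for the terminating NUL. */
int canon_copy_after(const char *canonuser, char *out, unsigned out_max,
                     unsigned *out_ulen)
{
    *out_ulen = strlen(canonuser);
    if (*out_ulen >= out_max)
        return CANON_BUFOVER;
    strcpy(out, canonuser);
    return CANON_OK;
}

/* Returns 1 if a NUL terminator lies within the first `max` bytes of `buf`. */
int is_terminated(const char *buf, unsigned max)
{
    return memchr(buf, '\0', max) != NULL;
}

int main(void)
{
    char out[8];
    unsigned ulen;
    const char *user = "abcdefgh";  /* constructed: exactly sizeof out bytes */

    memset(out, 'X', sizeof out);
    int rc = canon_copy_before(user, out, sizeof out, &ulen);
    printf("before: rc=%d terminated=%d\n", rc, is_terminated(out, sizeof out));

    memset(out, 'X', sizeof out);
    rc = canon_copy_after(user, out, sizeof out, &ulen);
    printf("after:  rc=%d terminated=%d\n", rc, is_terminated(out, sizeof out));
    return 0;
}
```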


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 12:44:19 +0100
From: Martin Schulze <email address hidden>
To: Henrique de Moraes Holschuh <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Henrique de Moraes Holschuh wrote:
> > > On a related note, I will not pretend I even remotely understood how the
> > > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > > reference either. I'd appreciate if someone explained where the hole is to
> > > me.
> >
> > The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> > and try to clean up the variable where the new memory was supposed to end
> > up.
>
> There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

Sorry, it's xzmalloc() and xstrdup(). I wrote from memory without checking
the code again.

> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> >
> > Could that be DSA 563 alias CAN-2004-0884?
>
> No. It is related to mysasl_canon_user, and it was not in my tree yet. See
> the attached patch.

I see. I'll poke MITRE. If a CVE Id will be assigned, I'll pass it
on to you.

Regards,

 Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Revision history for this message
Matt Zimmerman (mdz) wrote :

Martin, please watch for these bugs coming into bugzilla and deal with them
appropriately

Revision history for this message
Martin Pitt (pitti) wrote :

Was already fixed in -10ubuntu1. Fixed in Debian as well, I asked for syncing.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 29 Nov 2004 19:50:17 +0100
From: Martin Schulze <email address hidden>
To: Henrique de Moraes Holschuh <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Henrique de Moraes Holschuh wrote:
> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> >
> > Could that be DSA 563 alias CAN-2004-0884?
>
> No. It is related to mysasl_canon_user, and it was not in my tree yet. See
> the attached patch.

Please use CAN-2004-1067 for the new SASL bug. Please add this id to
the proper changelog entry with the next upload.

Am I right that it doesn't affect woody?

Regards,

 Joey

--
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 02:38:47 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge

reopen 282681
tags 282681 +sarge
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 5 Jan 2005 02:37:33 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed packages reach testing today


# libxml-libxml-perl
tags 277469 -sarge
tags 277469 +fixed

# cyrus21-imapd
tags 282681 -sarge
close 282681
thanks

-- 
Steve Langasek
postmodern programmer


Changed in cyrus21-imapd:
status: Unknown → Fix Released