Comment 0 for bug 10608

Package: cyrus21-imapd
Version: 2.1.16-10
Severity: critical
Tags: security patch
Justification: root security hole

Hi!

At least sarge's and sid's versions are vulnerable to above CANs and
some additional issue described in

 http://security.e-matters.de/advisories/152004.html

I fixed Ubuntu using the interdiff at

  http://patches.ubuntu.com/patches/cyrus21-imapd.CAN-2004-1012+13.diff

Please fix this as soon as possible since this is a root security
hole. Please also check whether woody is vulnerable, I did not do
this.

My changelog:

------------------- snip -----------------
 cyrus21-imapd (2.1.16-10ubuntu1) hoary; urgency=low
 .
   * SECURITY UPDATE: fix several potential buffer overflows
   * imap/imapd.c:
     - cmd_fetch(), cmd_partial(): fixed insufficient checking of the command
       string: the command "body[p"/"BODY[P" was recognized as
       "body.peek"/"BODY.PEEK" which caused an incrementation of the command
       buffer pointer beyond the allocated memory
     - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
       nflags within functions called by xstrdup() is undefined and different
       gcc versions handle this differently
   * Note: this version is not vulnerable to CAN-2004-1011
   * References:
     CAN-2004-1012, CAN-2004-1013
     http://security.e-matters.de/advisories/152004.html
------------------- snip -----------------

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org