Comment 17 for bug 10608

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Wed, 24 Nov 2004 09:31:44 -0200
From: Henrique de Moraes Holschuh <email address hidden>
To: Martin Schulze <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>,
 <email address hidden>
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13


On Wed, 24 Nov 2004, Martin Schulze wrote:
> Both Google and CVE are usually quite helpful with this, except for the
> cases where the CAN is not yet published.

Which is exactly when I need them, to track down the references and fix the
packages. Well, as long as people tell me the CAN number and a reference to
what the bug is in the first place...

> > On a related note, I will not pretend I even remotely understood how the
> > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > is buggy enough to think nflags++ is the same as ++nflags... On 2.1.x,
> > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > reference either. I'd appreciate if someone explained where the hole is to
> > me.
>
> The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> and try to clean up the variable where the new memory was supposed to end
> up.

There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

> > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > a security hole fix. Maybe this is CAN-2004-1015?
>
> Could that be DSA 563 alias CAN-2004-0884?

No. It is related to mysasl_canon_user, and it was not in my tree yet. See
the attached patch.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Content-Disposition: attachment; filename=foo

Index: imap/config.c
===================================================================
RCS file: /home/cvs/debian/cyrus21-imapd/imap/config.c,v
retrieving revision 1.1.1.10
retrieving revision 1.1.1.11
diff -u -r1.1.1.10 -r1.1.1.11
--- imap/config.c 14 Apr 2003 20:31:36 -0000 1.1.1.10
+++ imap/config.c 23 Nov 2004 19:12:45 -0000 1.1.1.11
@@ -39,7 +39,7 @@
  *
  */

-/* $Id: config.c,v 1.66 2003/04/14 20:31:36 rjs3 Exp $ */
+/* $Id: config.c,v 1.66.2.1 2004/11/23 19:12:45 shadow Exp $ */

 #include <config.h>

@@ -410,12 +410,12 @@
  return SASL_BADAUTH;
     }
     *out_ulen = strlen(canonuser);
- if(*out_ulen > out_max) {
+ if(*out_ulen >= out_max) {
  sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  return SASL_BUFOVER;
     }

- strncpy(out, canonuser, out_max);
+ strcpy(out, canonuser);

     return SASL_OK;
 }
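Review bot: the fix in this hunk is correct but fragile, because the `strcpy(out, canonuser)` is only safe as long as the `*out_ulen >= out_max` check just above it stays in place; a later edit to the check silently reintroduces the unterminated-copy problem of the old `>` / `strncpy` pair. Prefer a copy that is bounded on its own, for example `strncpy(out, canonuser, out_max); out[out_max - 1] = '\0';` after the check, so that termination does not depend on a comparison elsewhere. The message "buffer overflow while canonicalizing" is also slightly misleading now that the branch fires before any overflow occurs.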
@@ -590,12 +590,12 @@
   return SASL_BADAUTH;
     }
     *out_ulen = strlen(canon_requser);
- if(*out_ulen > out_max) {
+ if(*out_ulen >= out_max) {
  sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
  return SASL_BUFOVER;
     }

- strncpy(out_user, canon_requser, out_max);
+ strcpy(out_user, canon_requser);

     return SASL_OK;
 }
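Review bot: this hunk is a verbatim copy of the check-and-copy sequence from the `@@ -410` hunk, and the same off-by-one had to be fixed in both places; factor the length check, `sasl_seterror()` and copy into one small helper used by both canon_user callbacks so the two call sites cannot drift apart again.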

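The off-by-one the attached patch corrects, shown as an added stand-alone C example (not code from the cyrus21-imapd package): the pre-patch `>` check lets a canonical user name of exactly `out_max` bytes through, and `strncpy` then fills the buffer with no terminating NUL. The `SASL_*` values and the 8-byte buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SASL_OK      0
#define SASL_BUFOVER (-1)   /* constructed stand-in for the real SASL code */

/* Before the patch: the check allows strlen(canonuser) == out_max, and
 * strncpy then copies out_max bytes with no room left for the NUL. */
int canon_copy_before(const char *canonuser, char *out,
                      unsigned out_max, unsigned *out_ulen)
{
    *out_ulen = strlen(canonuser);
    if (*out_ulen > out_max)
        return SASL_BUFOVER;
    strncpy(out, canonuser, out_max);
    return SASL_OK;
}

/* After the patch: reject unless the name plus its NUL fits, which
 * is exactly the condition that makes the following strcpy safe. */
int canon_copy_after(const char *canonuser, char *out,
                     unsigned out_max, unsigned *out_ulen)
{
    *out_ulen = strlen(canonuser);
    if (*out_ulen >= out_max)
        return SASL_BUFOVER;
    strcpy(out, canonuser);
    return SASL_OK;
}

/* Run one copy into a constructed 8-byte buffer and classify the result:
 * 0 = rejected, 1 = copied and NUL-terminated, 2 = copied but unterminated. */
int outcome(int (*copy)(const char *, char *, unsigned, unsigned *),
            const char *name)
{
    char out[8];
    unsigned len = 0;
    memset(out, 'X', sizeof out);          /* no accidental NUL inside */
    if (copy(name, out, sizeof out, &len) != SASL_OK)
        return 0;
    return memchr(out, '\0', sizeof out) ? 1 : 2;
}

int main(void)
{
    /* Exactly 8 bytes: before -> 2 (unterminated), after -> 0 (rejected). */
    printf("before: %d, after: %d\n",
           outcome(canon_copy_before, "abcdefgh"),
           outcome(canon_copy_after, "abcdefgh"));
    return 0;
}
```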