OpenPKG Security Advisory
OpenPKG-SA-2004.051
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2004.051 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2004.051 Advisory Published: 2009-07-05 03:54 UTC Issue Id (internal): OpenPKG-SI-20041129.01 Issue First Created: 2004-11-29 Issue Last Modified: 2006-11-28 Issue Revision: 06
Subject Name: IMAPd Subject Summary: Cyrus IMAP Server Subject Home: http://asg.web.cmu.edu/cyrus/imapd/ Subject Versions: * <= 2.2.9 Vulnerability Id: CVE-2004-1011, CVE-2004-1012, CVE-2004-1013, CVE-2004-1015 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: arbitrary code execution Description: According to a security advisory from Stefan Esser [0], several vulnerabilities exist in Cyrus imapd. The updated OpenPKG packages fix all these problems. When the option "IMAPMAGICPLUS" is activated on a server, the "PROXY" and "LOGIN" commands suffer a standard stack overflow, because the username is not checked against a maximum length. CVE-2004-1011 Due to a bug within the argument parser of the "PARTIAL" command buffer positions outside the allocated memory buffer may be accessed. CVE-2004-1012 The argument parser of the "FETCH" command suffers a similar bug. CVE-2004-1013 Under memory allocation failure conditions the "cmd_append" handler supporting "MULTIAPPENDS" may enter code paths doing post increments whose behavior is undefined in ANSI C. The same function also suffers from a integer wrap. No CVE id. Another "IMAPMAGICPLUS" overflow was later discovered by Thomas Klaeger in proxyd.c "proxyd_canon_user" function. CVE-2004-1015 Sebastian Krahmer mentioned a missing NUL-termination in global.c and provided a patch. No CVE id. References: [0] http://security.e-matters.de/advisories/152004.html [1] http://asg.web.cmu.edu/cyrus/imapd/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1011 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1012 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1013 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1015 [6] http://www.openpkg.org/tutorial.html#regular-source [7] http://www.openpkg.org/tutorial.html#regular-binary [8] ftp://ftp.openpkg.org/release/2.2/UPD/imapd-2.2.8-2.2.1.src.rpm [9] ftp://ftp.openpkg.org/release/2.1/UPD/imapd-2.2.6-2.1.1.src.rpm [10] ftp://ftp.openpkg.org/release/2.2/UPD/ [11] ftp://ftp.openpkg.org/release/2.1/UPD/ [12] http://www.openpkg.org/security.html#signature
Primary Package Name: imapd Primary Package Home: http://openpkg.org/go/package/imapd Affected Distribution: Affected Branch: Affected Package: OpenPKG Community 2.1-SOLID imapd-2.2.6-2.1.0 OpenPKG Community 2.2-SOLID imapd-2.2.8-2.2.0 OpenPKG Community CURRENT imapd-2.2.9-20041123 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Community 2.1-SOLID imapd-2.2.6-2.1.1 OpenPKG Community 2.2-SOLID imapd-2.2.8-2.2.1 OpenPKG Community CURRENT imapd-2.2.10-20041124
