Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-1013: cyrus-imapd multiple remote vulnerabilities | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-1013: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |

Attachments:
- imapd-bugdemo.tgz
- my patch proposal for 2.2.8
- New patch, obsoleting old one
- the patch upstream is using
- patchinfo-file box
- patchinfo for maintained
- New patch fixing same bugs which showed also up in proxyd.c

Description
Marcus Meissner
2004-11-12 21:37:49 UTC
see attachment
Here are some CVE names. Please can you let the Cyrus folks know, with
issues that are this serious it's worth trying to get upstream to use the
CVE names too.
Because of the different affected versions this needs three names
> [01 - Cyrus IMAP Server - IMAPMAGICPLUS preauthentification overflow]
CAN-2004-1011
> [02 - Cyrus IMAP Server - PARTIAL out of bounds memory corruption]
CAN-2004-1012
> [03 - Cyrus IMAP Server - FETCH out of bounds memory corruption]
CAN-2004-1013
CRD originally 24.11.2004, but most likely will be released next week by cyrus-imapd team.
No patches yet, inquiring...
Created attachment 26056 [details]
imapd-bugdemo.tgz
Created attachment 26089 [details]
my patch proposal for 2.2.8
Please comment
Created attachment 26093 [details]
New patch, obsoleting old one
...
from readme in imapd-bugdemo.tgz:
- cmd_fetch.output - this is the return value on a test server
clearly the OK line after the 2nd BAD line
is wrong. Without the bug OK line would be
like the 1st BAD line
where this is the content of cmd_fetch.output:
* OK XXXXX Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-10 server ready
0 OK Anonymous access granted
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1099606002]
* OK [UIDNEXT 1]
0 OK [READ-WRITE] Completed
0 BAD Invalid body section
0 BAD Invalid Fetch attribute BODY.P11111111111111]
0 NO No matching messages
* BYE LOGOUT received
0 OK Completed
So what OK line after the 2nd BAD line might be talked about???
Or is that a typo and the "NO" line after the 2nd BAD line is meant?
packages submitted
Created attachment 26228 [details]
the patch upstream is using
This is exactly the patch we sent to the maintainers, except they
handle oversized packets by a 'return' rather than truncating.
Could you please go ahead with the build and apply the patches to the other
versions too?
Created attachment 26239 [details]
patchinfo-file box
...
Created attachment 26240 [details]
patchinfo for maintained
...
Ok, so everything should be in place. Could you please tell suse-dist? I thought SWAMP would do this automatically but anyway.
is public now.
Created attachment 26347 [details]
New patch fixing same bugs which showed also up in proxyd.c
...
Could you please submit new sources? We got reports via vendor-sec that the same bug was contained in proxyd.c. I attached new fix, and also sent it to vendor-sec to see what they say. Patchinfos are the same except you need to add a newline or a space somewhere for the md5 sum.
Should I reject the patchinfo? Markus just told me about this additional patch (I didn't see it, as I was not in CC)
Okay, submitted 9.2 and SLES9 versions:
/work/src/done/9.2/cyrus-imapd
/work/src/done/SLES9/cyrus-imapd
the older versions do not have support for IMAPMAGICPLUS and/or do not have imap/global.c
Please also do not forget to add this documentation to the SLES9 version of the cyrus-imapd update:
-----------------------------------------------------------------------------
Fixes for the sieve vacation functionality. Existing sieve scripts must be recompiled when installing this update, e.g. using the tool masssievec. These commands can be used to do that:

    find /var/lib/sieve -name "*.bc" | xargs rm -v
    su - cyrus -c '/usr/share/doc/packages/cyrus-imapd/tools/masssievec \
        /usr/lib/cyrus/bin/sievec'

It is recommended to make a backup of /var/lib/sieve, first.

Ok, so everything should be in place, yet I don't see it on patch-status. Could you please inform suse-dist? (I am submitting patchinfo files right now). For the non-security docs, this is something the documenters need to know.
Patchinfos submitted.
Ah, I see the SLES cyrus on patchstatus, but I think you need to re-submit the 8.1, 8.2 and so on since it has been rejected because of the missing fix for the 9.2. Patchinfo is there, you can also use the same fix. Sorry for the mess.
resubmit the package without changes to /work/src/done???
please leave everything as-is, all is fine, patchinfos are complete and in QA already...
packages approved.
advisory will be released tomorrow.
CVE-2004-1013: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)