Bug 65795 (CVE-2005-0546)

Summary: VUL-0: CVE-2005-0546: cyrus-imapd: bugfix release
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Carsten Hoeger <choeger>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2005-0546: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patchinfo.cyrus-imapd, patchinfo-box.cyrus-imapd

Description Thomas Biege 2005-02-14 17:21:58 UTC
... and here it is. 
 
From: Derrick J Brashear <shadow@andrew.cmu.edu> 
Subject: Cyrus IMAPd 2.2.11 Released 
To: info-cyrus@andrew.cmu.edu, post+comp.mail.imap@andrew.cmu.edu 
Date: Mon, 14 Feb 2005 02:14:44 -0500 (EST) 
 
I'm pleased to announce the release of Cyrus IMAPd 2.2.11.  This release
implements several bugfixes, including one byte buffer overruns in the
imap annotate extension and in cached header handling which can be run by
any authenticated user, and bounds checking in fetchnews which could be
exploited by a peer news admin.
 
It contains no new features. 
 
A full list of changes is available in doc/changes.html in the 
distribution. 
 
Download the release at: 
ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz 
or 
http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz 
 
Thanks to Sean Larsson for the reports on the buffer overflows. 
 
Derrick Brashear 
---
Comment 1 Thomas Biege 2005-02-14 17:21:58 UTC
Comment 2 Carsten Hoeger 2005-02-14 18:12:53 UTC
Btw.: This bug also applies to ALL older maintained releases of SuSE.*Linux
Comment 3 Thomas Biege 2005-02-14 21:44:36 UTC
 SM-Tracker-382 
Comment 4 Thomas Biege 2005-02-14 21:57:53 UTC
Created attachment 28462
patchinfo.cyrus-imapd
Comment 5 Thomas Biege 2005-02-14 21:58:12 UTC
Created attachment 28463
patchinfo-box.cyrus-imapd
Comment 6 Thomas Biege 2005-02-14 21:58:40 UTC
please proof-read the patchinfo files before you submit them. thanks.
Comment 7 Marcus Meissner 2005-02-21 08:59:58 UTC
Hello folks, 
 
We recently received a report that Sean Larsson 
(infamous42md@hotpop.com) has discovered several potential 
vulnerabilities in the Cyrus IMAP server.  Sean's advisory can be 
found at the following location: 
 
<http://www.infsec.net/cyrus_advisory.txt.gz> 
 
We are currently tracking these issues as follows: 
 
VU#209713 - Cyrus imapd contains buffer overflow in fetchnews component 
VU#822113 - Cyrus imapd contains buffer overflow in cmd_xfer() 
VU#246593 - Cyrus imapd contains buffer overflow in backend_connect() 
VU#674801 - Cyrus imapd contains buffer overflow in mailbox_cached_header() 
 
The Cyrus Project has also recently announced updated versions of the 
software containing patches for these issues: 
 
Comment 8 Marcus Meissner 2005-02-21 09:00:40 UTC
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33724 
 
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33733 
 
Since these issues are already publicly known and patches are 
available, we encourage you to incorporate fixes appropriately.  We 
currently do not have any schedule for publication of vulnerability 
notes, but please feel free to send us updates, statements, or 
advisories as you develop them and we will incorporate them into the 
future notes. 
 
If you have any questions or concerns, please don't hesitate to 
contact us. 
 
Best Regards, 
 
Chad 
 
-- 
Chad Dougherty 
Internet Security Analyst    
__________________________________________________________ 
CERT(R) Coordination Center    |             cert@cert.org 
 
Comment 9 Thomas Biege 2005-02-24 11:01:56 UTC
Choeger, 
are you already working on updates? 
Comment 10 Carsten Hoeger 2005-02-24 11:16:34 UTC
Yes.
QA (Heiko) is already testing...
Comment 11 Thomas Biege 2005-02-24 19:39:36 UTC
ok :) 
Comment 12 Marcus Meissner 2005-02-25 08:20:28 UTC
updates and advisory released 
Comment 13 Marcus Meissner 2005-02-25 10:08:03 UTC
dfn-cert spotted a CAN we fixed with this update (annotate_obo.patch):  
  
CAN-2004-1067 - Off-by-one error in mysasl_canon_user()

  an off-by-one error in the function mysasl_canon_user() can be
  exploited to trigger a buffer overflow. Attackers can exploit this
  vulnerability over the network to execute arbitrary code with the
  privileges of the IMAP server by supplying a specially crafted
  username during SASL authentication.

This was already known in December.
Comment 15 Ludwig Nussel 2005-04-06 08:00:42 UTC
need to confirm the CAN number
Comment 16 Ludwig Nussel 2005-04-06 08:02:20 UTC
Carsten, do the patches you applied fully fix CAN-2005-0546?
Comment 17 Carsten Hoeger 2005-04-07 11:27:17 UTC
yes
Comment 18 Ludwig Nussel 2005-04-07 11:28:40 UTC
ok, thanks  
Comment 19 Thomas Biege 2009-10-13 21:06:00 UTC
CVE-2005-0546: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)