First Last Prev Next    This bug is not in your last search results.
Bug 954200 - (CVE-2015-8077) VUL-0: CVE-2015-8077: cyrus-imapd: Integer overflow in range checks
(CVE-2015-8077)
VUL-0: CVE-2015-8077: cyrus-imapd: Integer overflow in range checks
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/158571/
CVSSv2:SUSE:CVE-2015-8077:5.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-09 08:45 UTC by Sebastian Krahmer
Modified: 2016-08-01 09:04 UTC (History)
8 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Swamp Workflow Management 2015-11-09 23:00:24 UTC 
bugbot adjusting priority
Comment 3 Aeneas Jaißle 2015-11-15 17:29:48 UTC 
Created SR#344607 for openSUSE_13.2 and openSUSE_Leap_42.1 (both containing patches for cyrus-imapd 2.4).

Created SR#344608 for openSUSE_Tumleweed (containing cyrus-imapd 2.4)


Does this issue also affect cyrus-imapd 2.3?
Comment 4 Bernhard Wiedemann 2015-11-15 18:00:23 UTC 
This is an autogenerated message for OBS integration:
This bug (954200) was mentioned in
https://build.opensuse.org/request/show/344607 13.2+Leap:42.1 / cyrus-imapd.openSUSE_Leap_42.1_Update+cyrus-imapd_13.2
Comment 5 Sebastian Krahmer 2015-11-16 09:24:43 UTC 
Aeneas, so openSUSE was indeed affected because of the initial
broken fix for CVE-2015-8076 that was applied?
Comment 6 Aeneas Jaißle 2015-11-16 11:52:54 UTC 
(In reply to Sebastian Krahmer from comment #5)
> Aeneas, so openSUSE was indeed affected because of the initial
> broken fix for CVE-2015-8076 that was applied?

Yes, although I didn't test this myself. The broken fix was:
  https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921
  urlfetch: handle range starting outside message size

and was backported to 2.4 (released in 2.4.18) and 2.3 (released in 2.3.19), see
  https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.3&id=5222440300a2fe73a6715cf402764e40ea028153
  https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=56cfe0ac23445697fba2fb19474e443d9efa2d9e

In 2.3.19, we have    
    /* Sanity check the requested size */
    if (size && (offset + size > msg_size))
	n = msg_size - offset;
    else
	n = size

whereas
    unsigned long msg_size = 0;
    ...
    unsigned size, offset = 0, skip = 0;
    int n, r = 0;

,so it looks vulnerable to me.



In the distributions, we have:
  https://build.opensuse.org/package/show/openSUSE:13.1:Update/cyrus-imapd
  => 2.3.19

  https://build.opensuse.org/package/show/openSUSE:13.2:Update/cyrus-imapd
  => 2.4.18

  https://build.opensuse.org/package/show/openSUSE:Leap:42.1/cyrus-imapd
  => 2.4.18
Comment 8 Aeneas Jaißle 2015-11-20 08:40:58 UTC 
https://build.opensuse.org/request/show/345351

Patched 2.3.19 for openSUSE 13.1
Comment 9 Johannes Segitz 2015-11-20 15:10:36 UTC 
(In reply to Aeneas Jaißle from comment #3)
2.3 misses these checks completely, so yes
Comment 10 Swamp Workflow Management 2015-11-27 16:16:33 UTC 
openSUSE-SU-2015:2130-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 954200,954201
CVE References: CVE-2015-8077,CVE-2015-8078
Sources used:
openSUSE Leap 42.1 (src):    cyrus-imapd-2.4.18-3.1
openSUSE 13.2 (src):    cyrus-imapd-2.4.18-2.10.1
Comment 11 Marcus Meissner 2015-12-02 14:18:24 UTC 
also fix for sle10-sle12
Comment 12 Swamp Workflow Management 2015-12-04 14:11:39 UTC 
openSUSE-SU-2015:2200-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 954200
CVE References: CVE-2015-8077
Sources used:
openSUSE 13.1 (src):    cyrus-imapd-2.3.19-34.6.1
Comment 13 Simon Lees 2016-05-26 01:24:15 UTC 
CVE-2015-8076 was missed, now (bsc#981670) It will be simpler to create 1 patch fixing both issues here as the patches don't apply cleanly
Comment 15 Swamp Workflow Management 2016-05-30 09:17:10 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62790
Comment 16 Swamp Workflow Management 2016-05-31 20:08:02 UTC 
SUSE-SU-2016:1457-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    cyrus-imapd-2.3.18-37.1
SUSE Linux Enterprise Server 12 (src):    cyrus-imapd-2.3.18-37.1
Comment 17 Swamp Workflow Management 2016-06-01 10:08:21 UTC 
SUSE-SU-2016:1459-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    cyrus-imapd-2.3.11-60.65.67.1
SUSE Linux Enterprise Server 11-SP4 (src):    cyrus-imapd-2.3.11-60.65.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    cyrus-imapd-2.3.11-60.65.67.1
Comment 18 Marcus Meissner 2016-06-24 14:08:31 UTC 
released
First Last Prev Next    This bug is not in your last search results.