Bugzilla – Bug 981670
VUL-0: CVE-2015-8076: cyrus-imapd: urlfetch range handling flaw in Cyrus
Last modified: 2016-08-01 09:05:07 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8076

The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3.19, 2.4.x before 2.4.18, 2.5.x before 2.5.4 allows remote attackers to obtain sensitive information or possibly have unspecified other impact via vectors related to the urlfetch range, which triggers an out-of-bounds heap read.

http://www.openwall.com/lists/oss-security/2015/09/29/2

Date: Wed, 30 Sep 2015 11:07:28 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: urlfetch range handling flaw in Cyrus IMAP

On 09/29/2015 01:01 PM, Martin Prpic wrote:
> Hi, was a CVE ID assigned for the following issue?
>
> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]
>
> Not many details seem to be available about this issue. Any pointers to
> a patch that fixes this would be greatly appreciated.

This looks like the relevant fix:

https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921

This patch seems to fix an information disclosure (out of bounds heap read). The patch may be incomplete because n could become negative. I'll ask on the cyrus-devel list once my subscription request goes through.

These otherwise unrelated commits might be security-relevant as well:

https://cyrus.foundation/cyrus-imapd/commit/?id=d81a712401418cc0bd1daa49ded8e5bcc4b69f21
https://cyrus.foundation/cyrus-imapd/commit/?id=ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0
https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b

--
Florian Weimer / Red Hat Product Security
from mitre on oss-sec

> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]

This was a somewhat complex situation for CVE assignment. The http://www.openwall.com/lists/oss-security/2015/09/30/3 post identified one commit associated with an upstream security-fix release, but it was later found that there were two similar commits associated with the same type of security fix in that release. The oss-security thread was extremely helpful in providing a specific URL for where upstream discussion was attempted, but the only upstream discussion occurred after the last oss-security message. Finally, there is the somewhat-common question of what to do if a Linux distributor interprets an oss-security message as an indication that a new distribution package can be safely produced by backporting one commit, rather than by packaging a new upstream version.

The scope of CVE-2015-8076 is both of the June 2015 commits by the cyrus-imapd developers for preventing read operations that go beyond the size of a message, i.e.,

https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921

and

https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b

(We don't know of cases where a Linux distribution backported only 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921. For example, the September updates from openSUSE state that they packaged version 2.3.19. If any Linux distributions backported only 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921, each of those distributions should now have another unique CVE for an "incomplete fix for CVE-2015-8076" problem. If we already knew that that had occurred, we may have chosen separate CVEs for the upstream 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 and c21e179c1f6b968fe69bebe079176714e511587b fixes, to simplify the overall CVE assignment work.)
The original oss-security message suggested that the fixed version was 2.4.18, but actually all of these changelogs seem applicable:

https://docs.cyrus.foundation/imap/release-notes/2.3/x/2.3.19.html
https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html
https://docs.cyrus.foundation/imap/release-notes/2.5/x/2.5.4.html

The scope of CVE-2015-8077 is the discovery by Florian Weimer that there can be an integer overflow in the start_octet addition after the 07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 fix. This discovery corresponds to:

https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08

The scope of CVE-2015-8078 is the discovery by a cyrus-imapd developer that there can be an integer overflow in the section_offset addition after the c21e179c1f6b968fe69bebe079176714e511587b fix. This discovery corresponds to:

https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2

CVE-2015-8077 and CVE-2015-8078 potentially affect all released versions (see the ftp://ftp.cyrusimap.org/cyrus-imapd/ listing.)

There is no CVE for the https://cyrus.foundation/cyrus-imapd/commit/?id=d81a712401418cc0bd1daa49ded8e5bcc4b69f21 buffer overflow because we don't know of a realistic case in which a privilege boundary can be crossed by an untrusted person who controls the imtest command line.

There is no CVE for https://cyrus.foundation/cyrus-imapd/commit/?id=ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0 because of the upstream comments in the https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2015-October/003550.html post.
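The two failure modes discussed in the comments above (a fetch window that reaches past the end of the message, and then an integer overflow in the offset addition that a first bounds check did not account for) can be modelled with a small range check. This is an added illustration written for this page, not Cyrus IMAP's code; the function names and the `;PARTIAL=start.length` truncation semantics it assumes are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of validating a URLFETCH ;PARTIAL=start.length window
 * against a message of msg_size bytes. Written for this page; it is not
 * the Cyrus IMAP implementation. With no check at all, a start beyond
 * msg_size or an oversized len reads past the end of the message buffer. */

/* First attempt: start is validated, but the end of the window is computed
 * by addition. start + len wraps for a huge len, so the check passes and the
 * read still goes out of bounds. This is the overflow class the follow-up
 * CVEs describe. */
bool range_ok_naive(size_t msg_size, size_t start, size_t len)
{
    if (start > msg_size) return false;
    return start + len <= msg_size;   /* unsigned wraparound defeats this */
}

/* Overflow-safe form: compare len against the bytes remaining after start,
 * so no intermediate value can exceed msg_size and nothing can wrap. */
bool range_ok_safe(size_t msg_size, size_t start, size_t len)
{
    if (start > msg_size) return false;
    return len <= msg_size - start;
}

/* Bytes a server may actually serve for the window: an empty result when
 * start is at or past the end, otherwise len truncated to what remains
 * (assumed partial-fetch semantics; the message is never over-read). */
size_t partial_bytes(size_t msg_size, size_t start, size_t len)
{
    if (start >= msg_size) return 0;
    size_t remaining = msg_size - start;
    return len < remaining ? len : remaining;
}

int main(void)
{
    /* Constructed input: a 1000-byte message and a window whose end wraps. */
    size_t msg = 1000, start = 990, len = SIZE_MAX - 900;
    printf("naive accepts: %d  safe accepts: %d  bytes served: %zu\n",
           range_ok_naive(msg, start, len), range_ok_safe(msg, start, len),
           partial_bytes(msg, start, len));
    return 0;
}
```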
bugbot adjusting priority
From bsc#954200 the patch was: https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08 As that patch doesn't apply cleanly it will be simpler to create one patch covering both issues.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-06-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62790
SUSE-SU-2016:1457-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): cyrus-imapd-2.3.18-37.1
SUSE Linux Enterprise Server 12 (src): cyrus-imapd-2.3.18-37.1
SUSE-SU-2016:1459-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): cyrus-imapd-2.3.11-60.65.67.1
SUSE Linux Enterprise Server 11-SP4 (src): cyrus-imapd-2.3.11-60.65.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): cyrus-imapd-2.3.11-60.65.67.1
released