Bug 981670 - (CVE-2015-8076) VUL-0: CVE-2015-8076: cyrus-imapd: urlfetch range handling flaw in Cyrus
VUL-0: CVE-2015-8076: cyrus-imapd: urlfetch range handling flaw in Cyrus
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2016-05-25 15:22 UTC by Marcus Meissner
Modified: 2016-08-01 09:05 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-05-25 15:22:51 UTC

The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3.19, 2.4.x before 2.4.18, 2.5.x before 2.5.4 allows remote attackers to obtain sensitive information or possibly have unspecified other impact via vectors related to the urlfetch range, which triggers an out-of-bounds heap read. 


Date: Wed, 30 Sep 2015 11:07:28 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: urlfetch range handling flaw in Cyrus

On 09/29/2015 01:01 PM, Martin Prpic wrote:
> Hi, was a CVE ID assigned for the following issue?
> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]
> Not many details seem to be available about this issue. Any pointers to
> a patch that fixes this would be greatly appreciated.

This looks like the relevant fix:


This patch seems to fix an information disclosure (out of bounds heap read).

The patch may be incomplete because n could become negative.  I'll ask
on the cyrus-devel list once my subscription request goes through.

This otherwise unrelated commits might be security-relevant as well:


Florian Weimer / Red Hat Product Security
Comment 1 Marcus Meissner 2016-05-25 15:23:27 UTC
from mitre on oss-sec

> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]

This was a somewhat complex situation for CVE assignment. The
http://www.openwall.com/lists/oss-security/2015/09/30/3 post
identified one commit associated with an upstream security-fix
release, but it was later found that there were two similar commits
associated with the same type of security fix in that release. The
oss-security thread was extremely helpful in providing a specific URL
for where upstream discussion was attempted, but the only upstream
discussion occurred after the last oss-security message. Finally,
there is the somewhat-common question of what to do if a Linux
distributor interprets an oss-security message as an indication that a
new distribution package can be safely produced by backporting one
commit, rather than by packaging a new upstream version.

The scope of CVE-2015-8076 is both of the June 2015 commits by the
cyrus-imapd developers for preventing read operations that go beyond
the size of a message, i.e.,




(We don't know of cases where a Linux distribution backported only
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921. For example, the September
updates from openSUSE state that they packaged version 2.3.19. If any
Linux distributions backported only
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921, each of those distributions
should now have another unique CVE for an "incomplete fix for
CVE-2015-8076" problem. If we already knew that that had occurred, we
may have chosen separate CVEs for the upstream
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 and
c21e179c1f6b968fe69bebe079176714e511587b fixes, to simplify the
overall CVE assignment work.)

The original oss-security message suggested that the fixed version was
2.4.18, but actually all of these changelogs seem applicable:


The scope of CVE-2015-8077 is the discovery by Florian Weimer that
there can be an integer overflow in the start_octet addition after the
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 fix. This discovery
corresponds to:


The scope of CVE-2015-8078 is the discovery by a cyrus-imapd developer
that there can be an integer overflow in the section_offset addition
after the c21e179c1f6b968fe69bebe079176714e511587b fix. This discovery
corresponds to:


CVE-2015-8077 and CVE-2015-8078 potentially affect all released
versions (see the ftp://ftp.cyrusimap.org/cyrus-imapd/ listing.)

There is no CVE for the
buffer overflow because we don't know of a realistic case in which a
privilege boundary can be crossed by an untrusted person who controls
the imtest command line.

There is no CVE for
because of the upstream comments in the
Comment 2 Swamp Workflow Management 2016-05-25 22:01:13 UTC
bugbot adjusting priority
Comment 3 Simon Lees 2016-05-26 01:22:42 UTC
From bsc#954200 the patch was: https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08

As that patch doesn't apply cleanly it will be simpler to create one patch covering both issues.
Comment 5 Swamp Workflow Management 2016-05-30 09:17:45 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-06.
When done, reassign the bug to security-team@suse.de.
Comment 6 Swamp Workflow Management 2016-05-31 20:08:21 UTC
SUSE-SU-2016:1457-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    cyrus-imapd-2.3.18-37.1
SUSE Linux Enterprise Server 12 (src):    cyrus-imapd-2.3.18-37.1
Comment 7 Swamp Workflow Management 2016-06-01 10:08:40 UTC
SUSE-SU-2016:1459-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 860611,901748,954200,954201,981670
CVE References: CVE-2014-3566,CVE-2015-8076,CVE-2015-8077,CVE-2015-8078
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    cyrus-imapd-2.3.11-
SUSE Linux Enterprise Server 11-SP4 (src):    cyrus-imapd-2.3.11-
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    cyrus-imapd-2.3.11-
Comment 8 Marcus Meissner 2016-06-24 14:08:19 UTC