Bug 149869

Summary: CAN-2005-0546 multiple buffer overflows in cyrus-imapd
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: cyrus-imapd
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20050214
Doc Type: Bug Fix
Last Closed: 2005-05-17 14:25:19 UTC

Description Josh Bressers 2005-02-28 15:04:07 UTC
Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to
execute arbitrary code via (1) an off-by-one error in the imapd annotate
extension, (2) an off-by-one error in "cached header handling," (3) a
stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow
in imapd.


* Fix possible single byte overflow in mailbox handling code. 
* Fix possible single byte overflows in the imapd annotate extension. 
* Fix stack buffer overflows in fetchnews (exploitable by peer news
  server), backend (exploitable by admin), and in imapd (exploitable
  by users though only on platforms where a filename may be larger
  than a mailbox name).

Comment 1 Josh Bressers 2005-02-28 15:06:30 UTC
The upstream announcement is here:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723

Comment 2 John Dennis 2005-04-04 23:07:25 UTC
O.K. version 2.2.12 is in CVS and built. Please note version 2.2.11 referenced
in the above announcement was superseded in hours by 2.2.12 without any statement I
could find as to why, I can only assume because 2.2.11 needed a minor fix, thus
I've upgraded to 2.2.12.

Tomorrow I will do the errata component of this bug.

Comment 3 John Dennis 2005-04-23 20:46:03 UTC
errata RHSA-2005:408 generated

Comment 4 John Dennis 2005-04-23 21:08:04 UTC
version 2.2.12.RHEL4.1 created and entered into errata

Comment 6 Mark J. Cox 2005-04-28 10:47:16 UTC
modified until pushed.

Comment 7 Josh Bressers 2005-05-17 14:25:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-408.html