|Summary:||CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail|
|Product:||[Other] Security Response||Reporter:||Tomas Hoger <thoger>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||jdennis, kreilly, rdieter|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2009-02-19 18:44:01 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||469415, 469522, 469523, 483255|
Description Tomas Hoger 2008-11-03 12:11:43 UTC
UW-IMAP upstream developers released new upstream version - 2007d - that fixes security issue in dmail and tmail utilities. Upstream announcement fails to detail those issue further. References: http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html
Comment 1 Tomas Hoger 2008-11-03 12:15:17 UTC
uw-imap as shipped with Fedora and EPEL was rebased to upstream version 2007d, updates should appear in stable repositories on the next push runs. uw-imap is also shipped in Red Hat Enterprise Linux 2.1 and 3 (imap package). Only Red Hat Enterprise Linux 3 offers imap-utils subpackage with tmail and dmail utilities.
Comment 2 Tomas Hoger 2008-11-03 12:16:46 UTC
Created attachment 322296 [details] dmail 2007b -> 2007d diff Fixes unbound strcpy to stack-based buffer.
Comment 3 Tomas Hoger 2008-11-03 12:17:50 UTC
Created attachment 322297 [details] tmail 2007b -> 2007d diff Similar change to dmail change.
Comment 4 Tomas Hoger 2008-11-03 13:41:00 UTC
Further details from Pawel Salek: It's a classical stack overflow that can be triggered by passing +VERYLONGSTRING as the argument to [dt]mail. The program attempts to copy the string to a temporary buffer without checking its length. This is only root exploit if the program is suid root. It is a remote exploit if the smtp delivery program passes the argument to tmail longer than 1024 characters (eg via $u variable in define(`LOCAL_MAILER_ARGS', `tmail $u')dnl
Comment 5 Tomas Hoger 2008-11-03 13:48:54 UTC
RFC 5321 defines that maximum length of the local part of the email address is 64 characters , but longer local parts seem to be accepted by MTAs.  http://tools.ietf.org/html/rfc5321#section-184.108.40.206.1 Sendmail restricts total length of the recipient email address to 255 characters, while buffer being overflow in [dt]mail has capacity for 1024 characters. That seems to be the restriction mentioned in the upstream announcement that is preventing remote exploitation of the flaw. However, Postfix is bit more permissive in this regard and it may be possible to trigger this issue if Postfix is configured to use [dt]mail as mailbox_command along with recipient_delimiter being set to +.
Comment 7 Tomas Hoger 2008-11-03 15:42:08 UTC
Bitsec security advisory for this issue: http://www.bitsec.com/en/rad/bsa-081103.txt http://marc.info/?l=full-disclosure&m=122572590212610&w=4 PoC is expected to be published on 2008-11-10 at: http://www.bitsec.com/en/rad/bsa-081103.c
Comment 8 Fedora Update System 2008-11-06 04:08:19 UTC
uw-imap-2007d-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-11-06 04:09:57 UTC
uw-imap-2007d-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-11-10 14:06:03 UTC
CVE id CVE-2008-5005 was assigned to this issue: Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.
Comment 12 Tomas Hoger 2009-01-30 15:03:09 UTC
tmail and dmail utilities available imap packages as shipped with Red Hat Enterprise Linux 3 are not installed setuid root, so the local privilege escalation is not possible. This flaw can only be an issue if one of the utilities were used as delivery agents in certain mail setups, as documented in comment #5. Such setup is default or commonly used one.