Bug 734926 (CVE-2011-3208)
| Summary: | CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | jskala, mhlavink, rvokal, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cyrus-imapd 2.4.11 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-28 21:32:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 735388, 735389, 735390, 735391, 735392, 736838, 833884, 844262 | ||
| Bug Blocks: | 734930 | ||
This issue has the name CVE-2011-3208 and will be made public on 8 Sep 2011. (In reply to comment #0) > When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 > and 6, as well as Fedora), this flaw is not exploitable and will result in a > crash of the nntpd service. This bug is not caught by FORTIFY_SOURCE as upstream indicated, but the overflow may be detected later if compiled with stack protector (SSP). cyrus-imapd in Red Hat Enterprise Linux 5 and 6 have SSP enabled, which increases exploit difficulty. The code is executed in the nntpd child process running as user cyrus. The crash of the process only affects attacker's connection and does not impact nntpd service availability. Acknowledgement: Red Hat would like to thank Greg Banks for reporting this issue. Fixed upstream versions 2.3.17 and 2.4.11 released: http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=199 http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=200 Upstream git commit: http://git.cyrusimap.org/cyrus-imapd/commit/?id=0f8f026699829b65733c3081657b24e2174f4f4d Created cyrus-imapd tracking bugs for this issue Affects: fedora-all [bug 736838] This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:1317 https://rhn.redhat.com/errata/RHSA-2011-1317.html |
A remotely exploitable buffer overflow flaw was found in Cyrus' nntpd. A malicious NNTP client would be able to exploit this to execute arbitrary code on a vulnerable nntpd server. If the 'allowanonymouslogin' option was set in imapd.conf, it could be done without authentication. When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 and 6, as well as Fedora), this flaw is not exploitable and will result in a crash of the nntpd service. The following patch will correct the flaw: diff --git a/imap/nntpd.c b/imap/nntpd.c index 56405d3..6b30174 100644 --- a/imap/nntpd.c +++ b/imap/nntpd.c @@ -4131,7 +4131,8 @@ static struct wildmat *split_wildmats(char *str) else if (*c == '@') wild[n].not = -1; /* absolute not (feeding) */ else wild[n].not = 0; - strcpy(p, wild[n].not ? c + 1 : c); + strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p); + pattern[sizeof(pattern)-1] = '\0'; wild[n++].pat = xstrdup(pattern); } while (c != str); wild[n].pat = NULL;