Bug 10875 - Univ. Of Washington imapd Buffer Overflow Vulnerability
Summary: Univ. Of Washington imapd Buffer Overflow Vulnerability
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: imap (Show other bugs)
(Show other bugs)
Version: 7.0
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact:
URL: http://www.securityfocus.com/vdb/bott...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-04-17 18:34 UTC by Matthew Miller
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-07-30 23:27:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Matthew Miller 2000-04-17 18:34:24 UTC
See http://www.securityfocus.com/vdb/bottom.html?vid=1110

From the discussion there:

A buffer overflow exists in imapd4r1 version 12.264. The vulnerability
exists in the list command. By supplying a long, well crafted buffer as the
second argument to the list command, it becomes possible to execute code on
the machine.

Executing the list command requires an account on the machine. In addition,
privileges have been dropped in imapd prior to the location of the buffer
overrun. As such, this vulnerability would only be useful in a scenario
where a user has an account, but no shell level access. This would allow
them to gain shell access.

This version of imapd is the one shipped with RedHat Linux 6.2.

Comment 1 Cristian Gafton 2000-08-09 02:28:44 UTC
assigned to the new owner


Comment 2 Mike A. Harris 2001-07-30 23:25:38 UTC
Reassigning to myself.

Comment 3 Mike A. Harris 2001-07-30 23:27:15 UTC
This bug I believe was fixed ages ago but the report not updated
and was misassigned to nalin.

The latest errata should fix this problem for all releases, but
I will await confirmation before closing the report.

Comment 4 Mark J. Cox 2002-08-13 11:55:31 UTC
Also see RHSA-2002:092


Note You need to log in before you can comment on or make changes to this bug.