Multiple fixes of potential buffer overflows appeared in cyrus-imapd. Upstream fixes: https://cyrus.foundation/cyrus-imapd/commit/?id=d81a712401418cc0bd1daa49ded8e5bcc4b69f21 https://cyrus.foundation/cyrus-imapd/commit/?id=ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0 CVE request: http://seclists.org/oss-sec/2015/q3/651
Created cyrus-imapd tracking bugs for this issue: Affects: fedora-all [bug 1267878]
Sorry, did I do something wrong here? I've pushed a release to all branches with the two patches mentioned and backported a third. That's currently in testing.
(In reply to Jason Tibbitts from comment #2) > Sorry, did I do something wrong here? I've pushed a release to all branches > with the two patches mentioned and backported a third. That's currently in > testing. I don't see anything wrong. Are you worried about my accidental WONTFIX from 2015-10-07? That was my mistake and unrelated.
The changes in master/master.c seem to be security enhancements only. The code we ship in RHELs looks solid enough (all calls to the code seem to pass the correct size etc), no need to backport this to RHELs. The changes in imtest/imtest.c are actually fixing a real possibility of an overflow, but the code is part of the test framework. Bottom line, I don't see a need to backport this, either.
cyrus-imapd-2.4.18-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.4.18-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.4.18-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.