Bug 170411 - CAN-2005-2933 University of Washington IMAP Mailbox Name Buffer Overflow
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: imap
Version: unspecified
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.idefense.com/application/p...
Whiteboard: LEGACY, rh73, rh90, 1
Keywords: Security
Duplicates: 184073

Reported: 2005-10-11 10:06 EDT by John Dalbec
Modified: 2007-04-18 13:32 EDT
Doc Type: Bug Fix
Last Closed: 2006-04-04 20:26:25 EDT

Attachments
Fix for bug CAN-2005-2933; modified from the patch at idefense's site (863 bytes, patch)
2005-10-13 03:22 EDT, Ville Herva
Modified spec file for imap-2001a-10.1.legacy to include the patch for this bug (17.76 KB, text/plain)
2005-10-13 03:23 EDT, Ville Herva

Description John Dalbec 2005-10-11 10:06:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3

Description of problem:
05.40.14 CVE: CAN-2005-2933
Platform: Cross Platform
Title: University of Washington IMAP Mailbox Name Buffer Overflow
Description: University of Washington IMAP is prone to a buffer
overflow vulnerability due to insufficient parsing of mailbox names in
the "mail_valid_net_parse_work()" function, which is found in the
"src/c-client/mail.c" source file. University of Washington IMAP
versions 2004f and earlier are vulnerable.
Ref:
http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=true

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 2 Ville Herva 2005-10-13 03:23:34 EDT
Created attachment 119877 [details]
Modified spec file for imap-2001a-10.1.legacy to include the patch for this bug
Comment 3 Ville Herva 2005-10-13 03:24:22 EDT
I took the source from
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/imap-2001a-10.1.legacy.src.rpm

and modified the mail.c patch from
http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
to apply to 2001a.

It was just a blind patch weeding job - I didn't actually verify that
imap-2001a isn't invulnerable to this or vulnerable to something else.

In case anyone is interested, here's the modified .spec and the patch.

Just do

  rpm -i imap-2001a-10.1.legacy.src.rpm
  cp imap.spec.patched /usr/src/redhat/SPECS/imap.spec
  cp imap-2001a-CAN-2005-2933_fix.patch /usr/src/redhat/SOURCES/
  rpm -bb /usr/src/redhat/SPECS/imap.spec
Comment 4 Michal Jaegermann 2005-10-15 13:23:41 EDT
I am not sure what distribution is using what but newer ones instead of imap2000
may be using libc-client (it really should be "lib-c-client" but it is not :-)
and underneath this is exactly the same code.  It is not entirely clear how that
variant is affected but when used as library one cannot really tell how the code
will be applied.  See comments to bug #170521 for some discussion.

A patch for that is everywhere really the same save possible line offsets.
Comment 5 David Eisenstein 2005-12-06 22:40:32 EST
Red Hat has issued RHSA-2005:850 imap security update to address CVE-2005-2933
security issue.  <http://rhn.redhat.com/errata/RHSA-2005-850.html>, also
<http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00002.html>
RedHat's Bug #169953.

Newer distros do indeed use libc-client.  RH7.3, RH9, and FC1 use Univ. of
Washington's imap, for both the imap daemon and the client code (which ends up
statically linked into whatever programs require it from the imap-devel
package).  But FC2 and newer use cyrus-imapd, and the libc-client package for the
client code (which *can* be dynamically linked, because it provides an .so).

Red Hat also issued a libc-client update, RHSA-2005:848 which addresses the
same CVE-2005-2933 issue.  <http://rhn.redhat.com/errata/RHSA-2005-848.html>,
also
<http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00001.html>
RedHat's Bug #171344.

Perhaps we should roll both UW IMAP and libc-client packages into this bug?
   -David
Comment 6 Pavel Kankovsky 2006-03-05 17:38:18 EST
*** Bug 184073 has been marked as a duplicate of this bug. ***
Comment 7 Marc Deslauriers 2006-03-07 17:44:12 EST

Here are updated packages to QA:


http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.2.legacy.src.rpm

Comment 8 Pekka Savola 2006-03-08 01:20:22 EST
 
QA w/ rpm-build-compare for both imap and libc-client:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
RHEL3 also fixed an IMAP crash with CRAM-MD5 which we could have included,
but I don't think that has security impact, so we can leave it out.
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
b58606915f3f45182c8abb9fbe4fb6135f2a1a3a  imap-2001a-10.3.legacy.src.rpm
6762c161ad2de96c2793b43734b2474781b467a7  imap-2001a-18.2.legacy.src.rpm
8b3d2d0d6a46cf587a31034bb378a748a0796951  imap-2002d-3.2.legacy.src.rpm
33f844e64eeb1767774eabeea17bcde23c23085d  libc-client-2002e-5.1.legacy.src.rpm
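Anyone auditing hosts for this update needs to decide whether an installed imap or libc-client package is at or above the fixed releases named in Comments 7 and 8 above. The following is an added example, not code from the bug, from Fedora Legacy, or from rpm itself: it reimplements rpm's segment-wise version comparison in simplified form (separators ignored, no '~' or '^' handling, epoch defaults to 0), hard-codes the fixed releases from this bug, and uses assumed distro keys ("rhl7.3", "rhl9", "fc1", "fc2").

```python
import re

# Fixed Fedora Legacy releases from Comments 7 and 8: distro -> (package, version, release)
FIXED = {
    "rhl7.3": ("imap", "2001a", "10.3.legacy"),
    "rhl9":   ("imap", "2001a", "18.2.legacy"),
    "fc1":    ("imap", "2002d", "3.2.legacy"),
    "fc2":    ("libc-client", "2002e", "5.1.legacy"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified reimplementation of rpm's rpmvercmp: compare alternating numeric
    and alpha segments, ignoring separators (no '~'/'^'). Returns -1, 0 or 1."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1            # a numeric segment beats an alpha one
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")  # compare numerically, not lexically
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1  # leftover segments win

def parse_nvr(nvr: str):
    """Split 'imap-devel-2002d-3.2.legacy' into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch, _, version = version.rpartition(":")  # optional 'epoch:version'
    return name, epoch or "0", version, release

def is_fixed(installed_nvr: str, distro: str) -> bool:
    """True when the installed package is at or above the fixed EVR for that distro."""
    name, epoch, version, release = parse_nvr(installed_nvr)
    pkg, fixed_version, fixed_release = FIXED[distro]
    if name not in (pkg, pkg + "-devel"):
        raise ValueError(f"{name} is not the {pkg} package shipped for {distro}")
    for have, want in ((epoch, "0"), (version, fixed_version), (release, fixed_release)):
        c = rpmvercmp(have, want)
        if c:
            return c > 0
    return True
```

Feed it the output of `rpm -q imap imap-devel libc-client` from the host being checked; a result of False means the package predates the erratum for that distro.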
Comment 9 Marc Deslauriers 2006-03-15 20:27:57 EST
Packages were pushed to updates-testing.
Comment 10 Pekka Savola 2006-03-16 01:04:05 EST
 
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.
 
+VERIFY RHL9
Comment 11 David Eisenstein 2006-03-18 00:02:37 EST

QA for FC1.

369fb568801a2d2865a55b2ceabab87e496d8705  imap-2002d-3.2.legacy.i386.rpm
967a77fbc8a4d2dcc3fdfac8b715d7a84537c0c0  imap-devel-2002d-3.2.legacy.i386.rpm


  * SHA1SUMs fine.
  * Signatures fine.
  * Installed great.
  * I'm a heavy user of imap to have Mozilla Mail talk to my home mail
    directory.  Have seen no problems whatsoever in using imap with Mozilla
    Mail or pine.
  * Tested its builtin SSL/TLS with pine and Mozilla mail.  Works great.  
    Imapd selects cipher TLS_RSA_WITH_AES_256_CBC_SHA, which seems pretty
    darn secure.
  * Don't know how to test for the buffer overflow.  Assume it's fixed.

VERIFY++ FC1


Oh, bumped the timeout date up a week, per our new policy.  Hope that's
okay.
Comment 12 Pekka Savola 2006-03-18 00:41:36 EST
Thanks!
Comment 13 Tom Yates 2006-03-23 05:30:59 EST

dd3d1a3bac748d1db5643a76a86c02568abec7d2  imap-2001a-18.2.legacy.i386.rpm

installs fine.  i use IMAP *all* the time on that server, and it's still
working fine with SSL.

+VERIFY RH9

Comment 14 Pekka Savola 2006-03-23 08:23:03 EST
Timeout over.
Comment 15 Marc Deslauriers 2006-04-04 20:26:25 EDT
Packages were released to updates.