From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3

Description of problem:
05.40.14 CVE: CAN-2005-2933
Platform: Cross Platform
Title: University of Washington IMAP Mailbox Name Buffer Overflow
Description: University of Washington IMAP is prone to a buffer overflow vulnerability due to insufficient parsing of mailbox names in the "mail_valid_net_parse_work()" function, which is found in the "src/c-client/mail.c" source file. University of Washington IMAP versions 2004f and earlier are vulnerable.
Ref: http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=true

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Additional info:
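An added illustration, not code from UW IMAP, the iDefense patch or the attachments on this bug: a bounds-checked parser for the c-client remote mailbox-name syntax "{host[:port][/flags]}mailbox", showing the kind of length check on the braced part that the advisory's description implies was missing. NETSPEC_MAX, struct netspec, parse_net_mailbox and check_braced_length are names assumed for this example; the real code keeps its temporary in a MAILTMPLEN-sized buffer.

```c
#include <stdio.h>
#include <string.h>

#define NETSPEC_MAX 64  /* illustrative size; c-client itself uses MAILTMPLEN */

struct netspec {
    char host[NETSPEC_MAX];  /* text between the braces, NUL-terminated */
    const char *mailbox;     /* remainder after the closing brace */
};

/* Parse a remote mailbox name "{host[:port][/flag...]}mailbox".
 * Returns 1 on success, 0 if malformed or if the braced part would not
 * fit. The length check before the copy is the point: copying braced
 * text into a fixed buffer without it is the bug class of CVE-2005-2933. */
int parse_net_mailbox(const char *name, struct netspec *out)
{
    const char *end;
    size_t len;
    if (name == NULL || out == NULL || name[0] != '{') return 0;
    end = strchr(name + 1, '}');
    if (end == NULL) return 0;                    /* no closing brace */
    len = (size_t)(end - (name + 1));
    if (len == 0 || len >= NETSPEC_MAX) return 0; /* empty or too long */
    memcpy(out->host, name + 1, len);
    out->host[len] = '\0';
    out->mailbox = end + 1;
    return 1;
}

/* Constructed input: a braced part of exactly n characters before "}INBOX". */
int check_braced_length(size_t n)
{
    char buf[4 * NETSPEC_MAX];
    struct netspec ns;
    if (n + sizeof "{}INBOX" > sizeof buf) return -1;
    buf[0] = '{';
    memset(buf + 1, 'a', n);
    strcpy(buf + 1 + n, "}INBOX");
    return parse_net_mailbox(buf, &ns);
}

int main(void)
{
    struct netspec ns;
    if (parse_net_mailbox("{imap.example.com:993/ssl}INBOX", &ns)) /* constructed */
        printf("host spec '%s', mailbox '%s'\n", ns.host, ns.mailbox);
    printf("%d-char spec -> %d, %d-char spec -> %d\n", NETSPEC_MAX - 1,
           check_braced_length(NETSPEC_MAX - 1), NETSPEC_MAX, check_braced_length(NETSPEC_MAX));
    return 0;
}
```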
Created attachment 119876 [details]
Fix for bug CAN-2005-2933; modified from the patch at idefense's site

Fixes CAN-2005-2933. See
http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
http://www.linuxsecurity.com/content/view/120575
Modified from the mail.c patch at http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false
Created attachment 119877 [details]
Modified spec file for imap-2001a-10.1.legacy to include the patch for this bug
I took the source from http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/imap-2001a-10.1.legacy.src.rpm and modified the mail.c patch from http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities&flashstatus=false to apply to 2001a. It was just a blind patch weeding job - I didn't actually verify that imap-2001a isn't invulnerable to this or vulnerable to something else. In case anyone is interested, here's the modified .spec and the patch. Just do:

rpm -i imap-2001a-10.1.legacy.src.rpm
cp imap.spec.patched /usr/src/redhat/SPECS/imap.spec
cp imap-2001a-CAN-2005-2933_fix.patch /usr/src/redhat/SOURCES/
rpm -bb /usr/src/redhat/SPECS/imap.spec
I am not sure what distribution is using what, but newer ones may be using libc-client instead of imap2000 (it really should be "lib-c-client", but it is not :-), and underneath this is exactly the same code. It is not entirely clear how that variant is affected, but when used as a library one cannot really tell how the code will be applied. See comments to bug #170521 for some discussion. A patch for that is everywhere really the same, save possible line offsets.
Red Hat has issued RHSA-2005:850, an imap security update, to address the CVE-2005-2933 security issue. <http://rhn.redhat.com/errata/RHSA-2005-850.html>, also <http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00002.html>, Red Hat's Bug #169953.

Newer distros do indeed use libc-client. RH7.3, RH9, and FC1 use Univ. of Washington's imap, for both the imap daemon and the client code (which ends up statically linked into whatever programs require it from the imap-devel package). But FC2 and newer use cyrus-imapd, and the libc-client package for the client code (which *can* be dynamically linked, because it provides an .so).

Red Hat also issued a libc-client update, RHSA-2005:848, which addresses the same CVE-2005-2933 issue. <http://rhn.redhat.com/errata/RHSA-2005-848.html>, also <http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00001.html>, Red Hat's Bug #171344.

Perhaps we should roll both UW IMAP and libc-client packages into this bug?

-David
*** Bug 184073 has been marked as a duplicate of this bug. ***
Here are updated packages to QA:

http://www.infostrategique.com/linuxrpms/legacy/7.3/imap-2001a-10.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imap-2001a-18.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/imap-2002d-3.2.legacy.src.rpm
QA w/ rpm-build-compare for both imap and libc-client:
- source integrity good
- spec file changes minimal
- patches verified to come from RHEL

RHEL3 also fixed an IMAP crash with CRAM-MD5 which we could have included, but I don't think that has security impact, so we can leave it out.

+PUBLISH RHL73, RHL9, FC1, FC2
b58606915f3f45182c8abb9fbe4fb6135f2a1a3a imap-2001a-10.3.legacy.src.rpm
6762c161ad2de96c2793b43734b2474781b467a7 imap-2001a-18.2.legacy.src.rpm
8b3d2d0d6a46cf587a31034bb378a748a0796951 imap-2002d-3.2.legacy.src.rpm
33f844e64eeb1767774eabeea17bcde23c23085d libc-client-2002e-5.1.legacy.src.rpm
Packages were pushed to updates-testing.
QA for RHL9. Signature OK, upgrades OK. Rpm-build-compare.sh on the binaries also looks OK. Basic testing OK.

+VERIFY RHL9
QA for FC1.

369fb568801a2d2865a55b2ceabab87e496d8705 imap-2002d-3.2.legacy.i386.rpm
967a77fbc8a4d2dcc3fdfac8b715d7a84537c0c0 imap-devel-2002d-3.2.legacy.i386.rpm

* SHA1SUMs fine.
* Signatures fine.
* Installed great.
* I'm a heavy user of imap to have Mozilla Mail talk to my home mail directory. Have seen no problems whatsoever in using imap with Mozilla Mail or pine.
* Tested its builtin SSL/TLS with pine and Mozilla Mail. Works great. Imapd selects cipher TLS_RSA_WITH_AES_256_CBC_SHA, which seems pretty darn secure.
* Don't know how to test for the buffer overflow. Assume it's fixed.

VERIFY++ FC1

Oh, bumped the timeout date up a week, per our new policy. Hope that's okay.
Thanks!
dd3d1a3bac748d1db5643a76a86c02568abec7d2 imap-2001a-18.2.legacy.i386.rpm installs fine. I use IMAP *all* the time on that server, and it's still working fine with SSL.

+VERIFY RH9
Timeout over.
Packages were released to updates.