Bug 184073 - CVE-2005-2933 imap buffer overflow
Status: CLOSED DUPLICATE of bug 170411
Product: Fedora Legacy
Classification: Retired
Component: imap
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
: Security
Reported: 2006-03-05 17:08 EST by Pavel Kankovsky
Modified: 2007-04-18 13:39 EDT
Doc Type: Bug Fix
Last Closed: 2006-03-05 17:38:05 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 169953 None None None Never

Description Pavel Kankovsky 2006-03-05 17:08:07 EST
Remote exploitation of a buffer overflow vulnerability in the University
of Washington's IMAP Server (UW-IMAP) allows attackers to execute
arbitrary code. (quote from iDefense advisory, see
http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=313)

All versions of imap < imap-2004g are affected. This includes RHL 7.3, RHL 9,
and probably most FC versions.

RH used the following patch to fix the issue in RHEL 2.1:
--snip--
Fix for CAN-2005-2933, from iDefense's advisory.

diff -uNr imap-2001a/src/c-client/mail.c imap-2004g/src/c-client/mail.c
--- imap-2001a/src/c-client/mail.c	2001-11-13 14:29:07.000000000 -0500
+++ imap-2004g/src/c-client/mail.c	2005-09-15 12:57:07.000000000 -0400
@@ -587,8 +587,10 @@
       if (c == '=') {		/* parse switches which take arguments */
 	if (*t == '"') {	/* quoted string? */
 	  for (v = arg,i = 0,++t; (c = *t++) != '"';) {
+	    if (!c) return NIL;	/* unterminated string */
 				/* quote next character */
 	    if (c == '\\') c = *t++;
+	    if (!c) return NIL;	/* can't quote NUL either */
 	    arg[i++] = c;
 	  }
 	  c = *t++;		/* remember delimiter for later */
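Review bot: the write at `arg[i++] = c` in the quoted-string loop still has no bound on `i` in the lines shown. The two added `if (!c) return NIL;` checks stop the scan from running past the terminating NUL of the input when the closing quote is missing, or when a backslash is the last character, but they do not limit how many bytes a properly terminated quoted string can copy into `arg`. Please confirm that the code above this hunk already guarantees the input is no longer than `arg`, or add an explicit length check inside the loop that returns NIL the same way the new checks do.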
--snip--
More or less the same patch is applicable to other versions as well.
Comment 1 Pavel Kankovsky 2006-03-05 17:38:05 EST
Grrr...

*** This bug has been marked as a duplicate of 170411 ***
