Created attachment 319591 [details] patch to fix buffer overflow If the client sends the AUTHENTICATE LOGIN command, imapproxy overflows the username and password buffers, triggering a crash. I think the only possible result is a crash (it is just writing too many zeros). I have sent a patch to the up-imapproxy mailing list and maintainer, but it would be nice to get this in Fedora and EPEL ASAP (for example, this breaks using imapproxy with horde).
I will update it now! Probably this has gone upstream now.
up-imapproxy-1.2.7.rc1-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/up-imapproxy-1.2.7.rc1-1.fc9
up-imapproxy-1.2.7.rc1-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/up-imapproxy-1.2.7.rc1-1.fc8
CLOSED -> RAWHIDE
(In reply to comment #1) > I will update it now! Probably this has been gone to upstream now. Thanks. I did get a response from the author; he said he had received a few emails about this problem and that he'd fix it next time he did any work on up-imapproxy (but no specific time-table).
It is already fixed. I checked the latest code and played with it.
Could you try the latest build?
http://koji.fedoraproject.org/koji/packageinfo?packageID=4042 Choose from here the F8 or F9 build and then your architecture. Thanks.
Sorry for the delay. I'm actually using this on EPEL (RHEL 5), so I built from the SRPM in updates-testing. It still crashes on login for me.
Created attachment 322617 [details] Patch to not overflow password buffer Looking at it, the overflow was only half fixed (username part but not password). It still needs the attached patch.
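The report and the follow-up patch describe the AUTHENTICATE LOGIN handler overflowing its fixed username and password buffers, with the second patch needed because only the username half had been bounded. As an added example (not imapproxy's code and not either attached patch; the buffer size, function names and sample credentials are assumptions), this handler bounds the decode of both client responses so an over-long value is rejected rather than written past the end of its buffer:

```c
#include <stdio.h>
#include <string.h>
#define CRED_MAX 64  /* assumed size of the fixed username/password buffers */

/* Value of one base64 digit, or -1 if the character is not one. */
static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 `in` into `out` (capacity `cap`) and NUL-terminate it.
 * Returns the decoded length, or -1 if the text is malformed or the bytes
 * plus terminator would not fit.  The size check precedes every write, so an
 * over-long client response is rejected rather than written past the end. */
static int decode_credential(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= cap) return -1;            /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xffu);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* The two responses a client sends after AUTHENTICATE LOGIN, decoded into
 * fixed buffers: 1 if both fit, 0 if either one must be rejected. */
int handle_auth_login(const char *b64user, const char *b64pass,
                      char *user, char *pass)
{
    if (decode_credential(b64user, user, CRED_MAX) < 0) return 0;
    if (decode_credential(b64pass, pass, CRED_MAX) < 0) return 0;
    return 1;
}
int main(void)
{
    char user[CRED_MAX], pass[CRED_MAX];   /* constructed sample: "user"/"pass" */
    int ok = handle_auth_login("dXNlcg==", "cGFzcw==", user, pass);
    printf("accepted=%d user=%s\n", ok, ok ? user : "-");
    return ok ? 0 : 1;
}
```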
Also, the init script in 1.2.7rc1 doesn't actually start the daemon!
Odd thing is that it works for me (on CentOS 4). Maybe the bug is not triggered due to different compilation flags. But it definitely starts the daemon alright. Thanks for the patch, Chris. I'll try it on my box and let you know the outcome.
I've uploaded to http://wolfy.fedorapeople.org/up-imapproxy/ a patched src.rpm + prebuilt binaries for EL-4 and EL-5. If anyone is willing to test them...
@Chris, could you try Manuel's link and see if it works?
up-imapproxy-1.2.7.rc1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
up-imapproxy-1.2.7.rc1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This bug is still present with Fedora 11:
up-imapproxy-1.2.7-0.4.rc1.fc11.x86_64
dovecot-1.2-0.rc6.1.fc11.x86_64
I'm using this with Horde IMP. With auth set to LOGIN in dovecot.conf I get this dump from imapproxy:
*** buffer overflow detected ***: in.imapproxyd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3cc44f7537]
/lib64/libc.so.6[0x3cc44f5590]
/lib64/libc.so.6[0x3cc44f4c8b]
/lib64/libc.so.6(__snprintf_chk+0x7a)[0x3cc44f4b5a]
in.imapproxyd[0x40683d]
in.imapproxyd[0x4076a0]
/lib64/libpthread.so.0[0x3cc4c0686a]
/lib64/libc.so.6(clone+0x6d)[0x3cc44de25d]
Aborted
I just checked the F17 package, and my patch from comment 10 is still required.
This is still a problem, up through F19 and EPEL6 packages. Is this package still being maintained?
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 reaches end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
And *that* is why package guidelines should not be ignored: "Full RELRO" and "PIE" are there to make buffer overflows a little less critical and *may* catch some exploits. https://bugzilla.redhat.com/show_bug.cgi?id=972967
Is this package maintained? This password buffer overflow has gone unfixed for over 4 years. Either apply the patch I gave in comment 10 or update to upstream's SVN (which has other fixes).
Commenting only re EPEL5 (which should really be a separate bug), I specifically asked on the upstream mailing list a while ago about this [1] and upstream said [2] "no bug here". It is also not listed at http://www.imapproxy.org/security.html as a security issue. As a consequence of the above I did not hasten to add it to EPEL5 (the only branch I maintain) in expectation that there would soon be a new upstream release which would incidentally contain it. However, there has been no new upstream release in a long time. If the comments in [2] are incorrect a followup on the upstream list would be in order and we should get the fix in Fedora/EPEL; however, in any case this should be co-ordinated with the Fedora master branch so that we are consistent and EPEL5 does not end up "ahead" of Fedora master. Rakesh?
[1] http://www.mail-archive.com/squirrelmail-imapproxy@lists.sourceforge.net/msg00073.html
[2] http://www.mail-archive.com/squirrelmail-imapproxy@lists.sourceforge.net/msg00074.html
That does not change the fact that the package *clearly* violates the guidelines https://bugzilla.redhat.com/show_bug.cgi?id=972967. However, no longer my problem.
up-imapproxy-1.2.8-3.fc17.20130724.rh.x86_64
hardening-check /usr/sbin/in.imapproxyd
/usr/sbin/in.imapproxyd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
The bug was fixed in upstream SVN in 2010, but they haven't had a new release since (and no changes in SVN in a year and a half).
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Okay, since this was orphaned, and I complained, I've taken the package. I will be working to update to upstream's SVN (since it is unchanged in a long time, with no signs of a release), fixing this and other problems.
up-imapproxy-1.2.8-0.1.20130726svn14389.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc18
up-imapproxy-1.2.8-0.1.20130726svn14389.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc19
up-imapproxy-1.2.8-0.1.20130726svn14389.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc20
Package up-imapproxy-1.2.8-0.1.20130726svn14389.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing up-imapproxy-1.2.8-0.1.20130726svn14389.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16968/up-imapproxy-1.2.8-0.1.20130726svn14389.fc20
then log in and leave karma (feedback).
up-imapproxy-1.2.8-0.1.20130726svn14389.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
up-imapproxy-1.2.8-0.1.20130726svn14389.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
up-imapproxy-1.2.8-0.1.20130726svn14389.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.