Bug 465859 - Buffer overflow with AUTHENTICATE LOGIN
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: up-imapproxy
Version: 19
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Chris Adams
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2008-10-06 15:03 EDT by Chris Adams
Modified: 2013-09-30 22:10 EDT
Fixed In Version: up-imapproxy-1.2.8-0.1.20130726svn14389.fc18
Doc Type: Bug Fix
Last Closed: 2013-09-30 21:59:23 EDT

Attachments
patch to fix buffer overflow (857 bytes, patch), 2008-10-06 15:03 EDT, Chris Adams
Patch to not overflow password buffer (545 bytes, patch), 2008-11-05 12:43 EST, Chris Adams

Description Chris Adams 2008-10-06 15:03:46 EDT
Created attachment 319591 [details]
patch to fix buffer overflow

If the client sends the AUTHENTICATE LOGIN command, imapproxy overflows the username and password buffers, triggering a crash.  I think the only possible result is a crash (it is just writing too many zeros).

I have sent a patch to the up-imapproxy mailing list and maintainer, but it would be nice to get this in Fedora and EPEL ASAP (for example, this breaks using imapproxy with horde).
Comment 1 Rakesh Pandit 2008-10-23 01:24:13 EDT
I will update it now! Probably this has gone upstream by now.
Comment 2 Fedora Update System 2008-10-23 02:24:21 EDT
up-imapproxy-1.2.7.rc1-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/up-imapproxy-1.2.7.rc1-1.fc9
Comment 3 Fedora Update System 2008-10-23 02:24:38 EDT
up-imapproxy-1.2.7.rc1-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/up-imapproxy-1.2.7.rc1-1.fc8
Comment 4 Rakesh Pandit 2008-10-23 02:26:30 EDT
CLOSED -> RAWHIDE
Comment 5 Chris Adams 2008-10-23 08:49:22 EDT
(In reply to comment #1)
> I will update it now! Probably this has been gone to upstream now.

Thanks.  I did get a response from the author; he said he had received a few emails about this problem and that he'd fix it next time he did any work on up-imapproxy (but no specific time-table).
Comment 6 Rakesh Pandit 2008-10-23 09:40:21 EDT
It is already fixed. I checked the latest code and played with it.
Comment 7 Rakesh Pandit 2008-10-23 09:41:01 EDT
Could you try the latest build?
Comment 8 Rakesh Pandit 2008-10-23 09:43:46 EDT
http://koji.fedoraproject.org/koji/packageinfo?packageID=4042 - choose the F8 or F9 build and then your architecture from here.

Thanks.
Comment 9 Chris Adams 2008-11-05 12:24:01 EST
Sorry for the delay.

I'm actually using this on EPEL (RHEL 5), so I built from the SRPM in updates-testing.  It still crashes on login for me.
Comment 10 Chris Adams 2008-11-05 12:43:32 EST
Created attachment 322617 [details]
Patch to not overflow password buffer

Looking at it, the overflow was only half fixed (username part but not password).  It still needs the attached patch.
Comment 11 Chris Adams 2008-11-05 12:44:05 EST
Also, the init script in 1.2.7rc1 doesn't actually start the daemon!
Comment 12 manuel wolfshant 2008-11-05 16:46:24 EST
The odd thing is that it works for me (on a CentOS 4). Maybe the bug is not triggered due to different compilation flags. But it definitely starts the daemon alright.

Thanks for the patch, Chris. I'll try it on my box and let you know the outcome.
Comment 13 manuel wolfshant 2008-11-05 18:01:19 EST
I've uploaded to http://wolfy.fedorapeople.org/up-imapproxy/ a patched src.rpm + prebuilt binaries for EL-4 and EL-5. If anyone is willing to test them...
Comment 14 Rakesh Pandit 2008-12-06 11:49:54 EST
@Chris

Could you try manuel's link and see if it works?
Comment 15 Fedora Update System 2009-01-07 04:05:24 EST
up-imapproxy-1.2.7.rc1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2009-01-07 04:12:49 EST
up-imapproxy-1.2.7.rc1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Lars Christian Hegde 2009-07-07 15:28:10 EDT
This bug is still present with Fedora 11:

up-imapproxy-1.2.7-0.4.rc1.fc11.x86_64
dovecot-1.2-0.rc6.1.fc11.x86_64

I'm using this with Horde IMP. With auth set to LOGIN in dovecot.conf I get this dump from imapproxy:


*** buffer overflow detected ***: in.imapproxyd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3cc44f7537]
/lib64/libc.so.6[0x3cc44f5590]
/lib64/libc.so.6[0x3cc44f4c8b]
/lib64/libc.so.6(__snprintf_chk+0x7a)[0x3cc44f4b5a]
in.imapproxyd[0x40683d]
in.imapproxyd[0x4076a0]
/lib64/libpthread.so.0[0x3cc4c0686a]
/lib64/libc.so.6(clone+0x6d)[0x3cc44de25d]
======= Memory map: ========
00400000-00410000 r-xp 00000000 fd:00 1017976                            /usr/sbin/in.imapproxyd
0060f000-00610000 rw-p 0000f000 fd:00 1017976                            /usr/sbin/in.imapproxyd
00610000-00618000 rw-p 00610000 00:00 0
0080f000-00811000 rw-p 0000f000 fd:00 1017976                            /usr/sbin/in.imapproxyd
00dbb000-00ddc000 rw-p 00dbb000 00:00 0                                  [heap]
3cc4000000-3cc401f000 r-xp 00000000 fd:00 950289                         /lib64/ld-2.10.1.so
3cc421e000-3cc421f000 r--p 0001e000 fd:00 950289                         /lib64/ld-2.10.1.so
3cc421f000-3cc4220000 rw-p 0001f000 fd:00 950289                         /lib64/ld-2.10.1.so
3cc4400000-3cc4564000 r-xp 00000000 fd:00 950295                         /lib64/libc-2.10.1.so
3cc4564000-3cc4764000 ---p 00164000 fd:00 950295                         /lib64/libc-2.10.1.so
3cc4764000-3cc4768000 r--p 00164000 fd:00 950295                         /lib64/libc-2.10.1.so
3cc4768000-3cc4769000 rw-p 00168000 fd:00 950295                         /lib64/libc-2.10.1.so
3cc4769000-3cc476e000 rw-p 3cc4769000 00:00 0
3cc4800000-3cc4802000 r-xp 00000000 fd:00 950299                         /lib64/libdl-2.10.1.so
3cc4802000-3cc4a02000 ---p 00002000 fd:00 950299                         /lib64/libdl-2.10.1.so
3cc4a02000-3cc4a03000 r--p 00002000 fd:00 950299                         /lib64/libdl-2.10.1.so
3cc4a03000-3cc4a04000 rw-p 00003000 fd:00 950299                         /lib64/libdl-2.10.1.so
3cc4c00000-3cc4c17000 r-xp 00000000 fd:00 950345                         /lib64/libpthread-2.10.1.so
3cc4c17000-3cc4e16000 ---p 00017000 fd:00 950345                         /lib64/libpthread-2.10.1.so
3cc4e16000-3cc4e17000 r--p 00016000 fd:00 950345                         /lib64/libpthread-2.10.1.so
3cc4e17000-3cc4e18000 rw-p 00017000 fd:00 950345                         /lib64/libpthread-2.10.1.so
3cc4e18000-3cc4e1c000 rw-p 3cc4e18000 00:00 0
3cc5400000-3cc5415000 r-xp 00000000 fd:00 950346                         /lib64/libz.so.1.2.3
3cc5415000-3cc5614000 ---p 00015000 fd:00 950346                         /lib64/libz.so.1.2.3
3cc5614000-3cc5615000 rw-p 00014000 fd:00 950346                         /lib64/libz.so.1.2.3
3cc5800000-3cc581c000 r-xp 00000000 fd:00 950317                         /lib64/libselinux.so.1
3cc581c000-3cc5a1b000 ---p 0001c000 fd:00 950317                         /lib64/libselinux.so.1
3cc5a1b000-3cc5a1c000 r--p 0001b000 fd:00 950317                         /lib64/libselinux.so.1
3cc5a1c000-3cc5a1d000 rw-p 0001c000 fd:00 950317                         /lib64/libselinux.so.1
3cc5a1d000-3cc5a1e000 rw-p 3cc5a1d000 00:00 0
3cc7400000-3cc7419000 r-xp 00000000 fd:00 950354                         /lib64/libgcc_s-4.4.0-20090506.so.1
3cc7419000-3cc7619000 ---p 00019000 fd:00 950354                         /lib64/libgcc_s-4.4.0-20090506.so.1
3cc7619000-3cc761a000 rw-p 00019000 fd:00 950354                         /lib64/libgcc_s-4.4.0-20090506.so.1
3cc8000000-3cc8015000 r-xp 00000000 fd:00 950451                         /lib64/libresolv-2.10.1.so
3cc8015000-3cc8215000 ---p 00015000 fd:00 950451                         /lib64/libresolv-2.10.1.so
3cc8215000-3cc8216000 r--p 00015000 fd:00 950451                         /lib64/libresolv-2.10.1.so
3cc8216000-3cc8217000 rw-p 00016000 fd:00 950451                         /lib64/libresolv-2.10.1.so
3cc8217000-3cc8219000 rw-p 3cc8217000 00:00 0
3cc9000000-3cc9003000 r-xp 00000000 fd:00 950464                         /lib64/libcom_err.so.2.1
3cc9003000-3cc9202000 ---p 00003000 fd:00 950464                         /lib64/libcom_err.so.2.1
3cc9202000-3cc9203000 rw-p 00002000 fd:00 950464                         /lib64/libcom_err.so.2.1
3cca400000-3cca42b000 r-xp 00000000 fd:00 1020928                        /usr/lib64/libgssapi_krb5.so.2.2
3cca42b000-3cca62a000 ---p 0002b000 fd:00 1020928                        /usr/lib64/libgssapi_krb5.so.2.2
3cca62a000-3cca62c000 rw-p 0002a000 fd:00 1020928                        /usr/lib64/libgssapi_krb5.so.2.2
3cca800000-3cca89b000 r-xp 00000000 fd:00 1020925                        /usr/lib64/libkrb5.so.3.3
3cca89b000-3ccaa9b000 ---p 0009b000 fd:00 1020925                        /usr/lib64/libkrb5.so.3.3
3ccaa9b000-3ccaa9f000 rw-p 0009b000 fd:00 1020925                        /usr/lib64/libkrb5.so.3.3
3ccac00000-3ccac24000 r-xp 00000000 fd:00 1020924                        /usr/lib64/libk5crypto.so.3.1
3ccac24000-3ccae24000 ---p 00024000 fd:00 1020924                        /usr/lib64/libk5crypto.so.3.1
3ccae24000-3ccae26000 rw-p 00024000 fd:00 1020924                        /usr/lib64/libk5crypto.so.3.1
3ccb400000-3ccb409000 r-xp 00000000 fd:00 1019414                        /usr/lib64/libkrb5support.so.0.1
3ccb409000-3ccb608000 ---p 00009000 fd:00 1019414                        /usr/lib64/libkrb5support.so.0.1
3ccb608000-3ccb609000 rw-p 00008000 fd:00 1019414                        /usr/lib64/libkrb5support.so.0.1
3ccb800000-3ccb802000 r-xp 00000000 fd:00 950448                         /lib64/libkeyutils-1.2.so
3ccb802000-3ccba01000 ---p 00002000 fd:00 950448                         /lib64/libkeyutils-1.2.so
3ccba01000-3ccba02000 rw-p 00001000 fd:00 950448                         /lib64/libkeyutils-1.2.so
3ccc000000-3ccc15b000 r-xp 00000000 fd:00 1020929                        /usr/lib64/libcrypto.so.0.9.8k
3ccc15b000-3ccc35a000 ---p 0015b000 fd:00 1020929                        /usr/lib64/libcrypto.so.0.9.8k
3ccc35a000-3ccc380000 rw-p 0015a000 fd:00 1020929                        /usr/lib64/libcrypto.so.0.9.8k
3ccc380000-3ccc384000 rw-p 3ccc380000 00:00 0
3cccc00000-3cccc4b000 r-xp 00000000 fd:00 1020933                        /usr/lib64/libssl.so.0.9.8k
3cccc4b000-3ccce4a000 ---p 0004b000 fd:00 1020933                        /usr/lib64/libssl.so.0.9.8k
3ccce4a000-3ccce51000 rw-p 0004a000 fd:00 1020933                        /usr/lib64/libssl.so.0.9.8k
7f273c000000-7f273c021000 rw-p 7f273c000000 00:00 0
7f273c021000-7f2740000000 ---p 7f273c021000 00:00 0
7f2742175000-7f2742176000 ---p 7f2742175000 00:00 0
7f2742176000-7f2742b76000 rw-p 7f2742176000 00:00 0
7f2742b76000-7f2742b77000 ---p 7f2742b76000 00:00 0
7f2742b77000-7f2743577000 rw-p 7f2742b77000 00:00 0
7f2743577000-7f2743583000 r-xp 00000000 fd:00 950402                     /lib64/libnss_files-2.10.1.so
7f2743583000-7f2743782000 ---p 0000c000 fd:00 950402                     /lib64/libnss_files-2.10.1.so
7f2743782000-7f2743783000 r--p 0000b000 fd:00 950402                     /lib64/libnss_files-2.10.1.so
7f2743783000-7f2743784000 rw-p 0000c000 fd:00 950402                     /lib64/libnss_files-2.10.1.so
7f2743784000-7f27437da000 rw-p 7f2743784000 00:00 0
7f27437e9000-7f27437ea000 rw-s 00000000 fd:00 943840                     /var/run/pimpstats
7f27437ea000-7f27437ec000 rw-p 7f27437ea000 00:00 0
7fffa545b000-7fffa5470000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffa5574000-7fffa5575000 r-xp 7fffa5574000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
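The overflow described in the bug description and caught by FORTIFY in the backtrace above, as an added example in C that is not up-imapproxy's code: the SASL LOGIN exchange that AUTHENTICATE LOGIN starts delivers the username and password as two base64-encoded client responses, and each one has to be decoded into its buffer using that buffer's own size. The buffer sizes, the credential struct, the function names and the constructed client responses below are assumptions made for illustration, not the proxy's real layout.

```c
/*
 * Added example, not up-imapproxy's code. After "AUTHENTICATE LOGIN" the
 * client answers two server challenges with base64-encoded username and
 * password. A proxy decodes each into a fixed-size buffer; if the clear or
 * copy step uses a length that belongs to a different (larger) buffer, it
 * writes past the end of the smaller one. Sizes and names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USER_BUF 64   /* assumed size of the username buffer */
#define PASS_BUF 32   /* assumed (smaller) size of the password buffer */

struct login_creds {
    char user[USER_BUF];
    char pass[PASS_BUF];
};

/* Map one base64 alphabet character to its 6-bit value, -1 if not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bytes a base64 string decodes to, computed without decoding it:
 * six bits per non-padding character, truncated to whole bytes. */
static size_t b64_decoded_size(const char *in)
{
    size_t n = strlen(in);
    while (n > 0 && in[n - 1] == '=')
        n--;
    return n * 6 / 8;
}

/* Decode base64 into out and NUL-terminate it. Returns the decoded length,
 * or -1 on malformed input or when the result would not fit in outlen - 1
 * bytes. The fit check runs before any byte is written to out. */
static int b64_decode(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), i, o = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (n % 4 != 0 || outlen == 0 || b64_decoded_size(in) >= outlen)
        return -1;
    for (i = 0; i < n; i++) {
        int v;
        if (in[i] == '=') {            /* padding: at most two, only at the end */
            if (n - i > 2)
                return -1;
            for (; i < n; i++)
                if (in[i] != '=')
                    return -1;
            break;
        }
        v = b64val((unsigned char)in[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= outlen)       /* belt and braces: keep room for the NUL */
                return -1;
            out[o++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardened handling of the two LOGIN responses: the struct is cleared with
 * its own sizeof and each response is decoded with the size of the buffer
 * it lands in. The pattern the bug report describes is clearing or filling
 * c->pass with USER_BUF (another buffer's size) instead of sizeof c->pass.
 * Returns 1 on success, 0 if a response is rejected (struct left zeroed). */
static int authenticate_login(const char *user_b64, const char *pass_b64,
                              struct login_creds *c)
{
    memset(c, 0, sizeof *c);
    if (b64_decode(user_b64, c->user, sizeof c->user) < 0)
        return 0;
    if (b64_decode(pass_b64, c->pass, sizeof c->pass) < 0) {
        memset(c, 0, sizeof *c);       /* do not leave a half-decoded username */
        return 0;
    }
    return 1;
}

/* Constructed client responses: "alice" / "secret", and a 40-byte password
 * ('A' x 40) that is longer than PASS_BUF and must be rejected, not written. */
#define USER_ALICE  "YWxpY2U="
#define PASS_SECRET "c2VjcmV0"
#define PASS_LONG   "QUFBQUFBQUFBQUFB" "QUFBQUFBQUFBQUFB" "QUFBQUFBQUFBQUFB" "QUFB" "QQ=="

static int demo_short_credentials_ok(void)
{
    struct login_creds c;
    return authenticate_login(USER_ALICE, PASS_SECRET, &c)
        && strcmp(c.user, "alice") == 0
        && strcmp(c.pass, "secret") == 0;
}

static int demo_long_password_rejected(void)
{
    struct login_creds c;
    return !authenticate_login(USER_ALICE, PASS_LONG, &c) && c.user[0] == '\0';
}
```

The abort in the backtrace above comes from __snprintf_chk, the FORTIFY_SOURCE wrapper glibc substitutes for snprintf when the destination's size is known at compile time; it calls __chk_fail when the size argument handed to snprintf is larger than that destination, which is exactly what using the larger buffer's size (or the wrong constant) while filling the smaller password buffer would do. The decoder here refuses a response before writing anything when its decoded length would not fit, so the 40-byte client-supplied password is rejected instead of being written past a 32-byte buffer.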
Comment 18 Chris Adams 2012-07-03 12:47:12 EDT
I just checked the F17 package, and my patch from comment 10 is still required.
Comment 19 Chris Adams 2013-04-11 09:42:14 EDT
This is still a problem, up through F19 and EPEL6 packages.  Is this package still being maintained?
Comment 20 Fedora End Of Life 2013-07-04 02:43:52 EDT
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Comment 21 Harald Reindl 2013-07-13 06:09:15 EDT
And *that* is why package guidelines should not be ignored: "Full RELRO" and "PIE" are there to make buffer overflows a little less critical and *may* catch some exploits.

https://bugzilla.redhat.com/show_bug.cgi?id=972967
Comment 22 Chris Adams 2013-07-23 22:28:15 EDT
Is this package maintained?  This password buffer overflow has gone unfixed for over 4 years.  Either apply the patch I gave in comment 10 or update to upstream's SVN (which has other fixes).
Comment 23 Tim Jackson 2013-07-25 18:25:32 EDT
Commenting only re EPEL5 (which should really be a separate bug), I specifically asked on the upstream mailing list a while ago about this [1] and upstream said [2] "no bug here"
It is also not listed at http://www.imapproxy.org/security.html as a security issue.

As a consequence of the above I did not hasten to add it to EPEL5 (the only branch I maintain) in expectation that there would soon be a new upstream release which would incidentally contain it. However, there has been no new upstream release in a long time.

If the comments in [2] are incorrect a followup on the upstream list would be in order and we should get the fix in Fedora/EPEL, however in any case this should be co-ordinated with the Fedora master branch so that we are consistent and EPEL5 does not end up "ahead" of Fedora master. Rakesh?

[1] http://www.mail-archive.com/squirrelmail-imapproxy@lists.sourceforge.net/msg00073.html

[2] http://www.mail-archive.com/squirrelmail-imapproxy@lists.sourceforge.net/msg00074.html
Comment 24 Harald Reindl 2013-07-25 18:32:01 EDT
That does not change the fact at all that the package *clearly* violates the guidelines: https://bugzilla.redhat.com/show_bug.cgi?id=972967

however, no longer my problem

up-imapproxy-1.2.8-3.fc17.20130724.rh.x86_64

hardening-check /usr/sbin/in.imapproxyd
/usr/sbin/in.imapproxyd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
Comment 25 Chris Adams 2013-07-25 23:38:50 EDT
The bug was fixed in upstream SVN in 2010, but they haven't had a new release since (and no changes in SVN in a year and a half).
Comment 26 Fedora Admin XMLRPC Client 2013-08-07 23:00:11 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 27 Chris Adams 2013-08-07 23:04:25 EDT
Okay, since this was orphaned, and I complained, I've taken the package.  I will be working to update to upstream's SVN (since it is unchanged in a long time, with no signs of a release), fixing this and other problems.
Comment 28 Fedora Update System 2013-09-17 10:58:06 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc18
Comment 29 Fedora Update System 2013-09-17 11:12:30 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc19
Comment 30 Fedora Update System 2013-09-17 11:25:28 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/up-imapproxy-1.2.8-0.1.20130726svn14389.fc20
Comment 31 Fedora Update System 2013-09-17 14:16:28 EDT
Package up-imapproxy-1.2.8-0.1.20130726svn14389.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing up-imapproxy-1.2.8-0.1.20130726svn14389.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16968/up-imapproxy-1.2.8-0.1.20130726svn14389.fc20
then log in and leave karma (feedback).
Comment 32 Fedora Update System 2013-09-30 21:59:23 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2013-09-30 22:08:53 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2013-09-30 22:10:14 EDT
up-imapproxy-1.2.8-0.1.20130726svn14389.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.