Bug 469667 (CVE-2008-5005) - CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail
Summary: CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail
Alias: CVE-2008-5005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 469415 469522 469523 483255
TreeView+ depends on / blocked
Reported: 2008-11-03 12:11 UTC by Tomas Hoger
Modified: 2019-09-29 12:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-02-19 18:44:01 UTC

Attachments (Terms of Use)
dmail 2007b -> 2007d diff (1.14 KB, patch)
2008-11-03 12:16 UTC, Tomas Hoger
no flags Details | Diff
tmail 2007b -> 2007d diff (1.18 KB, patch)
2008-11-03 12:17 UTC, Tomas Hoger
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0275 0 normal SHIPPED_LIVE Moderate: imap security update 2009-02-19 17:51:14 UTC

Description Tomas Hoger 2008-11-03 12:11:43 UTC
UW-IMAP upstream developers released new upstream version - 2007d - that fixes security issue in dmail and tmail utilities.  Upstream announcement fails to detail those issue further.


Comment 1 Tomas Hoger 2008-11-03 12:15:17 UTC
uw-imap as shipped with Fedora and EPEL was rebased to upstream version 2007d, updates should appear in stable repositories on the next push runs.

uw-imap is also shipped in Red Hat Enterprise Linux 2.1 and 3 (imap package).  Only Red Hat Enterprise Linux 3 offers imap-utils subpackage with tmail and dmail utilities.

Comment 2 Tomas Hoger 2008-11-03 12:16:46 UTC
Created attachment 322296 [details]
dmail 2007b -> 2007d diff

Fixes unbound strcpy to stack-based buffer.

Comment 3 Tomas Hoger 2008-11-03 12:17:50 UTC
Created attachment 322297 [details]
tmail 2007b -> 2007d diff

Similar change to dmail change.

Comment 4 Tomas Hoger 2008-11-03 13:41:00 UTC
Further details from Pawel Salek:

It's a classical stack overflow that can be triggered by passing
+VERYLONGSTRING as the argument to [dt]mail. The program attempts to copy the
string to a temporary buffer without checking its length. This is only root
exploit if the program is suid root. It is a remote exploit if the smtp
delivery program passes the argument to tmail longer than 1024 characters (eg
via $u variable in 
define(`LOCAL_MAILER_ARGS', `tmail $u')dnl

Comment 5 Tomas Hoger 2008-11-03 13:48:54 UTC
RFC 5321 defines that maximum length of the local part of the email address is 64 characters [1], but longer local parts seem to be accepted by MTAs.
  [1] http://tools.ietf.org/html/rfc5321#section-

Sendmail restricts total length of the recipient email address to 255 characters, while buffer being overflow in [dt]mail has capacity for 1024 characters.  That seems to be the restriction mentioned in the upstream announcement that is preventing remote exploitation of the flaw.

However, Postfix is bit more permissive in this regard and it may be possible to trigger this issue if Postfix is configured to use [dt]mail as mailbox_command along with recipient_delimiter being set to +.

Comment 7 Tomas Hoger 2008-11-03 15:42:08 UTC
Bitsec security advisory for this issue:

PoC is expected to be published on 2008-11-10 at:

Comment 8 Fedora Update System 2008-11-06 04:08:19 UTC
uw-imap-2007d-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-11-06 04:09:57 UTC
uw-imap-2007d-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-11-10 14:06:03 UTC
CVE id CVE-2008-5005 was assigned to this issue:

Multiple stack-based buffer overflows in (1) University of Washington
IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine
2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain
privileges by specifying a long folder extension argument on the
command line to the tmail or dmail program; and (b) remote attackers
to execute arbitrary code by sending e-mail to a destination mailbox
name composed of a username and '+' character followed by a long
string, processed by the tmail or possibly dmail program.

Comment 12 Tomas Hoger 2009-01-30 15:03:09 UTC
tmail and dmail utilities available imap packages as shipped with Red Hat Enterprise Linux 3 are not installed setuid root, so the local privilege escalation is not possible.  This flaw can only be an issue if one of the utilities were used as delivery agents in certain mail setups, as documented in comment #5.  Such setup is default or commonly used one.

Comment 14 Red Hat Product Security 2009-02-19 18:44:01 UTC
This issue was addressed in:

Red Hat Enterprise Linux:

  updated to fixed upstream version uw-imap-2007d

Note You need to log in before you can comment on or make changes to this bug.