Bug 469667 - (CVE-2008-5005) CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail
CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 469415 469522 469523 483255
  Show dependency treegraph
Reported: 2008-11-03 07:11 EST by Tomas Hoger
Modified: 2009-02-19 13:44 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-02-19 13:44:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
dmail 2007b -> 2007d diff (1.14 KB, patch)
2008-11-03 07:16 EST, Tomas Hoger
no flags Details | Diff
tmail 2007b -> 2007d diff (1.18 KB, patch)
2008-11-03 07:17 EST, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-11-03 07:11:43 EST
UW-IMAP upstream developers released new upstream version - 2007d - that fixes security issue in dmail and tmail utilities.  Upstream announcement fails to detail those issue further.

Comment 1 Tomas Hoger 2008-11-03 07:15:17 EST
uw-imap as shipped with Fedora and EPEL was rebased to upstream version 2007d, updates should appear in stable repositories on the next push runs.

uw-imap is also shipped in Red Hat Enterprise Linux 2.1 and 3 (imap package).  Only Red Hat Enterprise Linux 3 offers imap-utils subpackage with tmail and dmail utilities.
Comment 2 Tomas Hoger 2008-11-03 07:16:46 EST
Created attachment 322296 [details]
dmail 2007b -> 2007d diff

Fixes unbound strcpy to stack-based buffer.
Comment 3 Tomas Hoger 2008-11-03 07:17:50 EST
Created attachment 322297 [details]
tmail 2007b -> 2007d diff

Similar change to dmail change.
Comment 4 Tomas Hoger 2008-11-03 08:41:00 EST
Further details from Pawel Salek:

It's a classical stack overflow that can be triggered by passing
+VERYLONGSTRING as the argument to [dt]mail. The program attempts to copy the
string to a temporary buffer without checking its length. This is only root
exploit if the program is suid root. It is a remote exploit if the smtp
delivery program passes the argument to tmail longer than 1024 characters (eg
via $u variable in 
define(`LOCAL_MAILER_ARGS', `tmail $u')dnl
Comment 5 Tomas Hoger 2008-11-03 08:48:54 EST
RFC 5321 defines that maximum length of the local part of the email address is 64 characters [1], but longer local parts seem to be accepted by MTAs.
  [1] http://tools.ietf.org/html/rfc5321#section-

Sendmail restricts total length of the recipient email address to 255 characters, while buffer being overflow in [dt]mail has capacity for 1024 characters.  That seems to be the restriction mentioned in the upstream announcement that is preventing remote exploitation of the flaw.

However, Postfix is bit more permissive in this regard and it may be possible to trigger this issue if Postfix is configured to use [dt]mail as mailbox_command along with recipient_delimiter being set to +.
Comment 7 Tomas Hoger 2008-11-03 10:42:08 EST
Bitsec security advisory for this issue:

PoC is expected to be published on 2008-11-10 at:
Comment 8 Fedora Update System 2008-11-05 23:08:19 EST
uw-imap-2007d-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-11-05 23:09:57 EST
uw-imap-2007d-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-11-10 09:06:03 EST
CVE id CVE-2008-5005 was assigned to this issue:

Multiple stack-based buffer overflows in (1) University of Washington
IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine
2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain
privileges by specifying a long folder extension argument on the
command line to the tmail or dmail program; and (b) remote attackers
to execute arbitrary code by sending e-mail to a destination mailbox
name composed of a username and '+' character followed by a long
string, processed by the tmail or possibly dmail program.
Comment 12 Tomas Hoger 2009-01-30 10:03:09 EST
tmail and dmail utilities available imap packages as shipped with Red Hat Enterprise Linux 3 are not installed setuid root, so the local privilege escalation is not possible.  This flaw can only be an issue if one of the utilities were used as delivery agents in certain mail setups, as documented in comment #5.  Such setup is default or commonly used one.
Comment 14 Red Hat Product Security 2009-02-19 13:44:01 EST
This issue was addressed in:

Red Hat Enterprise Linux:

  updated to fixed upstream version uw-imap-2007d

Note You need to log in before you can comment on or make changes to this bug.