Bug 521010 – CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 521010 - (CVE-2009-2632) CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve

Summary:	CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve

Status:	CLOSED ERRATA

Aliases:	CVE-2009-2632

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,source=secalert,repo...
Keywords:	Security

Depends On:	521011 521056 521057 521058
Blocks:
	Show dependency tree / graph

Reported:	2009-09-03 03:50 EDT by Tomas Hoger
Modified:	2009-09-23 11:40 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-09-23 11:40:48 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Upstream patch which should be applicable to both 2.2 and 2.3 versions (2.56 KB, patch) 2009-09-03 03:54 EDT, Tomas Hoger	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1459	normal	SHIPPED_LIVE	Important: cyrus-imapd security update	2009-09-23 10:55:29 EDT

Groups: None (edit)

Description Tomas Hoger 2009-09-03 03:50:01 EDT

A buffer overflow flaw was discovered in cyrus sieve caused by an incorrect way used to determine size of a buffer (sizeof() used on pointer to heap-allocated memory).  A malicious authenticated user able to edit sieve script could use this flaw to trigger server crash or execute arbitrary code with server privileges (run as user cyrus).

Comment 2 Tomas Hoger 2009-09-03 03:54:15 EDT

Created attachment 359636 [details]
Upstream patch which should be applicable to both 2.2 and 2.3 versions

Comment 5 Tomas Hoger 2009-09-03 09:06:11 EDT

Upstream commit:
http://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
http://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67&r2=1.68

Comment 6 Vincent Danen 2009-09-04 19:00:59 EDT

This is CERT VU#336053.

Comment 7 Tomas Hoger 2009-09-07 09:47:44 EDT

Public now via Debian DSA 1881:

http://lists.debian.org/debian-security-announce/2009/msg00200.html
http://packages.debian.org/changelogs/pool/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-15/changelog

Comment 8 Fedora Update System 2009-09-07 11:02:47 EDT

cyrus-imapd-2.3.14-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc10

Comment 9 Fedora Update System 2009-09-07 11:02:52 EDT

cyrus-imapd-2.3.14-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc11

Comment 10 Fedora Update System 2009-09-08 21:53:03 EDT

cyrus-imapd-2.3.14-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-09-08 21:54:46 EDT

cyrus-imapd-2.3.14-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2009-09-09 15:07:52 EDT

CERT advisory is public now:
http://www.kb.cert.org/vuls/id/336053

Upstream anouncement:
http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html

Fixed in: 2.2.13p1 and 2.3.15

Comment 13 Tomas Hoger 2009-09-14 05:53:52 EDT

Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was affected by this flaw.  Upstream announcement:

http://dovecot.org/list/dovecot-news/2009-September/000135.html

Upstream recommends using different sieve plugin for dovecot 1.2.x versions.  That version is used dovecot packages in Fedora 11 and later.

dovecot packages in Red Hat Enterprise Linux 4 and 5 do not include sieve plugin.

Comment 15 Fedora Update System 2009-09-15 03:41:52 EDT

dovecot-1.1.18-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Tomas Hoger 2009-09-17 03:30:05 EDT

(In reply to comment #13)
> Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was
> affected by this flaw.  Upstream announcement:
> 
> http://dovecot.org/list/dovecot-news/2009-September/000135.html

Additional overflows found by Timo Sirainen were assigned CVE CVE-2009-3235 and are tracked via bug #523910.

Comment 18 errata-xmlrpc 2009-09-23 10:55:39 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html

Note You need to log in before you can comment on or make changes to this bug.