A buffer overflow flaw was discovered in cyrus sieve, caused by an incorrect way of determining the size of a buffer (sizeof() used on a pointer to heap-allocated memory). A malicious authenticated user able to edit a sieve script could use this flaw to trigger a server crash or execute arbitrary code with server privileges (run as user cyrus).
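The flaw class named in the description (sizeof() taken on a pointer to heap memory), shown as an added C illustration that is not the cyrus code: bogus_capacity reproduces the mistake, and the buf_t helpers show the bounded pattern a fix relies on; all function names and the sample script are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample sieve script, much longer than a pointer. */
static const char SAMPLE_SCRIPT[] =
    "require [\"fileinto\"];\r\n"
    "if header :contains \"subject\" \"[list]\" { fileinto \"INBOX.lists\"; }\r\n";
/* The mistake: sizeof applied to a pointer variable yields the size of
   the pointer itself (8 bytes on LP64), not of the heap block it points
   to. Any copy or allocation bounded by it is wrong for real input. */
size_t bogus_capacity(void) {
    char *buf = malloc(4096);   /* real allocation: 4096 bytes */
    size_t cap = sizeof(buf);   /* BUG: this is sizeof(char *) */
    free(buf);
    return cap;
}

/* Hardened pattern: a heap buffer carries its capacity explicitly. */
typedef struct {
    char  *data;
    size_t cap;                 /* recorded at allocation time */
} buf_t;

int buf_init(buf_t *b, size_t cap) {
    b->data = malloc(cap);
    b->cap = b->data ? cap : 0;
    return b->data ? 0 : -1;
}

/* Bounded copy that fails closed instead of writing past the block.
   Returns 0 on success, -1 if src plus its NUL does not fit. */
int buf_set(buf_t *b, const char *src) {
    size_t n = strlen(src);
    if (n >= b->cap) return -1;
    memcpy(b->data, src, n + 1);
    return 0;
}

void buf_free(buf_t *b) { free(b->data); b->data = NULL; b->cap = 0; }
/* Stores the sample script in a buffer of the given capacity.
   Returns 0 if stored intact, -1 if correctly rejected as too large. */
int store_script(size_t cap) {
    buf_t b;
    if (buf_init(&b, cap) != 0) return -1;
    int rc = buf_set(&b, SAMPLE_SCRIPT);
    if (rc == 0 && strcmp(b.data, SAMPLE_SCRIPT) != 0) rc = -1;
    buf_free(&b);
    return rc;
}
```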
Created attachment 359636
Upstream patch which should be applicable to both 2.2 and 2.3 versions
This is CERT VU#336053.
Public now via Debian DSA 1881:
cyrus-imapd-2.3.14-2.fc10 has been submitted as an update for Fedora 10.
cyrus-imapd-2.3.14-2.fc11 has been submitted as an update for Fedora 11.
cyrus-imapd-2.3.14-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.3.14-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
CERT advisory is public now:
Fixed in: 2.2.13p1 and 2.3.15
Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was affected by this flaw. Upstream announcement:
Upstream recommends using a different sieve plugin for dovecot 1.2.x versions. That version is used in the dovecot packages in Fedora 11 and later.
The dovecot packages in Red Hat Enterprise Linux 4 and 5 do not include the sieve plugin.
dovecot-1.1.18-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #13)
> Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was
> affected by this flaw. Upstream announcement:
Additional overflows found by Timo Sirainen were assigned CVE-2009-3235 and are tracked via bug #523910.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html