Bug 523910 - (CVE-2009-3235) CVE-2009-3235 cyrus-impad: CMU sieve buffer overflows
CVE-2009-3235 cyrus-impad: CMU sieve buffer overflows
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
http://web.nvd.nist.gov/view/vuln/det...
impact=important,source=internet,repo...
: Security
Depends On: 521011 521056 521057 521058
Blocks:
  Show dependency treegraph
 
Reported: 2009-09-17 03:24 EDT by Tomas Hoger
Modified: 2014-11-11 11:00 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-23 11:41:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2009-09-17 03:24:52 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3235 to the following vulnerability:

Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
allow context-dependent attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted SIEVE script, as
demonstrated by forwarding an e-mail message to a large number of
recipients, a different vulnerability than CVE-2009-2632.

Note: Sieve implementation used in cyrus-imapd is affected by these issues too.

References:
http://dovecot.org/list/dovecot-news/2009-September/000135.html
http://www.kb.cert.org/vuls/id/336053 (for CVE-2009-2632)

Dovecot patches:
http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d

Cyrus upstream patches:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
Comment 1 Tomas Hoger 2009-09-17 03:32:03 EDT
Dovecot update for Fedora 10 already includes these fixes:

https://admin.fedoraproject.org/updates/F10/FEDORA-2009-9559

Dovecot on Fedora 11+ (uses different sieve plugin) and Red Hat Enterprise Linux 4 and 5 (no sieve plugin) are not affected by his flaw.

cyrus-imapd packages in Fedora and Red Hat Enterprise Linux will be updated to address this flaws.
Comment 3 Tomas Hoger 2009-09-17 03:52:14 EDT
Mitigation notes:

All these additional overflows are sprintf()s to static char buffers.  On Red Hat Enterprise Linux 5 and later (including all current Fedora versoins), these overflows are caught by FORTIFY_SOURCE reducing the impact to controlled abort of one of the cyrus-imapd child processes that are later re-spawned by the master.
Comment 4 Fedora Update System 2009-09-18 10:40:56 EDT
cyrus-imapd-2.3.15-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.15-1.fc10?_csrf_token=587baaef7d1faae0b1a721ba81aa239b1b72d48a
Comment 5 Fedora Update System 2009-09-18 10:41:03 EDT
cyrus-imapd-2.3.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.15-1.fc11?_csrf_token=587baaef7d1faae0b1a721ba81aa239b1b72d48a
Comment 7 errata-xmlrpc 2009-09-23 10:55:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html
Comment 11 Fedora Update System 2009-09-24 01:17:22 EDT
cyrus-imapd-2.3.15-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-09-24 01:22:56 EDT
cyrus-imapd-2.3.15-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.