A remotely exploitable buffer overflow flaw was found in Cyrus' nntpd. A malicious NNTP client would be able to exploit this to execute arbitrary code on a vulnerable nntpd server. If the 'allowanonymouslogin' option was set in imapd.conf, it could be done without authentication.
When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 and 6, as well as Fedora), this flaw is not exploitable and will result in a crash of the nntpd service.
The following patch will correct the flaw:
diff --git a/imap/nntpd.c b/imap/nntpd.c
index 56405d3..6b30174 100644
@@ -4131,7 +4131,8 @@ static struct wildmat *split_wildmats(char *str)
else if (*c == '@') wild[n].not = -1; /* absolute not (feeding) */
else wild[n].not = 0;
- strcpy(p, wild[n].not ? c + 1 : c);
+ strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p);
+ pattern[sizeof(pattern)-1] = '\0';
wild[n++].pat = xstrdup(pattern);
} while (c != str);
wild[n].pat = NULL;
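Review bot: the `strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p);` line does not write a NUL when the source has at least as many bytes as the remaining room, so the explicit `pattern[sizeof(pattern)-1] = '\0';` on the next line is required and must stay paired with it; however, the copy now truncates silently and the truncated buffer is still handed to `xstrdup(pattern)` and used as a wildmat, so an over-long client pattern is quietly matched as a different, shorter pattern. Consider failing the command instead of truncating, e.g. check that the source length is below `pattern+sizeof(pattern) - p` before the copy and return an error to the client when it is not.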
This issue has the name CVE-2011-3208 and will be made public on 8 Sep 2011.
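As an added example (not Cyrus code), a bounded copy modelled on the patched lines above, plus a helper showing why the explicit terminator after strncpy is needed; PATTERN_SIZE, the function names and the sample inputs are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed small buffer so the truncation case is easy to exercise. */
#define PATTERN_SIZE 8

/* Copy 'src' into 'pattern' starting at byte offset 'off', never writing
 * past the end and always leaving the buffer NUL-terminated (same shape
 * as the patched split_wildmats: strncpy with the remaining room, then an
 * explicit terminator). Returns 1 if 'src' fitted, 0 if it was truncated. */
int copy_pattern_bounded(char pattern[PATTERN_SIZE], size_t off, const char *src)
{
    if (off >= PATTERN_SIZE) {            /* no room at all: terminate and report */
        pattern[PATTERN_SIZE - 1] = '\0';
        return 0;
    }
    char *p = pattern + off;
    size_t room = PATTERN_SIZE - off;     /* equals pattern+sizeof(pattern) - p */

    /* strncpy pads with NULs when src is short, but writes NO terminator
     * when src has >= room bytes, hence the explicit terminator below. */
    strncpy(p, src, room);
    pattern[PATTERN_SIZE - 1] = '\0';

    return strlen(src) < room;            /* truncation is otherwise silent */
}

/* Property the patch relies on: after a plain strncpy that fills the
 * remaining room there is no NUL in that range. Returns 1 if a NUL is
 * present, 0 if not. */
int strncpy_terminates(const char *src, size_t room)
{
    char buf[PATTERN_SIZE];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, room);
    return memchr(buf, '\0', room) != NULL;
}

/* Two consecutive bounded copies (as a client-supplied list would cause);
 * the resulting length can never exceed PATTERN_SIZE - 1. */
size_t demo_length(const char *first, const char *second)
{
    char pattern[PATTERN_SIZE];
    copy_pattern_bounded(pattern, 0, first);
    copy_pattern_bounded(pattern, strlen(pattern), second);
    return strlen(pattern);
}

int main(void)
{
    printf("fits: %zu, truncated: %zu\n",
           demo_length("abc", "de"), demo_length("abc", "defghijk"));
    return 0;
}
```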
(In reply to comment #0)
> When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5
> and 6, as well as Fedora), this flaw is not exploitable and will result in a
> crash of the nntpd service.
This bug is not caught by FORTIFY_SOURCE as upstream indicated, but the overflow may be detected later if compiled with stack protector (SSP). cyrus-imapd in Red Hat Enterprise Linux 5 and 6 has SSP enabled, which increases exploit difficulty.
The code is executed in the nntpd child process running as user cyrus. The crash of the process only affects the attacker's connection and does not impact nntpd service availability.
Red Hat would like to thank Greg Banks for reporting this issue.
Fixed upstream versions 2.3.17 and 2.4.11 released:
Upstream git commit:
Created cyrus-imapd tracking bugs for this issue
Affects: fedora-all [bug 736838]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:1317 https://rhn.redhat.com/errata/RHSA-2011-1317.html