Bug 734926 - (CVE-2011-3208) CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20110908,reported=20110831,sou...
Keywords: Security
Depends On: 735388 735389 735390 735391 735392 736838 833884 844262
Blocks: 734930
Reported: 2011-08-31 17:18 EDT by Vincent Danen
Modified: 2015-11-24 09:40 EST (History)
Fixed In Version: cyrus-imapd 2.4.11
Doc Type: Bug Fix
Last Closed: 2013-02-28 16:32:02 EST
Description Vincent Danen 2011-08-31 17:18:16 EDT
A remotely exploitable buffer overflow flaw was found in Cyrus' nntpd.  A malicious NNTP client would be able to exploit this to execute arbitrary code on a vulnerable nntpd server.  If the 'allowanonymouslogin' option was set in imapd.conf, it could be done without authentication.

When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 and 6, as well as Fedora), this flaw is not exploitable and will result in a crash of the nntpd service.

The following patch will correct the flaw:

diff --git a/imap/nntpd.c b/imap/nntpd.c
index 56405d3..6b30174 100644
--- a/imap/nntpd.c
+++ b/imap/nntpd.c
@@ -4131,7 +4131,8 @@ static struct wildmat *split_wildmats(char *str)
        else if (*c == '@') wild[n].not = -1;   /* absolute not (feeding) */
        else wild[n].not = 0;

-       strcpy(p, wild[n].not ? c + 1 : c);
+       strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p);
+       pattern[sizeof(pattern)-1] = '\0';
        wild[n++].pat = xstrdup(pattern);
     } while (c != str);
     wild[n].pat = NULL;
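Review bot: The bounded copy silently truncates a pattern that does not fit in the remainder of `pattern[]`, so an over-long wildmat is accepted with a shorter pattern than the client sent instead of being rejected; consider checking `strlen(wild[n].not ? c + 1 : c) >= pattern+sizeof(pattern) - p` before the `strncpy()` and failing the command when it triggers. The added `pattern[sizeof(pattern)-1] = '\0';` must stay either way, because `strncpy()` writes no terminator when the source fills the whole bound.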
Comment 1 Vincent Danen 2011-09-01 13:57:41 EDT
This issue has the name CVE-2011-3208 and will be made public on 8 Sep 2011.
Comment 4 Tomas Hoger 2011-09-02 11:04:45 EDT
(In reply to comment #0)
> When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5
> and 6, as well as Fedora), this flaw is not exploitable and will result in a
> crash of the nntpd service.

This bug is not caught by FORTIFY_SOURCE as upstream indicated, but the overflow may be detected later if compiled with stack protector (SSP).  cyrus-imapd in Red Hat Enterprise Linux 5 and 6 has SSP enabled, which increases exploit difficulty.

The code is executed in the nntpd child process running as user cyrus.  The crash of the process only affects the attacker's connection and does not impact nntpd service availability.
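The shape of the upstream fix (a `strncpy()` limited to the bytes left in `pattern[]`, followed by an explicit terminator) as an added, self-contained C example; this is not code from the bug page or from cyrus-imapd. It tokenises a comma-separated wildmat list into fixed-size entries the way the report describes `split_wildmats()` doing, but the buffer sizes `PATTERN_BUF` and `MAX_WILD`, the function names, the comma tokenising and the `!` negation prefix are assumptions (the patch context shows only the `@` branch), and the input string is constructed. Unlike the patch, it also counts how many patterns were cut short, so a caller can reject the request instead of silently matching a shorter pattern.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes chosen for this example; the real pattern[] and wildmat array
 * sizes in nntpd.c are not shown on the bug page. */
#define PATTERN_BUF 16
#define MAX_WILD    8

struct wild_pat {
    int  not;               /* 0 = match, 1 = negated ('!'), -1 = absolute not ('@') */
    char pat[PATTERN_BUF];  /* fixed-size destination, like pattern[] in split_wildmats() */
};

/* Bounded replacement for the strcpy(p, src) that overflowed.  Copies at
 * most (buf + size - p) bytes of src starting at p and forces a terminator
 * at buf[size - 1]: the same shape as the upstream strncpy() fix.
 * Returns 1 if src did not fit and was cut short, 0 if it fit completely. */
int copy_bounded(char *buf, size_t size, char *p, const char *src)
{
    size_t avail = (size_t)(buf + size - p);  /* bytes from p to the end of buf */
    size_t len   = strlen(src);

    strncpy(p, src, avail);   /* writes no terminator when len >= avail ... */
    buf[size - 1] = '\0';     /* ... so always terminate the buffer explicitly */
    return len >= avail;
}

/* Split "comp.*,!comp.lang.*,@alt.*" into fixed-size entries (assumed
 * tokenising; the real loop is not shown).  Returns the entry count, or -1
 * if the list itself is too long.  *truncated receives the number of
 * patterns that had to be cut to fit PATTERN_BUF; a caller should treat a
 * non-zero value as a client error rather than match the shortened pattern. */
int split_wildmats_bounded(const char *str, struct wild_pat *out, int max, int *truncated)
{
    char copy[256];           /* working copy so commas can be replaced in place */
    size_t slen = strlen(str);
    char *tok;
    int n = 0;

    *truncated = 0;
    if (slen >= sizeof(copy))
        return -1;            /* reject rather than silently truncate the list */
    memcpy(copy, str, slen + 1);

    tok = copy;
    while (tok && n < max) {
        char *comma = strchr(tok, ',');
        if (comma)
            *comma = '\0';

        if (*tok == '!')      { out[n].not =  1; tok++; }  /* negation (assumed prefix) */
        else if (*tok == '@') { out[n].not = -1; tok++; }  /* absolute not (feeding) */
        else                    out[n].not =  0;

        /* here p == out[n].pat; in nntpd.c p points somewhere inside pattern[] */
        if (copy_bounded(out[n].pat, sizeof(out[n].pat), out[n].pat, tok))
            (*truncated)++;
        n++;
        tok = comma ? comma + 1 : NULL;
    }
    return n;
}

int main(void)
{
    struct wild_pat w[MAX_WILD];
    int truncated, i, n;

    /* constructed input: the second pattern is longer than PATTERN_BUF - 1 bytes */
    n = split_wildmats_bounded("comp.*,!comp.lang.verylongname.*,@alt.*",
                               w, MAX_WILD, &truncated);
    for (i = 0; i < n; i++)
        printf("%d: not=%2d pat=\"%s\"\n", i, w[i].not, w[i].pat);
    printf("%d pattern(s) truncated\n", truncated);
    return 0;
}
```

The second pattern comes back as `comp.lang.veryl` with `truncated == 1`; that return value is the part the patch lacks, and it is what lets the caller fail the command instead of quietly matching a different set of newsgroups than the client asked for.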
Comment 5 Tomas Hoger 2011-09-05 06:34:50 EDT
Acknowledgement:

Red Hat would like to thank Greg Banks for reporting this issue.
Comment 7 Tomas Hoger 2011-09-08 16:03:34 EDT
Created cyrus-imapd tracking bugs for this issue

Affects: fedora-all [bug 736838]
Comment 8 errata-xmlrpc 2011-09-19 13:54:03 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1317 https://rhn.redhat.com/errata/RHSA-2011-1317.html