Bug 734926 (CVE-2011-3208) - CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()
Summary: CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 735388 735389 735390 735391 735392 736838 833884 844262
Blocks: 734930
TreeView+ depends on / blocked
 
Reported: 2011-08-31 21:18 UTC by Vincent Danen
Modified: 2023-05-12 20:07 UTC (History)
4 users (show)

Fixed In Version: cyrus-imapd 2.4.11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-28 21:32:02 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1317 0 normal SHIPPED_LIVE Important: cyrus-imapd security update 2011-09-19 17:53:53 UTC

Description Vincent Danen 2011-08-31 21:18:16 UTC
A remotely exploitable buffer overflow flaw was found in Cyrus' nntpd.  A malicious NNTP client would be able to exploit this to execute arbitrary code on a vulnerable nntpd server.  If the 'allowanonymouslogin' option was set in imapd.conf, it could be done without authentication.

When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 and 6, as well as Fedora), this flaw is not exploitable and will result in a crash of the nntpd service.

The following patch will correct the flaw:

diff --git a/imap/nntpd.c b/imap/nntpd.c
index 56405d3..6b30174 100644
--- a/imap/nntpd.c
+++ b/imap/nntpd.c
@@ -4131,7 +4131,8 @@ static struct wildmat *split_wildmats(char *str)
        else if (*c == '@') wild[n].not = -1;   /* absolute not (feeding) */
        else wild[n].not = 0;

-       strcpy(p, wild[n].not ? c + 1 : c);
+       strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p);
+       pattern[sizeof(pattern)-1] = '\0';
        wild[n++].pat = xstrdup(pattern);
     } while (c != str);
     wild[n].pat = NULL;

Comment 1 Vincent Danen 2011-09-01 17:57:41 UTC
This issue has the name CVE-2011-3208 and will be made public on 8 Sep 2011.

Comment 4 Tomas Hoger 2011-09-02 15:04:45 UTC
(In reply to comment #0)
> When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5
> and 6, as well as Fedora), this flaw is not exploitable and will result in a
> crash of the nntpd service.

This bug is not caught by FORTIFY_SOURCE as upstream indicated, but the overflow may be detected later if compiled with stack protector (SSP).  cyrus-imapd in Red Hat Enterprise Linux 5 and 6 have SSP enabled, which increases exploit difficulty.

The code is executed in the nntpd child process running as user cyrus.  The crash of the process only affects attacker's connection and does not impact nntpd service availability.

Comment 5 Tomas Hoger 2011-09-05 10:34:50 UTC
Acknowledgement:

Red Hat would like to thank Greg Banks for reporting this issue.

Comment 7 Tomas Hoger 2011-09-08 20:03:34 UTC
Created cyrus-imapd tracking bugs for this issue

Affects: fedora-all [bug 736838]

Comment 8 errata-xmlrpc 2011-09-19 17:54:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1317 https://rhn.redhat.com/errata/RHSA-2011-1317.html


Note You need to log in before you can comment on or make changes to this bug.