Red Hat Bugzilla – Bug 738391
CVE-2011-3481 cyrus-imapd: NULL pointer dereference via crafted References header in email
Last modified: 2016-03-04 07:46:28 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3481 to
the following vulnerability:
The index_get_ids function in index.c in imapd in Cyrus IMAP Server
before 2.4.11, when server-side threading is enabled, allows remote
attackers to cause a denial of service (NULL pointer dereference and
daemon crash) via a crafted References header in an e-mail message.
Created attachment 524231
fix backported for RHEL5 version of cyrus-imapd
> Reproduced on RHEL4 too, fix verified on RHEL6. Upstream patch
> will need to be re-worked for cyrus versions in RHEL5 and older.
> Michal, can you look?
Is it safe to modify the headers buffer passed to index_get_ids? My concern was that the upstream patch was only touching a copy.
Created attachment 524618
> Is it safe to modify the headers buffer passed to index_get_ids? My concern
> was that the upstream patch was only touching a copy.
As far as I know, it should be safe in 2.3.7, but using a copy is safer, especially considering possible future fixes. I've updated the patch so it uses a copy too, as can be found in the RHEL6 version of cyrus-imapd.
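Added example, not cyrus-imapd's own code and not the exact parsing path inside index_get_ids (this report does not show it): a constructed C References-header parser that tokenises a private copy of the header, as the discussion above prefers, placed next to the unchecked list walk that would dereference NULL when a crafted header yields no message-id, and the hardened walk that treats that case as "no parent". The struct name, the function names and the sample headers are invented for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, not cyrus-imapd's index.c code.
 * One message-id taken from a References header. */
struct ref {
    char *id;            /* "<local@domain>", angle brackets included */
    struct ref *next;
};

/* Parse a References header value into a list of well-formed message-ids.
 * Tokenises a private copy of hdr, so the caller's buffer is never written
 * to (the in-place vs. copy question raised in the thread). Returns NULL
 * when no usable id is found: "<>" or "<no-at-sign>" land here, and every
 * caller has to cope with that. */
struct ref *refs_parse(const char *hdr)
{
    struct ref *head = NULL, *tail = NULL;
    char *copy = strdup(hdr);
    if (!copy) return NULL;

    for (char *p = copy; *p; ) {
        char *lt = strchr(p, '<');
        if (!lt) break;
        char *gt = strchr(lt + 1, '>');
        if (!gt) break;                     /* unterminated id: stop scanning */
        *gt = '\0';                         /* writes into the copy only */
        if (gt - lt > 1 && strchr(lt + 1, '@')) {   /* need "<x@y>" shape */
            struct ref *r = malloc(sizeof *r);
            char *id = malloc((size_t)(gt - lt) + 2);   /* '<' inner '>' NUL */
            if (!r || !id) { free(r); free(id); break; }
            sprintf(id, "<%s>", lt + 1);
            r->id = id;
            r->next = NULL;
            if (tail) tail->next = r; else head = r;
            tail = r;
        }
        p = gt + 1;
    }
    free(copy);
    return head;
}

void refs_free(struct ref *r)
{
    while (r) { struct ref *next = r->next; free(r->id); free(r); r = next; }
}

size_t refs_count(const struct ref *r)
{
    size_t n = 0;
    for (; r; r = r->next) n++;
    return n;
}

/* Vulnerable pattern: assumes at least one entry. On the NULL list that a
 * crafted References header produces, "r->next" dereferences NULL and the
 * daemon crashes. Kept for contrast; never called on the crafted input below. */
const char *thread_parent_unchecked(struct ref *r)
{
    while (r->next) r = r->next;
    return r->id;
}

/* Hardened form: an empty References list means "no parent", not a crash. */
const char *thread_parent(struct ref *r)
{
    if (!r) return NULL;
    while (r->next) r = r->next;
    return r->id;
}

int main(void)
{
    /* Constructed sample headers: one normal, one crafted to yield no id. */
    const char *good = "<a@x.example> <b@y.example>\r\n\t<c@z.example>";
    const char *crafted = "<> <no-at-sign> junk <unterminated@x";

    struct ref *r = refs_parse(good);
    printf("good:    %zu ids, parent %s\n", refs_count(r), thread_parent(r));
    refs_free(r);

    r = refs_parse(crafted);
    printf("crafted: %zu ids, parent %s\n", refs_count(r),
           thread_parent(r) ? thread_parent(r) : "(none)");
    refs_free(r);
    return 0;
}
```

The copy is what makes the parser safe to call on a header buffer the caller still needs afterwards; the `if (!r)` check in thread_parent is the whole difference between a crash and a message that simply starts a new thread.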
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:1508 https://rhn.redhat.com/errata/RHSA-2011-1508.html