Bug 97344 - CAN-2003-0297 c-client imap issue
Summary: CAN-2003-0297 c-client imap issue
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: imap
Version: 2.1
Hardware: All Linux
Target Milestone: ---
Assignee: John Dennis
QA Contact: David Lawrence
URL: http://marc.theaimsgroup.com/?l=bugtr...
Whiteboard: Other, impact=low,public=20030514
Keywords: Security
Depends On:
Reported: 2003-06-13 13:06 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-02-18 15:16:22 UTC

Attachments
Patch (offsets may be wrong) (808 bytes, patch)
2004-12-03 12:27 UTC, Mark J. Cox

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2005:114
Priority: low
Status: SHIPPED_LIVE
Summary: Low: imap security update
Last Updated: 2005-02-18 05:00:00 UTC

Description Mark J. Cox 2003-06-13 13:06:41 UTC
c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows
remote malicious IMAP servers to cause a denial of service (crash) and
possibly execute arbitrary code via certain large (1) literal and (2)
mailbox size values that cause either integer signedness errors or
integer overflow errors.

All distributions have imap-2001a, except not shipped in 2.1WS

Not yet investigated fix, meant to be part of imap-2002c
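
Added example (not from this bug report, the attached patch, or c-client itself): a minimal C sketch of the bug class described above, parsing server-supplied literal and mailbox size values so that they can neither wrap nor go negative. The caps, the function names, and the reading of "mailbox size" as the message count in an untagged EXISTS response are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed policy caps for this example (not values taken from c-client). */
#define MAX_LITERAL_BYTES 67108864UL   /* 64 MiB */
#define MAX_MESSAGES      10000000UL

/* Read decimal digits at *pp into *out, failing if there are none or the
 * value would exceed max. The check runs before each multiply, so the
 * accumulator can never wrap. Advances *pp past the digits on success. */
static int parse_bounded(const char **pp, unsigned long max, unsigned long *out)
{
    const char *p = *pp;
    unsigned long n = 0;

    if (*p < '0' || *p > '9')            /* also rejects '-', '+', spaces */
        return -1;
    for (; *p >= '0' && *p <= '9'; p++) {
        unsigned long d = (unsigned long)(*p - '0');
        if (n > (max - d) / 10)          /* n*10 + d would exceed max */
            return -1;
        n = n * 10 + d;
    }
    *pp = p;
    *out = n;
    return 0;
}

/* Literal prefix "{<size>}\r\n": 0 on success, -1 if malformed or too large. */
int parse_literal_size(const char *s, unsigned long *size)
{
    if (*s++ != '{' || parse_bounded(&s, MAX_LITERAL_BYTES, size) != 0)
        return -1;
    return strncmp(s, "}\r\n", 3) == 0 ? 0 : -1;
}

/* Untagged "* <count> EXISTS" response: 0 on success, -1 otherwise. */
int parse_exists(const char *s, unsigned long *count)
{
    if (strncmp(s, "* ", 2) != 0)
        return -1;
    s += 2;
    if (parse_bounded(&s, MAX_MESSAGES, count) != 0)
        return -1;
    return strncmp(s, " EXISTS\r\n", 9) == 0 ? 0 : -1;
}

/* What the checks guard against: 32-bit size arithmetic silently wraps. */
uint32_t wrapped_alloc_size(uint32_t literal) { return literal + 1u; }
```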

Comment 1 John Dennis 2003-08-18 20:15:32 UTC
According to the link below the 2001a implementation that was shipped in RHL-9
would not have had the security violation unless it had been specifically
defeated. Unfortunately our CVS does not go back long enough to look at all the
spec files but I'd be surprised if we defeated it. Also, in the link below and a
search on the UW web site I was not able to find a reference to the security
issue cited above, where did this come from? Since UW does not reference this
issue I'll need some more details.


Comment 2 Mark J. Cox 2003-08-18 20:28:32 UTC
Here are the original details:

I believe this to be a different issue to the one in the URL you refer to. 
Leaving as security status until otherwise determined.

Comment 3 John Dennis 2003-08-19 13:47:45 UTC
O.K. thanks. Our current release is imap2002c, I see that imap2002d was recently
released. imap2002c is sufficient but we might as well go to imap2002d. I will
upgrade dist-10 and file an errata for dist-9. BTW, from my reading this is a
very low risk issue from a security standpoint, it seems like the worst that
would happen is someone's mailreader would crash, but we might as well fix it anyway.

Comment 4 John Dennis 2003-08-19 15:13:57 UTC
Oops ... I was wrong, I said we were at 2002c but I had already updated dist-10
and dist-3.0E with 2002d which is the latest, so we're golden there. I think all
I need to do is file an errata against dist-9 to bring it up to 2002d.

Comment 5 John Dennis 2003-08-22 18:09:28 UTC
Errata RHSA-2003:266-02 for RHL 9 was generated.

Comment 6 Mark J. Cox 2003-08-25 07:27:25 UTC
Leaving in modified state until the errata is published at which point this bug
will be automatically closed.

Comment 7 Mark J. Cox 2004-12-03 12:26:04 UTC
This issue affects imap-2001a in RHEL2.1.  Patch to follow.

Comment 8 Mark J. Cox 2004-12-03 12:27:02 UTC
Created attachment 107826
Patch (offsets may be wrong)

Comment 9 Josh Bressers 2005-01-13 20:31:17 UTC

What are the odds of getting this fixed in the near future?

Comment 10 John Dennis 2005-01-13 20:56:45 UTC
In all honesty this to some degree is your call. I've been asked to focus on new
product development and put package maintenance on the back burner. I also just
finished begging permission to finish some dovecot updates, our UW imap
replacement. Of course security concerns trump all. This particular issue has
lingered in 2.1 for quite a while now. If you feel this needs immediate
attention at this juncture you need only say so and I'll go to my manager.

Comment 11 Josh Bressers 2005-02-18 15:16:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

