c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows
remote malicious IMAP servers to cause a denial of service (crash) and
possibly execute arbitrary code via certain large (1) literal and (2)
mailbox size values that cause either integer signedness errors or
integer overflow errors.
All distributions have imap-2001a, except not shipped in 2.1WS
Not yet investigated fix, meant to be part of imap-2002c
According to the link below the 2001a implementation that was shipped in RHL-9
would not have had the security violation unless it had been specifically
defeated. Unfortunately our CVS does not go back long enough to look at all the
spec files but I'd be surprised if we defeated it. Also, in the link below and a
search on the UW web site I was not able to find a reference to the security
issue cited above, where did this come from? Since UW does not reference this
issue I'll need some more details.
Here are the original details:
I believe this to be a different issue to the one in the URL you refer to.
Leaving as security status until otherwise determined.
O.K. thanks. Our current release is imap2002c, I see that imap2002d was recently
released. imap2002c is sufficient but we might as well go to imap2002d. I will
upgrade dist-10 and file an errata for dist-9. BTW, from my reading this is a
very low risk issue from a security standpoint, it seems like the worst that
would happen is someone's mailreader would crash, but we might as well fix it anyway.
Oops ... I was wrong, I said we were at 2002c but I had already updated dist-10
and dist-3.0E with 2002d which is the latest, so we're golden there. I think all
I need to do is file an errata against dist-9 to bring it up to 2002d.
Errata RHSA-2003:266-02 for RHL 9 was generated.
Leaving in modified state until the errata is published at which point this bug
will be automatically closed.
This issue affects imap-2001a in RHEL2.1. Patch to follow.
Created attachment 107826
Patch (offsets may be wrong)
What are the odds of getting this fixed in the near future?
In all honesty this to some degree is your call. I've been asked to focus on new
product development and put package maintenance on the back burner. I also just
finished begging permission to finish some dovecot updates, our UW imap
replacement. Of course security concerns trump all. This particular issue has
lingered in 2.1 for quite a while now. If you feel this needs immediate
attention at this juncture you need only say so and I'll go to my manager.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
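
The integer signedness and overflow class named in the summary at the top of this report, shown for the literal-size case as an added C illustration (not c-client code and not the attached patch): a weak literal-count parser beside a range-checked one. The function names, the sample inputs and the MAX_LITERAL cap are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-literal cap for this example (64 MiB). */
#define MAX_LITERAL (64u * 1024u * 1024u)

/* Weak pattern: digits are accumulated with no range check and the
 * count ends up in a signed type. Done in uint32_t so the demo itself
 * is well defined; the cast is where a large count turns negative. */
static int32_t parse_literal_weak(const char *s)
{
    uint32_t n = 0;
    if (*s++ != '{') return -1;
    while (isdigit((unsigned char)*s)) n = n * 10u + (uint32_t)(*s++ - '0');
    return (int32_t)n;
}

/* Checked: accepts only "{digits}" whose value is <= MAX_LITERAL,
 * testing before each multiply so the accumulator can never wrap.
 * Returns 0 and stores the size on success, -1 on rejection. */
static int parse_literal_checked(const char *s, size_t *out)
{
    uint32_t n = 0;
    if (*s++ != '{' || !isdigit((unsigned char)*s)) return -1;
    for (; isdigit((unsigned char)*s); s++) {
        uint32_t d = (uint32_t)(*s - '0');
        if (n > (MAX_LITERAL - d) / 10u) return -1; /* would exceed cap */
        n = n * 10u + d;
    }
    if (*s != '}') return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed sample literal prefixes, not captured traffic. */
    const char *samples[] = { "{310}", "{4294967295}", "{4294967296}", "{-1}" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t len = 0;
        int ok = parse_literal_checked(samples[i], &len);
        printf("%-14s weak=%ld checked=%s\n", samples[i],
               (long)parse_literal_weak(samples[i]), ok == 0 ? "accept" : "reject");
    }
    return 0;
}
```

A size that comes back negative or wrapped to zero from the weak parser is what later reaches allocation and copy lengths; the checked parser refuses it before any buffer is sized.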