Bug 97344 - CAN-2003-0297 c-client imap issue
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: imap
Version: 2.1
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: John Dennis
David Lawrence
http://marc.theaimsgroup.com/?l=bugtr...
Other, impact=low,public=20030514
Keywords: Security
Reported: 2003-06-13 09:06 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:06 EST

Doc Type: Bug Fix
Last Closed: 2005-02-18 10:16:22 EST


Attachments
Patch (offsets may be wrong) (808 bytes, patch)
2004-12-03 07:27 EST, Mark J. Cox (Product Security)

Description Mark J. Cox (Product Security) 2003-06-13 09:06:41 EDT
c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows
remote malicious IMAP servers to cause a denial of service (crash) and
possibly execute arbitrary code via certain large (1) literal and (2)
mailbox size values that cause either integer signedness errors or
integer overflow errors.

All distributions have imap-2001a, except not shipped in 2.1WS

Not yet investigated fix, meant to be part of imap-2002c
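
The bug class named in the description above (signedness and overflow errors on a server-supplied literal size), as an added C example; it is not c-client code and not the patch attached to this bug. The function names, the `MAX_LITERAL` cap and the sample headers are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on one literal (64 MiB); not a value from c-client. */
#define MAX_LITERAL (64u * 1024u * 1024u)

/* Weak pattern: the server-controlled count ends up in a signed int, so
 * "{4294967295}" becomes -1 on common platforms and a later "size + 1"
 * allocation or length comparison goes wrong. */
static int naive_literal_size(const char *s) {
    return (int)strtoul(s + 1, NULL, 10);   /* no syntax, sign or range check */
}

/* Checked parse of an IMAP literal header "{digits}".
 * Returns 0 and stores the size on success, -1 on malformed or oversized input. */
static int parse_literal_size(const char *s, size_t *out) {
    uint64_t n = 0;
    if (s == NULL || out == NULL || *s++ != '{') return -1;
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects "{}", "{-1}", "{+5}" */
    for (; isdigit((unsigned char)*s); s++) {
        n = n * 10 + (uint64_t)(*s - '0');
        if (n > MAX_LITERAL) return -1;           /* bail out long before n can wrap */
    }
    if (s[0] != '}' || s[1] != '\0') return -1;   /* must be closed, no trailing bytes */
    *out = (size_t)n;
    return 0;
}

/* Allocate a NUL-terminated buffer for the literal body. */
static char *alloc_literal(const char *header, size_t *len) {
    if (parse_literal_size(header, len) != 0) return NULL;
    return calloc(*len + 1, 1);   /* +1 cannot wrap: *len <= MAX_LITERAL */
}

int main(void) {
    const char *hdrs[] = {"{310}", "{4294967295}", "{-1}"};   /* constructed inputs */
    for (int i = 0; i < 3; i++) {
        size_t n = 0;
        int ok = parse_literal_size(hdrs[i], &n) == 0;
        printf("%-14s naive=%d checked=%s\n", hdrs[i],
               naive_literal_size(hdrs[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```
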
Comment 1 John Dennis 2003-08-18 16:15:32 EDT
According to the link below the 2001a implementation that was shipped in RHL-9
would not have had the security violation unless it had been specifically
defeated. Unfortunately our CVS does not go back long enough to look at all the
spec files but I'd be surprised if we defeated it. Also, in the link below and a
search on the UW web site I was not able to find a reference to the security
issue cited above, where did this come from? Since UW does not reference this
issue I'll need some more details.

http://www.washington.edu/imap/buffer.html
Comment 2 Mark J. Cox (Product Security) 2003-08-18 16:28:32 EDT
Here are the original details:
http://marc.theaimsgroup.com/?l=bugtraq&m=105294024124163&w=2

I believe this to be a different issue to the one in the URL you refer to. 
Leaving as security status until otherwise determined.
Comment 3 John Dennis 2003-08-19 09:47:45 EDT
O.K. thanks. Our current release is imap2002c, I see that imap2002d was recently
released. imap2002c is sufficient but we might as well go to imap2002d. I will
upgrade dist-10 and file an errata for dist-9. BTW, from my reading this is a
very low risk issue from a security standpoint, it seems like the worst that
would happen is someone's mailreader would crash, but we might as well fix it anyway.
Comment 4 John Dennis 2003-08-19 11:13:57 EDT
Oops ... I was wrong, I said we were at 2002c but I had already updated dist-10
and dist-3.0E with 2002d which is the latest, so we're golden there. I think all
I need to do is file an errata against dist-9 to bring it up to 2002d.
Comment 5 John Dennis 2003-08-22 14:09:28 EDT
Errata RHSA-2003:266-02 for RHL 9 was generated.
Comment 6 Mark J. Cox (Product Security) 2003-08-25 03:27:25 EDT
Leaving in modified state until the errata is published at which point this bug
will be automatically closed.
Comment 7 Mark J. Cox (Product Security) 2004-12-03 07:26:04 EST
This issue affects imap-2001a in RHEL2.1.  Patch to follow.
Comment 8 Mark J. Cox (Product Security) 2004-12-03 07:27:02 EST
Created attachment 107826
Patch (offsets may be wrong)
Comment 9 Josh Bressers 2005-01-13 15:31:17 EST
John,

What are the odds of getting this fixed in the near future?
Comment 10 John Dennis 2005-01-13 15:56:45 EST
In all honesty this to some degree is your call. I've been asked to focus on new
product development and put package maintenance on the back burner. I also just
finished begging permission to finish some dovecot updates, our UW imap
replacement. Of course security concerns trump all. This particular issue has
lingered in 2.1 for quite a while now. If you feel this needs immediate
attention at this juncture you need only say so and I'll go to my manager.
Comment 11 Josh Bressers 2005-02-18 10:16:22 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-114.html
