A buffer overflow flaw was discovered in cyrus sieve, caused by an incorrect way of determining the size of a buffer (sizeof() used on a pointer to heap-allocated memory). A malicious authenticated user able to edit a sieve script could use this flaw to trigger a server crash or execute arbitrary code with server privileges (run as user cyrus).
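The bug class named in the report, sizeof() applied to a pointer rather than to the buffer it points at, as an added, constructed C example. This is not cyrus-imapd code or its patch; the `strbuf` type and the function names are hypothetical, and the 256-byte buffer and 300-byte input are constructed values. It shows what sizeof() on a heap pointer actually returns, and the usual fix of carrying the real allocation size alongside the pointer so every write is bounded by it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not cyrus-imapd code. Illustrates why sizeof() on a
   heap-allocated pointer is the wrong way to size a buffer, and a pattern
   that keeps the real capacity next to the pointer. */

/* Buggy pattern: 'buf' is a pointer, so sizeof(buf) is the size of the
   pointer itself (4 or 8 bytes), not the 'cap' bytes that were allocated.
   Returns the value the buggy code believes is the capacity. */
size_t capacity_via_sizeof(size_t cap)
{
    char *buf = malloc(cap);
    if (buf == NULL)
        return 0;
    size_t believed = sizeof(buf);   /* BUG: size of the pointer, not the buffer */
    free(buf);
    return believed;
}

/* Hardened pattern (hypothetical type): the capacity travels with the pointer. */
struct strbuf {
    char  *data;
    size_t cap;     /* bytes allocated for data, including the terminating NUL */
    size_t len;     /* bytes currently used, excluding the terminating NUL */
};

int strbuf_init(struct strbuf *sb, size_t cap)
{
    if (cap == 0)
        return -1;
    sb->data = malloc(cap);
    if (sb->data == NULL)
        return -1;
    sb->data[0] = '\0';
    sb->cap = cap;
    sb->len = 0;
    return 0;
}

/* Append n bytes of src; refuse (return -1) rather than write past the end.
   The bound is sb->cap, the tracked allocation size, never sizeof(sb->data). */
int strbuf_append(struct strbuf *sb, const char *src, size_t n)
{
    if (n > sb->cap - 1 - sb->len)   /* would not fit together with the NUL */
        return -1;
    memcpy(sb->data + sb->len, src, n);
    sb->len += n;
    sb->data[sb->len] = '\0';
    return 0;
}

void strbuf_free(struct strbuf *sb)
{
    free(sb->data);
    sb->data = NULL;
    sb->cap = sb->len = 0;
}

/* Feed a constructed input of input_len bytes into a cap-byte buffer through
   the bounded append. Returns 1 if the append rejected the input because it
   would not fit, 0 if it was accepted (or on allocation failure). */
int demo_rejects_overflow(size_t cap, size_t input_len)
{
    struct strbuf sb;
    if (strbuf_init(&sb, cap) != 0)
        return 0;
    char *input = malloc(input_len);
    if (input == NULL) {
        strbuf_free(&sb);
        return 0;
    }
    memset(input, 'A', input_len);   /* constructed oversize payload */
    int rc = strbuf_append(&sb, input, input_len);
    free(input);
    strbuf_free(&sb);
    return rc == -1;
}

int main(void)
{
    printf("sizeof(heap pointer) reports %zu bytes; the allocation was 256\n",
           capacity_via_sizeof(256));
    printf("bounded append rejected 300 bytes into a 256-byte buffer: %s\n",
           demo_rejects_overflow(256, 300) ? "yes" : "no");
    printf("bounded append accepted 100 bytes into a 256-byte buffer: %s\n",
           demo_rejects_overflow(256, 100) ? "no" : "yes");
    return 0;
}
```

The practical check for code review is mechanical: any `sizeof(x)` where `x` is declared as a pointer (or is a function parameter declared as an array, which decays to a pointer) is sizing the pointer, not the data. Compilers flag some of these (`-Wsizeof-pointer-memaccess` in GCC and Clang catches the memcpy/memset forms), but a length field kept next to the pointer removes the question entirely.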
Created attachment 359636: Upstream patch which should be applicable to both 2.2 and 2.3 versions

Upstream commit:
http://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
http://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.67&r2=1.68
This is CERT VU#336053.
Public now via Debian DSA 1881:
http://lists.debian.org/debian-security-announce/2009/msg00200.html
http://packages.debian.org/changelogs/pool/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-15/changelog
cyrus-imapd-2.3.14-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc10
cyrus-imapd-2.3.14-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc11
cyrus-imapd-2.3.14-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.3.14-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
CERT advisory is public now: http://www.kb.cert.org/vuls/id/336053
Upstream announcement: http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
Fixed in: 2.2.13p1 and 2.3.15

Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was affected by this flaw. Upstream announcement: http://dovecot.org/list/dovecot-news/2009-September/000135.html
Upstream recommends using a different sieve plugin for dovecot 1.2.x versions. That version is used in the dovecot packages in Fedora 11 and later. The dovecot packages in Red Hat Enterprise Linux 4 and 5 do not include the sieve plugin.
dovecot-1.1.18-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #13)
> Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was
> affected by this flaw. Upstream announcement:
>
> http://dovecot.org/list/dovecot-news/2009-September/000135.html

Additional overflows found by Timo Sirainen were assigned CVE-2009-3235 and are tracked via bug #523910.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html