Bug 521010 (CVE-2009-2632) - CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve
Summary: CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 521011 521056 521057 521058
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-03 07:50 UTC by Tomas Hoger
Modified: 2019-09-29 12:31 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-23 15:40:48 UTC
Embargoed:


Attachments (Terms of Use)
Upstream patch which should be applicable to both 2.2 and 2.3 versions (2.56 KB, patch)
2009-09-03 07:54 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1459 0 normal SHIPPED_LIVE Important: cyrus-imapd security update 2009-09-23 14:55:29 UTC

Description Tomas Hoger 2009-09-03 07:50:01 UTC
A buffer overflow flaw was discovered in cyrus sieve caused by an incorrect way used to determine size of a buffer (sizeof() used on pointer to heap-allocated memory).  A malicious authenticated user able to edit sieve script could use this flaw to trigger server crash or execute arbitrary code with server privileges (run as user cyrus).

Comment 2 Tomas Hoger 2009-09-03 07:54:15 UTC
Created attachment 359636 [details]
Upstream patch which should be applicable to both 2.2 and 2.3 versions

Comment 6 Vincent Danen 2009-09-04 23:00:59 UTC
This is CERT VU#336053.

Comment 8 Fedora Update System 2009-09-07 15:02:47 UTC
cyrus-imapd-2.3.14-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc10

Comment 9 Fedora Update System 2009-09-07 15:02:52 UTC
cyrus-imapd-2.3.14-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.14-2.fc11

Comment 10 Fedora Update System 2009-09-09 01:53:03 UTC
cyrus-imapd-2.3.14-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-09-09 01:54:46 UTC
cyrus-imapd-2.3.14-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Tomas Hoger 2009-09-09 19:07:52 UTC
CERT advisory is public now:
http://www.kb.cert.org/vuls/id/336053

Upstream anouncement:
http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html

Fixed in: 2.2.13p1 and 2.3.15

Comment 13 Tomas Hoger 2009-09-14 09:53:52 UTC
Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was affected by this flaw.  Upstream announcement:

http://dovecot.org/list/dovecot-news/2009-September/000135.html

Upstream recommends using different sieve plugin for dovecot 1.2.x versions.  That version is used dovecot packages in Fedora 11 and later.

dovecot packages in Red Hat Enterprise Linux 4 and 5 do not include sieve plugin.

Comment 15 Fedora Update System 2009-09-15 07:41:52 UTC
dovecot-1.1.18-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Tomas Hoger 2009-09-17 07:30:05 UTC
(In reply to comment #13)
> Dovecot's CMU sieve plugin is derived from the code used in cyrus-imapd and was
> affected by this flaw.  Upstream announcement:
> 
> http://dovecot.org/list/dovecot-news/2009-September/000135.html

Additional overflows found by Timo Sirainen were assigned CVE CVE-2009-3235 and are tracked via bug #523910.

Comment 18 errata-xmlrpc 2009-09-23 14:55:39 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html


Note You need to log in before you can comment on or make changes to this bug.