Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3235 to the following vulnerability:

Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.

Note: Sieve implementation used in cyrus-imapd is affected by these issues too.

References:
http://dovecot.org/list/dovecot-news/2009-September/000135.html
http://www.kb.cert.org/vuls/id/336053 (for CVE-2009-2632)

Dovecot patches:
http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d

Cyrus upstream patches:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
Dovecot update for Fedora 10 already includes these fixes:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-9559

Dovecot on Fedora 11+ (uses different sieve plugin) and Red Hat Enterprise Linux 4 and 5 (no sieve plugin) are not affected by this flaw. cyrus-imapd packages in Fedora and Red Hat Enterprise Linux will be updated to address these flaws.
Mitigation notes: All these additional overflows are sprintf()s to static char buffers. On Red Hat Enterprise Linux 5 and later (including all current Fedora versions), these overflows are caught by FORTIFY_SOURCE, reducing the impact to a controlled abort of one of the cyrus-imapd child processes that are later re-spawned by the master.
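The pattern named in the mitigation note above, shown beside a bounded form, as an added example that is not code from Cyrus, Dovecot or this bug report. The function names, the message text and the 64-byte buffer size are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_LEN 64   /* constructed size, not taken from Cyrus or Dovecot */

/* Unbounded pattern from the note: sprintf() into a static char buffer.
 * Nothing limits how much of addr is written. Built with -O2 and
 * -D_FORTIFY_SOURCE=2 on glibc, the call is checked against the known
 * buffer size and the process aborts instead of writing past the end. */
const char *describe_unbounded(const char *addr)
{
    static char errbuf[ERRBUF_LEN];
    sprintf(errbuf, "redirect to <%s> refused", addr);
    return errbuf;
}

/* Bounded form: snprintf() writes at most size bytes and its return value
 * reveals truncation, so oversized input is rejected rather than causing
 * an abort or a silently cut-off message.
 * Returns 0 on success, -1 on truncation, encoding error or bad arguments. */
int describe_bounded(char *out, size_t size, const char *addr)
{
    int n;

    if (out == NULL || size == 0 || addr == NULL)
        return -1;
    n = snprintf(out, size, "redirect to <%s> refused", addr);
    if (n < 0 || (size_t)n >= size) {
        out[0] = '\0';   /* do not leave a partial message behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[ERRBUF_LEN];
    char long_addr[200];

    /* Constructed oversized input standing in for script-supplied data. */
    memset(long_addr, 'a', sizeof long_addr - 1);
    long_addr[sizeof long_addr - 1] = '\0';

    printf("short: %d\n", describe_bounded(buf, sizeof buf, "user@example.org"));
    printf("long:  %d\n", describe_bounded(buf, sizeof buf, long_addr));
    return 0;
}
```

FORTIFY_SOURCE only converts the overflow into an abort of the affected process; the bounded form removes the overflow itself.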
cyrus-imapd-2.3.15-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.15-1.fc10?_csrf_token=587baaef7d1faae0b1a721ba81aa239b1b72d48a
cyrus-imapd-2.3.15-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.15-1.fc11?_csrf_token=587baaef7d1faae0b1a721ba81aa239b1b72d48a
This issue has been addressed in following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4

Via RHSA-2009:1459 https://rhn.redhat.com/errata/RHSA-2009-1459.html
cyrus-imapd-2.3.15-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.3.15-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.