734926 – (CVE-2011-3208) CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()

Bug 734926 (CVE-2011-3208) - CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()

Summary: CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-3208
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	735388 735389 735390 735391 735392 736838 833884 844262
Blocks:	734930
TreeView+	depends on / blocked

Reported:	2011-08-31 21:18 UTC by Vincent Danen
Modified:	2023-05-12 20:07 UTC (History)
CC List:	4 users (show)
Fixed In Version:	cyrus-imapd 2.4.11
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-02-28 21:32:02 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1317	0	normal	SHIPPED_LIVE	Important: cyrus-imapd security update	2011-09-19 17:53:53 UTC

Description Vincent Danen 2011-08-31 21:18:16 UTC

A remotely exploitable buffer overflow flaw was found in Cyrus' nntpd.  A malicious NNTP client would be able to exploit this to execute arbitrary code on a vulnerable nntpd server.  If the 'allowanonymouslogin' option was set in imapd.conf, it could be done without authentication.

When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5 and 6, as well as Fedora), this flaw is not exploitable and will result in a crash of the nntpd service.

The following patch will correct the flaw:

diff --git a/imap/nntpd.c b/imap/nntpd.c
index 56405d3..6b30174 100644
--- a/imap/nntpd.c
+++ b/imap/nntpd.c
@@ -4131,7 +4131,8 @@ static struct wildmat *split_wildmats(char *str)
        else if (*c == '@') wild[n].not = -1;   /* absolute not (feeding) */
        else wild[n].not = 0;

-       strcpy(p, wild[n].not ? c + 1 : c);
+       strncpy(p, wild[n].not ? c + 1 : c, pattern+sizeof(pattern) - p);
+       pattern[sizeof(pattern)-1] = '\0';
        wild[n++].pat = xstrdup(pattern);
     } while (c != str);
     wild[n].pat = NULL;

Comment 1 Vincent Danen 2011-09-01 17:57:41 UTC

This issue has the name CVE-2011-3208 and will be made public on 8 Sep 2011.

Comment 4 Tomas Hoger 2011-09-02 15:04:45 UTC

(In reply to comment #0)
> When compiled with FORTIFY_SOURCE (the default on Red Hat Enterprise Linux 5
> and 6, as well as Fedora), this flaw is not exploitable and will result in a
> crash of the nntpd service.

This bug is not caught by FORTIFY_SOURCE as upstream indicated, but the overflow may be detected later if compiled with stack protector (SSP).  cyrus-imapd in Red Hat Enterprise Linux 5 and 6 have SSP enabled, which increases exploit difficulty.

The code is executed in the nntpd child process running as user cyrus.  The crash of the process only affects attacker's connection and does not impact nntpd service availability.

Comment 5 Tomas Hoger 2011-09-05 10:34:50 UTC

Acknowledgement:

Red Hat would like to thank Greg Banks for reporting this issue.

Comment 6 Tomas Hoger 2011-09-08 20:02:47 UTC

Fixed upstream versions 2.3.17 and 2.4.11 released:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=199
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-announce&msg=200

Upstream git commit:
http://git.cyrusimap.org/cyrus-imapd/commit/?id=0f8f026699829b65733c3081657b24e2174f4f4d

Comment 7 Tomas Hoger 2011-09-08 20:03:34 UTC

Created cyrus-imapd tracking bugs for this issue

Affects: fedora-all [bug 736838]

Comment 8 errata-xmlrpc 2011-09-19 17:54:03 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1317 https://rhn.redhat.com/errata/RHSA-2011-1317.html

Note You need to log in before you can comment on or make changes to this bug.