Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3481 to the following vulnerability:

Name: CVE-2011-3481
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3481
Assigned: 20110914
Reference: http://bugzilla.cyrusimap.org/show_bug.cgi?id=2772
Reference: http://bugzilla.cyrusimap.org/show_bug.cgi?id=3463
Reference: http://git.cyrusimap.org/cyrus-imapd/commit/?id=6e776956a1a9dfa58eacdd0ddd52644009eac9e5

The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.
Created attachment 524231
fix backported for RHEL5 version of cyrus-imapd

> Reproduced on RHEL4 too, fix verified on RHEL6. Upstream patch
> will need to be re-worked for cyrus versions in RHEL5 and older.
> Michal, can you look?

attached
Is it safe to modify the headers buffer passed to index_get_ids? My concern was that the upstream patch was only touching a copy.
Created attachment 524618
updated patch

> Is it safe to modify the headers buffer passed to index_get_ids? My concern
> was that the upstream patch was only touching a copy.

As far as I know, it should be safe in 2.3.7, but using a copy is safer, especially considering possible future fixes. I've updated the patch so that it uses a copy too, as can be found in the RHEL6 version of cyrus-imapd.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1508 https://rhn.redhat.com/errata/RHSA-2011-1508.html