Hi Aeneas,

(cc cyrus-devel: these are in relation to the discussion on list with Florian a few weeks ago)

There were two commits related to that pair of CVEs:

One of those commits applies to 2.3, so I've now backported it to the 2.3 git branch.

The other commit changes code that doesn't exist on the 2.3 branch, so I haven't backported it.

Cheers,

ellie

On Wed, Nov 18, 2015, at 07:24 PM, Aeneas Jaißle wrote:
> Hi Ellie,
>
> I have a question about cyrus-imapd and the above mentioned CVEs. I see
> it's reported against and fixed in the 2.4, 2.5 and master branches, but
> not 2.3.
>
>
> In 2.3.19, we have
>     /* Sanity check the requested size */
>     if (size && (offset + size > msg_size))
>         n = msg_size - offset;
>     else
>         n = size;
>
> whereas
>     unsigned long msg_size = 0;
>     ...
>     unsigned size, offset = 0, skip = 0;
>     int n, r = 0;
>
> , so it looks vulnerable to me (at least CVE-2015-8077). Then again, I
> have no knowledge of the code, so maybe you can give me your opinion
> (and in case help to provide a patch?)
>
>
> --
> ____
> /@ ~-. Aeneas Jaißle
> \/ __ .- | ✉ a...@ajaissle.de
> // // @
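
An added example, not part of this thread and not Cyrus code: the quoted sanity check with the quoted variable types, next to an overflow-safe range check, so the arithmetic in question can be run on a few inputs. The function names, the `msg_size` of 100 and the -1 rejection value are assumptions made for illustration, and `unsigned` is assumed to be 32 bits wide.

```c
#include <limits.h>
#include <stdio.h>

/* The check as quoted from 2.3.19, with the quoted types.
 * Returns the byte count n the caller would go on to use. */
static int quoted_check(unsigned long msg_size, unsigned offset, unsigned size)
{
    int n;
    /* offset + size is computed in unsigned and wraps before the compare */
    if (size && (offset + size > msg_size))
        n = msg_size - offset;   /* underflows when offset > msg_size */
    else
        n = size;
    return n;
}

/* Overflow-safe variant (hypothetical): validate offset first, then
 * compare size against the remaining bytes instead of adding. */
static int checked_range(unsigned long msg_size, unsigned offset, unsigned size)
{
    unsigned long avail, n = size;

    if (offset > msg_size)
        return -1;               /* start lies outside the message */
    avail = msg_size - offset;   /* cannot underflow after the test above */
    if (n > avail)
        n = avail;               /* clamp to what is actually there */
    if (n > INT_MAX)
        return -1;               /* would not fit the int the caller uses */
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: {offset, size} against a 100-byte message. */
    unsigned cases[][2] = { {10, 20}, {90, 20}, {200, 50}, {0xFFFFFFF0u, 0x20u} };
    unsigned long msg_size = 100;
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%u size=%u quoted n=%d checked n=%d\n",
               cases[i][0], cases[i][1],
               quoted_check(msg_size, cases[i][0], cases[i][1]),
               checked_range(msg_size, cases[i][0], cases[i][1]));
    return 0;
}
```

In the last case the sum wraps to 16, the quoted check passes and returns n = 32 for an offset far past the end of the message; the checked variant rejects it.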