Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Giuseppe Iuculano
Package: cyrus-imapd-2.2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cyrus-imapd-2.2.

CVE-2009-3235[0]:
| Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
| 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
| allow context-dependent attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted SIEVE script, as
| demonstrated by forwarding an e-mail message to a large number of
| recipients, a different vulnerability than CVE-2009-2632.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
http://security-tracker.debian.net/tracker/CVE-2009-3235
Patch:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h





-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Benjamin Seidenberg
fixed 547947 2.2.13-15
thanks

A fix was released before the CVE was even published.

Giuseppe Iuculano wrote:
 Package: cyrus-imapd-2.2
 Severity: grave
 Tags: security patch

 Hi,
 the following CVE (Common Vulnerabilities & Exposures) id was
 published for cyrus-imapd-2.2.

 CVE-2009-3235[0]:
 | Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
 | 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
 | allow context-dependent attackers to cause a denial of service (crash)
 | and possibly execute arbitrary code via a crafted SIEVE script, as
 | demonstrated by forwarding an e-mail message to a large number of
 | recipients, a different vulnerability than CVE-2009-2632.

 If you fix the vulnerability please also make sure to include the
 CVE id in your changelog entry.

 For further information see:

 [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
 http://security-tracker.debian.net/tracker/CVE-2009-3235
 Patch:
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h



___
Pkg-Cyrus-imapd-Debian-devel mailing list
pkg-cyrus-imapd-debian-de...@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-cyrus-imapd-debian-devel

Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Giuseppe Iuculano
notfixed 547947 2.2.13-15
thanks

Benjamin Seidenberg wrote:
 A fix was released before the CVE was even published.


 Patch:
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h


This is a different vulnerability from CVE-2009-2632; there are a few
additional buffer overflows not yet covered, see the patches.

Cheers,
Giuseppe.

Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Henrique de Moraes Holschuh
On Tue, 22 Sep 2009, Henrique de Moraes Holschuh wrote:
 Full patch for cve-2009-3235 for cyrus-imap-2.2.  One hunk of bc_eval.c
 doesn't apply to the older version (no BC_BODY handling).
 
 I will commit it to the trunk in a few minutes.

SVN trunk ready for release.  Unfortunately, I don't have a clean system at
hand to do the build and upload (nor am I used to svn-buildpackage, so it
would take a while to do it anyway).

Can someone else please tag, build and upload?

Also, we need the same fix to be applied to stable and old-stable...

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Henrique de Moraes Holschuh
found 547947 2.2.12-1
fixed 547947 2.2.13-10+etch2
fixed 547947 2.2.13-14+lenny1
thanks

On Tue, 22 Sep 2009, Benjamin Seidenberg wrote:
 fixed 547947 2.2.13-15
 thanks
 
 A fix was released before the CVE was even published.

Indeed.  I am not sure how old this bug is, it might well go further
back than 2.2.12, but that won't matter to Debian.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Henrique de Moraes Holschuh
notfixed 547947 2.2.13-10+etch2
notfixed 547947 2.2.13-14+lenny1
tag 547947 + confirmed
thanks

Well, it looks like we need to go another round of security updates for
Cyrus.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Henrique de Moraes Holschuh
Full patch for cve-2009-3235 for cyrus-imap-2.2.  One hunk of bc_eval.c
doesn't apply to the older version (no BC_BODY handling).

I will commit it to the trunk in a few minutes.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
Index: sieve/script.c
===
--- sieve/script.c	(revision 842)
+++ sieve/script.c	(working copy)
@@ -526,9 +526,9 @@
 if ((ret != SIEVE_OK)  interp-err) {
 	char buf[1024];
 	if (lastaction == -1) /* we never executed an action */
-	sprintf(buf, %s, errmsg ? errmsg : sieve_errstr(ret));
+	snprintf(buf, sizeof(buf), %s, errmsg ? errmsg : sieve_errstr(ret));
 	else
-	sprintf(buf, %s: %s, action_to_string(lastaction),
+	snprintf(buf, sizeof(buf), %s: %s, action_to_string(lastaction),
 		errmsg ? errmsg : sieve_errstr(ret));
  
 	ret |= interp-execute_err(buf, interp-interp_context,
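Review bot: both snprintf calls discard the return value, so an errmsg longer than the 1024-byte buf is silently cut before it reaches interp->execute_err; if errmsg can carry text from the script being run, consider checking `if (n >= sizeof(buf))` and logging that the message was truncated, so the cut is visible rather than quietly producing a misleading error. The overflow itself is gone: with a nonzero size a C99/glibc snprintf always NUL-terminates, and `sizeof(buf)` is correct here because buf is the local array declared two lines above.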
Index: sieve/sieve.y
===
--- sieve/sieve.y	(revision 842)
+++ sieve/sieve.y	(working copy)
@@ -923,7 +923,7 @@
 	else if (!strcmp(r, ne)) {return NE;}
 	else if (!strcmp(r, eq)) {return EQ;}
 	else{
-	  sprintf(errbuf, flag '%s': not a valid relational operation, r);
+	  snprintf(errbuf, sizeof(errbuf), flag '%s': not a valid relational operation, r);
 	  yyerror(errbuf);
 	  return -1;
 	}
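Review bot: `sizeof(errbuf)` is only a real bound if errbuf is declared as a char array in this scope; its declaration is not in the hunk, and if it is a `char *` the expression evaluates to the pointer size (4 or 8 bytes), truncating every message to a few characters with no compiler warning. Please confirm the declaration in sieve.y. Since `r` comes straight from the script text being parsed, the truncating path is reachable by a crafted script, so a short comment noting that truncation is acceptable for an error message would help the next reader.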
Index: sieve/bc_eval.c
===
--- sieve/bc_eval.c	(revision 842)
+++ sieve/bc_eval.c	(working copy)
@@ -440,7 +440,7 @@
 	int comparator=ntohl(bc[i+3].value);
 	int apart=ntohl(bc[i+4].value);
 	int count=0;
-	char scount[3];
+	char scount[21];
 	int isReg = (match==B_REGEX);
 	int ctag = 0;
 	regex_t *reg;
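Review bot: enlarging scount from 3 to 21 bytes only removes the overflow if the write into it, which is outside this hunk, stays a single formatted int (11 bytes with sign and NUL for a 32-bit int, 21 for 64-bit); the bound is not enforced anywhere, just assumed. The durable fix is at the write site, `snprintf(scount, sizeof(scount), "%d", count)`, so a later change to the buffer size or format cannot reintroduce the bug. The bare 21 also deserves a comment or a named constant saying what it is sized for.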
@@ -608,7 +608,7 @@
 	int relation=ntohl(bc[i+2].value);
 	int comparator=ntohl(bc[i+3].value);
 	int count=0;	
-	char scount[3];
+	char scount[21];
 	int isReg = (match==B_REGEX);
 	int ctag = 0;
 	regex_t *reg;
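Review bot: this is the same buffer and the same one-byte-count fix as the hunk at line 440 above, declared a second time with a second literal 21; whoever next touches one declaration will miss the other. A single `#define` for the size, or a small helper that formats count into a bounded buffer and is called from both places, keeps the two in step. Otherwise the same comment applies: bound the formatting call rather than relying on the enlarged size alone.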

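The following is an added illustration of the bug class the patch above addresses, not Cyrus code and not part of the thread: formatting an int into a fixed 3-byte stack buffer with sprintf overflows as soon as the value needs three digits, and fixing the size by hand (3 to 21) is weaker than bounding the write. It assumes the write into scount is an sprintf("%d") of count, which the hunks do not show; INT_DEC_BUFSZ, dec_bytes_needed, dec_fits, format_count and format_action_error are hypothetical names chosen here.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Cyrus code.  The sieve patch grows
 * "char scount[3]" to 21 bytes.  Instead of picking a number, derive
 * the bound from the type: an N-bit integer has at most N*log10(2)
 * decimal digits, which is < N/3 + 1, plus one byte for a sign and one
 * for the NUL.  For a 32-bit int this is 13 bytes. */
#define INT_DEC_BUFSZ (sizeof(int) * CHAR_BIT / 3 + 3)

/* Bytes that sprintf("%d") would write for value, NUL included.
 * snprintf with a NULL buffer and size 0 writes nothing and returns the
 * length it would have produced (C99). */
size_t dec_bytes_needed(int value)
{
    return (size_t)snprintf(NULL, 0, "%d", value) + 1;
}

/* 1 if a buffer of bufsz bytes holds the decimal form of value without
 * overflowing (the pre-patch scount[3] fails this for any value >= 100
 * or <= -10), 0 otherwise. */
int dec_fits(int value, size_t bufsz)
{
    return dec_bytes_needed(value) <= bufsz;
}

/* Bounded replacement for the vulnerable pattern.  Never writes past
 * dstsz, always NUL-terminates, and reports truncation instead of
 * leaving a silently shortened number.  Returns 0 on success, -1 if
 * value did not fit (dst is then an empty string). */
int format_count(char *dst, size_t dstsz, int value)
{
    int n;
    if (dstsz == 0) return -1;
    n = snprintf(dst, dstsz, "%d", value);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same discipline for the error-message path that script.c fixes:
 * "<action>: <message>" (or just "<message>" when no action ran) into a
 * caller-supplied buffer, telling the caller whether it was cut short. */
int format_action_error(char *dst, size_t dstsz,
                        const char *action, const char *errmsg)
{
    int n;
    if (dstsz == 0) return -1;
    n = action ? snprintf(dst, dstsz, "%s: %s", action, errmsg)
               : snprintf(dst, dstsz, "%s", errmsg);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

int main(void)
{
    char scount_old[3];              /* size from the pre-patch code */
    char scount_new[INT_DEC_BUFSZ];  /* size derived from the type */
    int counts[] = { 7, 99, 100, -5, -10, INT_MAX, INT_MIN };  /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int old_ok = format_count(scount_old, sizeof scount_old, counts[i]) == 0;
        int new_ok = format_count(scount_new, sizeof scount_new, counts[i]) == 0;
        printf("%11d needs %2zu bytes: scount[3] %-5s  scount[%zu] %s\n",
               counts[i], dec_bytes_needed(counts[i]),
               old_ok ? "ok" : "TRUNC", sizeof scount_new,
               new_ok ? "ok" : "TRUNC");
    }
    return 0;
}
```

The point of the derived size is that it follows the type: rebuilding on a platform with a wider int changes the buffer, whereas a literal 21 would have to be found and re-justified by hand. The return-value check is what turns a silent cut into something the caller can act on.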

Bug#547947: CVE-2009-3235: CMU sieve buffer overflows

2009-09-22 Thread Giuseppe Iuculano
Hi Henrique,

Henrique de Moraes Holschuh wrote:
 Also, we need the same fix to be applied to stable and old-stable...

I've prepared stable and oldstable packages:
http://sd6.iuculano.it/sec/cyrus-imapd-2.2/

Cheers,
Giuseppe.


