SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMAP Toolkit (uw-imap) Vendors:   University of Washington
(Caldera Issues Fix for OpenLinux) University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System
SecurityTracker Alert ID:  1004297
SecurityTracker URL:  http://securitytracker.com/id/1004297
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 15 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2000.283, 2000.284, and 2000.287 default install; 2001.315 compiled with RFC 1730 support
Description:   A buffer overflow vulnerability was reported in the University of Washington's IMAP mail server software. An authenticated remote user may be able to execute arbitrary code on the IMAP server.

It is reported that an authenticated remote user can send a malformed request to the IMAP server to trigger a buffer overflow. Arbitrary code can be executed with the privileges of the e-mail user account.

According to the report, the vulnerability is in the imapd.c code and is due to the lack of bounds checking on the user-supplied data. The bug may be exploited when the authenticated remote user requests partial mailbox attributes. This can cause user-supplied data to overwrite the server's main stack. The overflow may occur when the user logs out.

Some additional details, including a snapshot of the affected code, are available at the author's web site:

http://mantra.freeweb.hu

Impact:   An authenticated remote user can cause arbitrary code to be executed on the IMAP server with the user and group privileges of the remote user's e-mail account.
Solution:   The vendor has released a fix.

For OpenLinux 3.1.1 Server:

Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

Packages:

3d4c39ed407a122f963f9f508f908c92 imap-2000-14.i386.rpm
5c49edd5001471188ed6da5a20413f42 imap-devel-2000-14.i386.rpm

To install:

rpm -Fvh imap-2000-14.i386.rpm
rpm -Fvh imap-devel-2000-14.i386.rpm

Source Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

Source Packages:

7aca0b5e4236dac8b9bbce8879d84bd8 imap-2000-14.src.rpm


For OpenLinux 3.1.1 Workstation:

Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

Packages:

d38decbc4fd541389f150a801dbd6024 imap-2000-14.i386.rpm
4833a72e3afde52d6f88fefdf2ac6fb4 imap-devel-2000-14.i386.rpm

To install:

rpm -Fvh imap-2000-14.i386.rpm
rpm -Fvh imap-devel-2000-14.i386.rpm

Source Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

Source Packages:

0dc9c6f44c0a233ff31efc296159a812 imap-2000-14.src.rpm


For OpenLinux 3.1 Server:

Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

Packages:

cbe5748e7adea78a897b2b530a4f6885 imap-2000-14.i386.rpm
763992a12de3ac0bdf53ea03c92b0c79 imap-devel-2000-14.i386.rpm

To install:

rpm -Fvh imap-2000-14.i386.rpm
rpm -Fvh imap-devel-2000-14.i386.rpm

Source Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

Source Packages:

decd197cfdce836c921560097573e9b3 imap-2000-14.src.rpm


For OpenLinux 3.1 Workstation:

Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

Packages:

863d0908cf6a00488bd705bfe16e4d4c imap-2000-14.i386.rpm
a2db300f0a06d9be119c39a40fb4f368 imap-devel-2000-14.i386.rpm

To install:

rpm -Fvh imap-2000-14.i386.rpm
rpm -Fvh imap-devel-2000-14.i386.rpm

Source Package Location:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

Source Packages:

2ea45d3516faaaae52a2f8053deaf30c imap-2000-14.src.rpm

Vendor URL:  www.washington.edu/imap/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux Server and Workstation; 3.1, 3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
May 10 2002 University of Washington IMAP Toolkit ('uw-imap') Has Buffer Overflow That May Let Remote Users Execute Arbitrary Code with User-Level Privileges on the System



 Source Message Contents

Subject:  Security Update: [CSSA-2002-021.0] Linux: imapd buffer overflow when fetching partial mailbox attributes


--p4qYPpj5QlsIQJ0K
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: imapd buffer overflow when fetching partial mailbox attributes
Advisory number: 	CSSA-2002-021.0
Issue date: 		2002 May 15
Cross reference:
______________________________________________________________________________


1. Problem Description

	A malicious user may construct a malformed request that will
	cause a buffer overflow, allowing the user to run code on the
	server with the uid and gid of the e-mail owner.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to imap-2000-14.i386.rpm
					prior to imap-devel-2000-14.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to imap-2000-14.i386.rpm
					prior to imap-devel-2000-14.i386.rpm

	OpenLinux 3.1 Server		prior to imap-2000-14.i386.rpm
					prior to imap-devel-2000-14.i386.rpm

	OpenLinux 3.1 Workstation	prior to imap-2000-14.i386.rpm
					prior to imap-devel-2000-14.i386.rpm


3. Solution

	The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

	4.2 Packages

	3d4c39ed407a122f963f9f508f908c92	imap-2000-14.i386.rpm
	5c49edd5001471188ed6da5a20413f42	imap-devel-2000-14.i386.rpm

	4.3 Installation

	rpm -Fvh imap-2000-14.i386.rpm
	rpm -Fvh imap-devel-2000-14.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

	4.5 Source Packages

	7aca0b5e4236dac8b9bbce8879d84bd8	imap-2000-14.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

	5.2 Packages

	d38decbc4fd541389f150a801dbd6024	imap-2000-14.i386.rpm
	4833a72e3afde52d6f88fefdf2ac6fb4	imap-devel-2000-14.i386.rpm

	5.3 Installation

	rpm -Fvh imap-2000-14.i386.rpm
	rpm -Fvh imap-devel-2000-14.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

	5.5 Source Packages

	0dc9c6f44c0a233ff31efc296159a812	imap-2000-14.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

	6.2 Packages

	cbe5748e7adea78a897b2b530a4f6885	imap-2000-14.i386.rpm
	763992a12de3ac0bdf53ea03c92b0c79	imap-devel-2000-14.i386.rpm

	6.3 Installation

	rpm -Fvh imap-2000-14.i386.rpm
	rpm -Fvh imap-devel-2000-14.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

	6.5 Source Packages

	decd197cfdce836c921560097573e9b3	imap-2000-14.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

	7.2 Packages

	863d0908cf6a00488bd705bfe16e4d4c	imap-2000-14.i386.rpm
	a2db300f0a06d9be119c39a40fb4f368	imap-devel-2000-14.i386.rpm

	7.3 Installation

	rpm -Fvh imap-2000-14.i386.rpm
	rpm -Fvh imap-devel-2000-14.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

	7.5 Source Packages

	2ea45d3516faaaae52a2f8053deaf30c	imap-2000-14.src.rpm


8. References

	Specific references for this advisory:
		none


	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security fix closes Caldera incidents sr864139, fz520938
	and erg712042.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


10. Acknowledgements

	Marcell Fodor (m.fodor@mail.datanet.hu) discovered and reported
	this vulnerability.

______________________________________________________________________________


--p4qYPpj5QlsIQJ0K
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzivtYACgkQbluZssSXDTENawCg+gHAZBLJ+pHii1ceOXVYIk7Y
bxQAoKP0LJgvzQmdefxaWLovqNhh9m38
=acgC
-----END PGP SIGNATURE-----

--p4qYPpj5QlsIQJ0K--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC