Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   Cyrus IMAP Server Vendors:   Carnegie Mellon University
(Debian Issues Fix) Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012328
SecurityTracker URL:
CVE Reference:   CVE-2004-1011, CVE-2004-1012, CVE-2004-1013   (Links to External Site)
Date:  Nov 25 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.2.8 and prior versions
Description:   Several vulnerabilities were reported in the Cyrus IMAP server. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters GmbH reported a variety of bugs. A remote user can trigger a stack overflow in the PROXY and LOGIN commands when the imapmagicplus is enabled on the target server [CVE: CVE-2004-1011]. The username value is not properly validated. Versions 2.2.4 - 2.2.8 are affected.

It is also reported that a remote authenticated user can trigger a memory corruption error in the PARTIAL command [CVE: CVE-2004-1012], exploitable in versions 2.2.6 and prior versions. A remote authenticated user can execute arbitrary code.

It is also reported that a remtoe authenticated user can trigger a memory corruption error in the processing of the FETCH command [CVE: CVE-2004-1013] to execute arbitrary code.

In versions 2.2.7 and 2.2.8, it is also reported that a flaw in processing the MULTIAPPENDS command may cause uninitialized memory to be freed, which may lead to arbitrary code execution.

The vendor was notified on November 6, 2004.

The original advisory is available at:

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the imapd process.
Solution:   Debian has released a fix for the stable distribution (woody) in version 1.5.19-9.2 and for the unstable distribution (sid) in version 2.1.17-1.

The fixes are available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  3.0

Message History:   This archive entry is a follow-up to the message listed below.
Nov 23 2004 Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code

 Source Message Contents

Subject:  [SECURITY] [DSA 597-1] New cyrus-imapd packages fix arbitrary code execution

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 597-1                                        Martin Schulze
November 25th, 2004           
- --------------------------------------------------------------------------

Package        : cyrus-imapd
Vulnerability  : buffer overflow
Problem-Type   : local/remote
Debian-specific: no
CVE ID         : CAN-2004-1012 CAN-2004-1013
Debian Bug     : 282681

Stefan Esser discovered several security related problems in the Cyrus
IMAP daemon.  Due to a bug in the command parser it is possible to
access memory beyond the allocated buffer in two places which could
lead to the execution of arbitrary code.

For the stable distribution (woody) these problems have been fixed in
version 1.5.19-9.2

For the unstable distribution (sid) these problems have been fixed in
version 2.1.17-1.

We recommend that you upgrade your cyrus-imapd package immediately.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:
      Size/MD5 checksum:      703 e0481572ba25da370cd1eca220d1a030
      Size/MD5 checksum:    32830 f6e67dff752d2f07dc7814c08d910044
      Size/MD5 checksum:   526190 b789ea3868be439c27b24a8aa6d0b99f

  Alpha architecture:
      Size/MD5 checksum:    43558 605b6d5781b7525fef102a322167dc07
      Size/MD5 checksum:   567060 f16d9c0379f5ff1805f9ca12e97a6d55
      Size/MD5 checksum:    86262 844e21251e961fd1a8744504508bf025
      Size/MD5 checksum:   164410 b6b6bd17475d8187ef1e1cb583887e64
      Size/MD5 checksum:   162218 c2752c9eabdf34d6a5f56183e6a0db9a
      Size/MD5 checksum:    77630 e1f0a2fb07112a4fe4ef61ebb7a49aa0

  ARM architecture:
      Size/MD5 checksum:    39924 0995a4f7ad0a332d462ca619c706bda5
      Size/MD5 checksum:   437994 66083d88f667e80f01b58ef94c387d0e
      Size/MD5 checksum:    80458 52584f8b0d2a2ab0d344d25c9da4085b
      Size/MD5 checksum:   134364 5a341627828988cf55419d4a223079b5
      Size/MD5 checksum:   126848 26ad29be01e2b28c4de37d96d5b9155a
      Size/MD5 checksum:    59856 ac911aa6e9273f800c5f9f47c9c9084f

  Intel IA-32 architecture:
      Size/MD5 checksum:    38998 489e82636e7423342b6d63032e35f389
      Size/MD5 checksum:   416914 dd920904b7f4ab87f0b7c7bfa0d4a97f
      Size/MD5 checksum:    75702 2c8ef52476b3b494b0f2a0bbb0a35755
      Size/MD5 checksum:   123450 c0d4750368d00bf76c204a56f2c418d2
      Size/MD5 checksum:   119886 55ee743281e5de675674181b6ed024f3
      Size/MD5 checksum:    56268 5cedd739a2f4736125573e55a0b875ad

  Intel IA-64 architecture:
      Size/MD5 checksum:    48850 f6712157e9c472b041a9f83b6b6ab357
      Size/MD5 checksum:   656824 c01cd43ac1af94155760cdb5a62d9675
      Size/MD5 checksum:    93352 f19ed436d9550a693e03474080941e43
      Size/MD5 checksum:   198090 99ee20d8c668612add2e2f93d84b1848
      Size/MD5 checksum:   192456 2764c2794771531b7131148e6ba6cc53
      Size/MD5 checksum:    90284 0ae7cc75d486880d86cc4e1a6db17af7

  HP Precision architecture:
      Size/MD5 checksum:    42240 91e0ad0740bc59967af0d0125684863b
      Size/MD5 checksum:   484540 550d155ec451650196a0eef52fb8f3c8
      Size/MD5 checksum:    83932 e0333e01626fdeac3b69d04f319c6df0
      Size/MD5 checksum:   145634 546909a010b9468bb2ae8550a77f6653
      Size/MD5 checksum:   141988 132df5b22602fd2025a4dfdf44c8c0fd
      Size/MD5 checksum:    65900 deca12451392a0911ff5699d339d62f6

  Motorola 680x0 architecture:
      Size/MD5 checksum:    37972 e76791fa11eb69075ee6dbf82890ee06
      Size/MD5 checksum:   387580 f334243709621ad5051e7806e7b561d4
      Size/MD5 checksum:    74386 96605f4fead3441c1276aca7496cf857
      Size/MD5 checksum:   113454 074119d9b1abf101ab9cc957b627be8a
      Size/MD5 checksum:   112120 58d79fcfdb58ba97cb259f6b4b850f6b
      Size/MD5 checksum:    52342 6a1cd52438760f6297081adba6b67997

  Big endian MIPS architecture:
      Size/MD5 checksum:    41602 1e96a8c73afbac0cdcc6771818b642e8
      Size/MD5 checksum:   481550 7bebd624566b7e603eb0733cbae7083c
      Size/MD5 checksum:    83312 a3b9739220e76493ac56fa7b73214d98
      Size/MD5 checksum:   141674 2fb6a951f77258e1828279ad8c6eef7a
      Size/MD5 checksum:   140320 dc3cc564c257346b492ea28775f5ae5e
      Size/MD5 checksum:    65780 da6c3c553887bcf173e41be3ddce62b1

  Little endian MIPS architecture:
      Size/MD5 checksum:    41738 0cba87d05f237a6e79ec0165bf757991
      Size/MD5 checksum:   486284 8896d35754568189b2fbe1f00aac432f
      Size/MD5 checksum:    83446 e86cf8f817626afb48f3f51eed186917
      Size/MD5 checksum:   143928 d427e4f5268d685adb1a7e7086a7a4fd
      Size/MD5 checksum:   141892 6a3b60a7c4c1f9fc60c01dbaad843ce0
      Size/MD5 checksum:    66236 6c48b0851637f81c2a5e9bddce0357d1

  PowerPC architecture:
      Size/MD5 checksum:    40224 61d75e95f4aeafad122081a210f9682f
      Size/MD5 checksum:   457434 a73dd24b0f50e027fab59511261d1189
      Size/MD5 checksum:    80926 3541a8d3ffc665cee2b80c85b9d98cf3
      Size/MD5 checksum:   134996 3745593385f1fa49071706326aa5a7b8
      Size/MD5 checksum:   133482 5057e633e3068d5233d52e5b73e5d2d7
      Size/MD5 checksum:    62450 4993a3e6947fcc4a08075b43c28acfdf

  IBM S/390 architecture:
      Size/MD5 checksum:    40804 e757c6a1476bae8035581ddd85fb3976
      Size/MD5 checksum:   433114 dc1b97d66d61ee41940a690b3b00c26a
      Size/MD5 checksum:    77910 ba413afe00395cd17ac86d757f181ea6
      Size/MD5 checksum:   129212 28751a06e94623a150aaf5f46df5c793
      Size/MD5 checksum:   124658 b153471de6d53d99693e9b2cff926aee
      Size/MD5 checksum:    59192 9591db004d221d6230a2aaaaf994a3e9

  Sun Sparc architecture:
      Size/MD5 checksum:    39858 0b5fd335f5559ddfcd39cc5bd9798f4d
      Size/MD5 checksum:   435904 5b4639c22c4a63fdcd120c26a94ba903
      Size/MD5 checksum:    79364 c42e3dfdca39d2084051743f3f58aba2
      Size/MD5 checksum:   130890 6925e7fc4bdf0c9536b529314bd91f06
      Size/MD5 checksum:   126948 a7ca84cf4d6ec1694a718e53dadc0a5f
      Size/MD5 checksum:    60190 67fce3079b320b2a236f4fe1d8b85f28

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

Version: GnuPG v1.2.5 (GNU/Linux)


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC