
Category:   Application (E-mail Server)  >   Cyrus IMAP Server
Vendors:   Carnegie Mellon University
(Fedora Issues Fix for FC2) Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012375
SecurityTracker URL:  http://securitytracker.com/id/1012375
CVE Reference:   CVE-2004-1011, CVE-2004-1012, CVE-2004-1013
Date:  Dec 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.2.8 and prior versions
Description:   Several vulnerabilities were reported in the Cyrus IMAP server. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters GmbH reported a variety of bugs. A remote user can trigger a stack overflow in the PROXY and LOGIN commands when the imapmagicplus option is enabled on the target server [CVE: CVE-2004-1011]. The username value is not properly validated. Versions 2.2.4 - 2.2.8 are affected.

It is also reported that a remote authenticated user can trigger a memory corruption error in the PARTIAL command [CVE: CVE-2004-1012], exploitable in versions 2.2.6 and prior versions. A remote authenticated user can execute arbitrary code.

It is also reported that a remote authenticated user can trigger a memory corruption error in the processing of the FETCH command [CVE: CVE-2004-1013] to execute arbitrary code.

In versions 2.2.7 and 2.2.8, it is also reported that a flaw in processing the MULTIAPPENDS command may cause uninitialized memory to be freed, which may lead to arbitrary code execution.
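The affected ranges differ per bug, so the following added example (not code from SecurityTracker, Fedora or the Cyrus project) maps an installed package version and the imapmagicplus setting to the issues described above. It compares versions as integer tuples, since a string comparison would rank 2.2.10 below 2.2.8. The function names, the accepted boolean spellings and the sample configuration are assumptions made for illustration.

```python
import re

# Affected upstream ranges (inclusive) as stated in the advisory text above.
# low=None means "and prior versions". The FETCH range is an assumption taken
# from the advisory's overall "Version(s): 2.2.8 and prior versions" line.
ISSUES = [
    # (label, low, high, requires imapmagicplus)
    ("CVE-2004-1011 PROXY/LOGIN stack overflow", (2, 2, 4), (2, 2, 8), True),
    ("CVE-2004-1012 PARTIAL memory corruption", None, (2, 2, 6), False),
    ("CVE-2004-1013 FETCH memory corruption", None, (2, 2, 8), False),
    ("MULTIAPPENDS free of uninitialized memory", (2, 2, 7), (2, 2, 8), False),
]
TRUTHY = {"1", "y", "yes", "t", "true", "on"}  # assumed boolean spellings


def upstream_version(pkg):
    """Return the upstream (x, y, z) tuple from a version or RPM file name."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", pkg)
    if not m:
        raise ValueError("no x.y.z version found in %r" % pkg)
    return tuple(int(part) for part in m.groups())


def magicplus_enabled(imapd_conf_text):
    """True if the last 'imapmagicplus:' line in imapd.conf text is truthy."""
    enabled = False
    for line in imapd_conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "imapmagicplus":
            enabled = value.strip().lower() in TRUTHY
    return enabled


def applicable_issues(pkg, imapd_conf_text=""):
    """List the advisory's issues whose stated range covers this version."""
    ver = upstream_version(pkg)
    magic = magicplus_enabled(imapd_conf_text)
    hits = []
    for label, low, high, needs_magic in ISSUES:
        in_range = (low is None or ver >= low) and ver <= high
        if in_range and (magic or not needs_magic):
            hits.append(label)
    return hits


# Constructed sample inputs, not taken from a real host.
SAMPLE_CONF = "configdirectory: /var/lib/imap\nimapmagicplus: yes\n"
if __name__ == "__main__":
    for pkg in ("cyrus-imapd-2.2.6-2.FC3.6", "cyrus-imapd-2.2.10-1.fc2"):
        print(pkg, applicable_issues(pkg, SAMPLE_CONF))
```

The result reflects upstream version numbers only; a distribution package can carry backported fixes under an older upstream version, so the vendor's update notice remains the authority for a given build.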

The vendor was notified on November 6, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/152004.html

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the imapd process.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


Vendor URL:  asg.web.cmu.edu/cyrus/
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Nov 23 2004 Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: cyrus-imapd-2.2.10-1.fc2


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-489
2004-12-01
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : cyrus-imapd
Version     : 2.2.10                      
Release     : 1.fc2                  
Summary     : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scaleable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.

A full Cyrus IMAP implementation allows a seamless mail and bulletin
board environment to be set up across multiple servers. It differs from
other IMAP server implementations in that it is run on "sealed"
servers, where users are not normally permitted to log in. The mailbox
database is stored in parts of the filesystem that are private to the
Cyrus IMAP server. All user access to mail is through software using
the IMAP, POP3, or KPOP protocols. TLSv1 and SSL are supported for
security.

---------------------------------------------------------------------
Update Information:

Fix several buffer overflow problems that could be used as an exploit.
Fixes the following security advisories:
CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015
---------------------------------------------------------------------
* Tue Nov 30 2004 John Dennis <jdennis@redhat.com> 2.2.10-1.fc2

- update to Simon Matter's 2.2.10 RPM,
  fixes bug #139382, 
  security advisories: CAN-2004-1011 CAN-2004-1012 CAN-2004-1013 CAN-2004-1015

* Wed Nov 24 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.10

* Tue Nov 23 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.9

* Fri Nov 19 2004 Simon Matter <simon.matter@invoca.ch>

- changed scripts to use runuser instead of su if available

* Thu Nov 18 2004 Simon Matter <simon.matter@invoca.ch>

- changed requirement for file >= 3.35-1 from BuildPrereq to
  Requires, fixes RedHat's bug #124991
- added acceptinvalidfrom patch to fix RedHat's bug #137705

* Mon Oct 04 2004 Dan Walsh <dwalsh@redhat.com> 2.2.6-2.FC3.6

- Change cyrus init scripts and cron job to use runuser instead of su

* Fri Aug 06 2004 John Dennis <jdennis@redhat.com> 2.2.6-2.FC3.5

- remove obsoletes tag, fixes bugs #127448, #129274

* Wed Aug 04 2004 John Dennis <jdennis@redhat.com>

- replace commas in release field with dots, bump build number

* Tue Aug 03 2004 Simon Matter <simon.matter@invoca.ch>

- fixed symlinks for x86_64, now uses the _libdir macro
  reported by John Dennis, fixes RedHat's bug #128964
- removed obsoletes tag, fixes RedHat's bugs #127448, #129274

* Mon Aug 02 2004 John Dennis <jdennis@redhat.com> 2.2.6-2,FC3,3

- fix bug #128964, lib symlinks wrong on x86_64

* Thu Jul 29 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.8

* Thu Jul 29 2004 Simon Matter <simon.matter@invoca.ch>

- updated autocreate and autosieve patches
- made authorization a compile time option
- added sieve-bc_eval patch

* Tue Jul 27 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.7
- modified autocreate patch for 2.2.7
- removed snmpargs patch which was needed for RedHat 6.2

* Tue Jul 13 2004 Simon Matter <simon.matter@invoca.ch>

- added mboxlist / mboxname patches from CVS

* Tue Jul 06 2004 Simon Matter <simon.matter@invoca.ch>

- updated rmquota+deletemailbox patch

* Sat Jul 03 2004 John Dennis <jdennis@redhat.com> - 2.2.6-2,FC3,1

- bring up to date with Simon Matter's latest upstream rpm 2.2.6-2
- comment out illegal tags Packager, Vendor, Distribution
  build for FC3

* Wed Jun 30 2004 Simon Matter <simon.matter@invoca.ch>

- added quota patches from CVS

* Fri Jun 25 2004 Simon Matter <simon.matter@invoca.ch>

- updated autocreate patch

* Fri Jun 18 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.6

* Fri Jun 11 2004 Simon Matter <simon.matter@invoca.ch>

- updated autocreate and autosieve patches

* Tue Jun 01 2004 Simon Matter <simon.matter@invoca.ch>

- updated autocreate, autosieve and rmquota patches
- fixed rmquota patch to build on gcc v3.3.x
- added lmtp_sieve patch

* Sat May 29 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.5

* Fri May 28 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.5 pre-release

* Mon May 24 2004 Simon Matter <simon.matter@invoca.ch>

- added hash patch to fix a sig11 problem
- added noncritical typo patch

* Fri May 21 2004 Simon Matter <simon.matter@invoca.ch>

- include OutlookExpress seenstate patch
- fixed allnumeric patch

* Thu May 20 2004 Simon Matter <simon.matter@invoca.ch>

- don't enable cyrus-imapd per default
- rename fetchnews to cyrfetchnews to avoid namespace conflicts with leafnode
- replace fetchnews with cyrfetchnews in man pages
- replace master with cyrus-master in man pages

* Tue May 18 2004 Simon Matter <simon.matter@invoca.ch>

- updated to 2.2.4


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------


-- 
John Dennis <jdennis@redhat.com>

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

 
 

