Debian Bug report logs - #282681
cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13

Package: cyrus21-imapd; Maintainer for cyrus21-imapd is (unknown);

Reported by: Martin Pitt <martin.pitt@canonical.com>

Date: Tue, 23 Nov 2004 19:33:01 UTC

Severity: critical

Tags: patch, security

Found in version 2.1.16-10

Fixed in version cyrus21-imapd/2.1.17-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
New Bug report received and forwarded. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: team@security.debian.org
Subject: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Tue, 23 Nov 2004 20:16:44 +0100
[Message part 1 (text/plain, inline)]
Package: cyrus21-imapd
Version: 2.1.16-10
Severity: critical
Tags: security patch
Justification: root security hole

Hi!

At least sarge's and sid's versions are vulnerable to above CANs and
some additional issue described in 

 http://security.e-matters.de/advisories/152004.html

I fixed Ubuntu using the interdiff at

  http://patches.ubuntu.com/patches/cyrus21-imapd.CAN-2004-1012+13.diff

Please fix this as soon as possible since this is a root security
hole. Please also check whether woody is vulnerable, I did not do
this.

My changelog:

------------------- snip -----------------
 cyrus21-imapd (2.1.16-10ubuntu1) hoary; urgency=low
 .
   * SECURITY UPDATE: fix several potential buffer overflows
   * imap/imapd.c:
     - cmd_fetch(), cmd_partial(): fixed insufficient checking of the command
       string: the command "body[p"/"BODY[P" was recognized as
       "body.peek"/"BODY.PEEK" which caused an incrementation of the command
       buffer pointer beyond the allocated memory
     - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
       nflags within functions called by xstrdup() is undefined and different
       gcc versions handle this differently
   * Note: this version is not vulnerable to CAN-2004-1011
   * References:
     CAN-2004-1012, CAN-2004-1013
     http://security.e-matters.de/advisories/152004.html
------------------- snip -----------------

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
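
The first imap/imapd.c item in the changelog above, reduced to a stand-alone C example that was added to this log and is not code from Cyrus or from the Ubuntu patch. The function names and the offset-returning shape are assumptions made for illustration, the inputs are constructed, and only the upper-case spelling is handled.

```c
#include <stdio.h>
#include <string.h>

/* Both functions return the offset at which the section text starts inside
 * a FETCH attribute, or -1 if it is not a BODY[ / BODY.PEEK[ item. */

/* Flawed shape: after accepting either prefix, a single byte decides
 * whether ".PEEK" was present. In "BODY[P" that byte is also 'P'. */
static long section_offset_flawed(const char *att, size_t len)
{
    long off;

    (void)len; /* the length is never consulted: that is the defect */
    if (strncmp(att, "BODY[", 5) != 0 && strncmp(att, "BODY.PEEK[", 10) != 0)
        return -1;
    off = 5;
    if (att[off] == 'P')   /* 'P' of ".PEEK[" or first byte of the section */
        off += 5;          /* skips five bytes that may not exist */
    return off;
}

/* Hardened shape: match each complete prefix on its own and never step
 * further than the bytes that were actually compared. */
static long section_offset_fixed(const char *att, size_t len)
{
    if (len >= 10 && strncmp(att, "BODY.PEEK[", 10) == 0)
        return 10;
    if (len >= 5 && strncmp(att, "BODY[", 5) == 0)
        return 5;
    return -1;
}

/* A usable offset must lie inside the attribute string. */
static int offset_in_bounds(long off, size_t len)
{
    return off >= 0 && (size_t)off <= len;
}

int main(void)
{
    /* Constructed sample attributes. */
    const char *samples[] = { "BODY[1]", "BODY.PEEK[1]", "BODY[P", "FLAGS" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        long bad = section_offset_flawed(samples[i], len);
        long good = section_offset_fixed(samples[i], len);

        printf("%-14s len=%2lu flawed=%3ld (%s) fixed=%3ld\n",
               samples[i], (unsigned long)len, bad,
               bad < 0 ? "n/a" : offset_in_bounds(bad, len) ? "ok" : "PAST END",
               good);
    }
    return 0;
}
```
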

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 282681@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>, 282681@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Tue, 23 Nov 2004 17:54:14 -0200
On Tue, 23 Nov 2004, Martin Pitt wrote:
> At least sarge's and sid's versions are vulnerable to above CANs and
> some additional issue described in 

Yeah, I noticed. The worst is already fixed in incoming...

> hole. Please also check whether woody is vulnerable, I did not do

Woody's cyrus is a lost cause (1.5). It does not have 2.1, though.

>      - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
>        nflags within functions called by xstrdup() is undefined and different
>        gcc versions handle this differently

Drat, that one escaped me.  I will upload a new fix.

Thanks for the heads-up and for the patch.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Reply sent to Henrique de Moraes Holschuh <hmh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Pitt <martin.pitt@canonical.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 282681-close@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: 282681-close@bugs.debian.org
Subject: Bug#282681: fixed in cyrus21-imapd 2.1.17-1
Date: Tue, 23 Nov 2004 18:32:08 -0500
Source: cyrus21-imapd
Source-Version: 2.1.17-1

We believe that the bug you reported is fixed in the latest version of
cyrus21-imapd, which is due to be installed in the Debian FTP archive:

cyrus21-admin_2.1.17-1_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-admin_2.1.17-1_all.deb
cyrus21-clients_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-clients_2.1.17-1_i386.deb
cyrus21-common_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-common_2.1.17-1_i386.deb
cyrus21-dev_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-dev_2.1.17-1_i386.deb
cyrus21-doc_2.1.17-1_all.deb
  to pool/main/c/cyrus21-imapd/cyrus21-doc_2.1.17-1_all.deb
cyrus21-imapd_2.1.17-1.diff.gz
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1.diff.gz
cyrus21-imapd_2.1.17-1.dsc
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1.dsc
cyrus21-imapd_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17-1_i386.deb
cyrus21-imapd_2.1.17.orig.tar.gz
  to pool/main/c/cyrus21-imapd/cyrus21-imapd_2.1.17.orig.tar.gz
cyrus21-murder_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-murder_2.1.17-1_i386.deb
cyrus21-pop3d_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/cyrus21-pop3d_2.1.17-1_i386.deb
libcyrus-imap-perl21_2.1.17-1_i386.deb
  to pool/main/c/cyrus21-imapd/libcyrus-imap-perl21_2.1.17-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 282681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <hmh@debian.org> (supplier of updated cyrus21-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 23 Nov 2004 19:19:56 -0200
Source: cyrus21-imapd
Binary: cyrus21-doc cyrus21-admin cyrus21-murder cyrus21-common cyrus21-imapd cyrus21-clients cyrus21-dev cyrus21-pop3d libcyrus-imap-perl21
Architecture: source i386 all
Version: 2.1.17-1
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Changed-By: Henrique de Moraes Holschuh <hmh@debian.org>
Description: 
 cyrus21-admin - Cyrus mail system (administration tool)
 cyrus21-clients - Cyrus mail system (test clients)
 cyrus21-common - Cyrus mail system (common files)
 cyrus21-dev - Cyrus mail system (developer files)
 cyrus21-doc - Cyrus mail system (documentation files)
 cyrus21-imapd - Cyrus mail system (IMAP support)
 cyrus21-murder - Cyrus mail system (proxies and aggregator)
 cyrus21-pop3d - Cyrus mail system (POP3 support)
 libcyrus-imap-perl21 - Interface to Cyrus imap client imclient library
Closes: 282681
Changes: 
 cyrus21-imapd (2.1.17-1) unstable; urgency=high
 .
   * New upstream source
     * SECURITY FIX:
       Detect and avoid buffer overflow on SASL canonical processing
   * SECURITY FIX (from Ubuntu, thanks to Martin Pitt
     <martin.pitt@canonical.com>): fixed two incarnations of "flag[nflags++]
     = xstrdup(...)"; the value of nflags within functions called by
     xstrdup() is undefined and different gcc versions handle this
     differently (closes: #282681)




Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #20 received at 282681@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: Debian Bug Tracking System <282681@bugs.debian.org>, team@security.debian.org
Subject: Re: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 11:07:30 +0100
[Message part 1 (text/plain, inline)]
Martin Pitt wrote:
> At least sarge's and sid's versions are vulnerable to above CANs and
> some additional issue described in 

The version in woody is vulnerable to CAN-2004-1012 and CAN-2004-1013.
I plan to use the attached patch.

>   http://patches.ubuntu.com/patches/cyrus21-imapd.CAN-2004-1012+13.diff
> 
> Please fix this as soon as possible since this is a root security
> hole. Please also check whether woody is vulnerable, I did not do
> this.
> 
> My changelog:
> 
> ------------------- snip -----------------
>  cyrus21-imapd (2.1.16-10ubuntu1) hoary; urgency=low
>  .
>    * SECURITY UPDATE: fix several potential buffer overflows
>    * imap/imapd.c:
>      - cmd_fetch(), cmd_partial(): fixed insufficient checking of the command
>        string: the command "body[p"/"BODY[P" was recognized as
>        "body.peek"/"BODY.PEEK" which caused an incrementation of the command
>        buffer pointer beyond the allocated memory
>      - fixed two incarnations of "flag[nflags++] = xstrdup(...)"; the value of
>        nflags within functions called by xstrdup() is undefined and different
>        gcc versions handle this differently
>    * Note: this version is not vulnerable to CAN-2004-1011
>    * References:
>      CAN-2004-1012, CAN-2004-1013
>      http://security.e-matters.de/advisories/152004.html
> ------------------- snip -----------------

CAN-2004-1015 missing.  Not sure if the version in ubuntu or unstable is
vulnerable, though.

Henrique, please mention the respective CVE Id in the proper changelog
entry and please let me know which version in unstable fixes the problems.

Regards,

	Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.
[patch.CAN-2004-1012.cyrus-impad (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #25 received at 282681@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Martin Schulze <joey@infodrom.org>, 282681@bugs.debian.org
Cc: Martin Pitt <martin.pitt@canonical.com>, team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 08:41:59 -0200
On Wed, 24 Nov 2004, Martin Schulze wrote:
> CAN-2004-1015 missing.  Not sure if the version in ubuntu or unstable is
> vulnerable, though.

I didn't know about that one. Any references? Google is useless for things
like this, and the CVE database is totally useless for CAN references (which
is quite aggravating).

> Henrique, please mention the respective CVE Id in the proper changelog

I usually do. In this case, I did as well, although I didn't bother
repeating them on the 2.1.17-1 entry (since they are in 2.1.16-11). 

On a related note, I will not pretend I even remotely understood how the
flag[nflags++] code could be a security hole *on 2.1.16*, unless something
is buggy enough to think nflags++ is the same as ++nflags...  On 2.1.x,
xstrdup doesn't appear to touch flag or nflags at all, and its args don't
reference either.  I'd appreciate if someone explained where the hole is to
me.

Here are the changelogs:

cyrus21-imapd (2.1.17-1) unstable; urgency=high

  * New upstream source
    * SECURITY FIX:
      Detect and avoid buffer overflow on SASL canonical processing
  * SECURITY FIX (from Ubuntu, thanks to Martin Pitt
    <martin.pitt@canonical.com>): fixed two incarnations of "flag[nflags++]
    = xstrdup(...)"; the value of nflags within functions called by
    xstrdup() is undefined and different gcc versions handle this
    differently (closes: #282681)

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Tue, 23 Nov 2004 19:19:56 -0200

cyrus21-imapd (2.1.16-11) unstable; urgency=high

  * SECURITY FIX:  Exploitable remotely. Could cause root compromise.
    CAN-2004-1012, CAN-2004-1013.  Backport of upstream 2.2.x fixes to
    2.1.16 by David Carter (closes: #282619)
  * Possible security fix: don't assume long lines have a null in them. from
    Philip Chambers <P.A.Chambers@exeter.ac.uk>.  Backported from 2.2.9
  * Change suggested DEB_BUILD_OPTIONS for debugging in README.Debian.debug
  * Add note about really meaning it when I tell people to pay attention to
    their new SASLv2 setup in UPGRADE.Debian (closes: #277072)
  * Always remove all dpkg-statusoverride entries, even if the user request
    that the spool directories not be removed (closes: #231068)

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Tue, 23 Nov 2004 10:43:11 -0200

> entry and please let me know which version in unstable fixes the problems.

2.1.17-1 fixes all problems reported by e-matters GmbH on 2004-11-22.  As
far as I understood things, so does 2.1.16-11.  I have no idea about this
CAN-2004-1015, though.  And apparently, nor does Cyrus upstream, so please
send us the references...

Note that there was a SASL buffer overflow fix on upstream CVS, for which I
had no CVE references. I have no idea if it was just a bad behaviour fix, or
a security hole fix. Maybe this is CAN-2004-1015?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #30 received at 282681@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Bug Tracking System <282681@bugs.debian.org>, team@security.debian.org
Subject: Re: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 11:58:05 +0100
[Message part 1 (text/plain, inline)]
Hi!

Martin Schulze [2004-11-24 11:07 +0100]:
> CAN-2004-1015 missing.  Not sure if the version in ubuntu or unstable is
> vulnerable, though.

No it isn't, I checked. The whole code part that contains this bug
apparently appeared not until version 2.2.

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #35 received at 282681@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 282681@bugs.debian.org, Martin Pitt <martin.pitt@canonical.com>, team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 11:58:33 +0100
Henrique de Moraes Holschuh wrote:
> On Wed, 24 Nov 2004, Martin Schulze wrote:
> > CAN-2004-1015 missing.  Not sure if the version in ubuntu or unstable is
> > vulnerable, though.
> 
> I didn't know about that one. Any references? Google is useless for things
> like this, and the CVE database is totally useless for CAN references (which
> is quite aggravating).

Both Google and CVE are usually quite helpful with this, except for the
cases where the CAN is not yet published.

The text for it is:

        "Proxyd.c contains a IMAPMAGICPLUS overflow in its
        proxyd_canon_user function fixed in 2.2.10."

> he noticed that the patch to 2.2.9 is incomplete. Proxyd.c contains
> the same IMAPMAGICPLUS overflow in its proxyd_canon_user function.

This is fixed in 2.2.10 now.

> On a related note, I will not pretend I even remotely understood how the
> flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> is buggy enough to think nflags++ is the same as ++nflags...  On 2.1.x,
> xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> reference either.  I'd appreciate if someone explained where the hole is to
> me.

The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
and try to clean up the variable where the new memory was supposed to end
up.

> 2.1.17-1 fixes all problems reported by e-matters GmbH on 2004-11-22.  As
> far as I understood things, so does 2.1.16-11.  I have no idea about this
> CAN-2004-1015, though.  And apparently, nor does Cyrus upstream, so please
> send us the references...

It came from Cyrus upstream and went into 2.2.10.

> Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> had no CVE references. I have no idea if it was just a bad behaviour fix, or
> a security hole fix. Maybe this is CAN-2004-1015?

Could that be DSA 563 alias CAN-2004-0884?

Regards,

	Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #40 received at 282681@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 282681@bugs.debian.org, Martin Pitt <martin.pitt@canonical.com>, team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 09:31:44 -0200
[Message part 1 (text/plain, inline)]
On Wed, 24 Nov 2004, Martin Schulze wrote:
> Both Google and CVE are usually quite helpful with this, except for the
> cases where the CAN is not yet published.

Which is exactly when I need them, to track down the references and fix the
packages.  Well, as long as people tell me the CAN number and a reference to
what the bug is in the first place...

> > On a related note, I will not pretend I even remotely understood how the
> > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > is buggy enough to think nflags++ is the same as ++nflags...  On 2.1.x,
> > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > reference either.  I'd appreciate if someone explained where the hole is to
> > me.
> 
> The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> and try to clean up the variable where the new memory was supposed to end
> up.

There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

> > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > a security hole fix. Maybe this is CAN-2004-1015?
> 
> Could that be DSA 563 alias CAN-2004-0884?

No. It is related to mysasl_canon_user, and it was not in my tree yet.  See
the attached patch.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
[foo (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #45 received at 282681@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 282681@bugs.debian.org, Martin Pitt <martin.pitt@canonical.com>, team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Wed, 24 Nov 2004 12:44:19 +0100
Henrique de Moraes Holschuh wrote:
> > > On a related note, I will not pretend I even remotely understood how the
> > > flag[nflags++] code could be a security hole *on 2.1.16*, unless something
> > > is buggy enough to think nflags++ is the same as ++nflags...  On 2.1.x,
> > > xstrdup doesn't appear to touch flag or nflags at all, and its args don't
> > > reference either.  I'd appreciate if someone explained where the hole is to
> > > me.
> > 
> > The problem is in connection to xfzmalloc() and xstrfcpy() which can fail
> > and try to clean up the variable where the new memory was supposed to end
> > up.
> 
> There isn't a xfzmalloc() nor a xstrfcpy() on Cyrus 2.1.16/2.1.17...

Sorry, it's xzmalloc() and xstrdup().  I wrote from memory without checking
the code again.

> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> > 
> > Could that be DSA 563 alias CAN-2004-0884?
> 
> No. It is related to mysasl_canon_user, and it was not in my tree yet.  See
> the attached patch.

I see.  I'll poke MITRE.  If a CVE Id will be assigned, I'll pass it
on to you.

Regards,

	Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/
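
The ordering question discussed in the messages above, as a stand-alone C example added to this log (not Cyrus code): in `flag[nflags++] = f(...)` the increment is not sequenced against the call, so code running inside `f` may see the counter already raised while the slot is still unassigned. `dup_and_observe()` and `count_unassigned()` are hypothetical stand-ins for xstrdup() and for whatever cleanup code would walk the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXFLAGS 8

static char *flag[MAXFLAGS]; /* parsed flag names */
static int nflags;           /* number of entries the rest of the code trusts */
static int stale_seen;       /* unassigned slots visible from inside the callee */

/* What a cleanup or error handler would find if it walked flag[0..nflags)
 * at this moment: entries that are counted but not yet assigned. */
static int count_unassigned(void)
{
    int i, n = 0;

    for (i = 0; i < nflags; i++)
        if (flag[i] == NULL)
            n++;
    return n;
}

/* Stand-in for xstrdup(): copies s and records the state it can observe. */
static char *dup_and_observe(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);

    if (copy == NULL)
        abort();
    memcpy(copy, s, n);
    stale_seen = count_unassigned();
    return copy;
}

static void reset_flags(void)
{
    int i;

    for (i = 0; i < MAXFLAGS; i++) {
        free(flag[i]);
        flag[i] = NULL;
    }
    nflags = 0;
    stale_seen = -1;
}

/* Pattern quoted in the changelog. The callee may run before or after the
 * increment takes effect, so the result is 0 or 1 depending on the compiler. */
static int store_combined(const char *s)
{
    reset_flags();
    flag[nflags++] = dup_and_observe(s);
    return stale_seen;
}

/* Split form: the counter is raised only after the slot holds a valid
 * pointer, so the callee always sees a consistent array (result 0). */
static int store_split(const char *s)
{
    char *copy;

    reset_flags();
    copy = dup_and_observe(s);
    flag[nflags] = copy;
    nflags++;
    return stale_seen;
}

int main(void)
{
    /* "\\Seen" is a constructed sample flag name. */
    printf("combined: callee saw %d unassigned slot(s)\n", store_combined("\\Seen"));
    printf("split:    callee saw %d unassigned slot(s)\n", store_split("\\Seen"));
    return 0;
}
```
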



Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#282681; Package cyrus21-imapd. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>. Full text and rfc822 format available.

Message #50 received at 282681@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 282681@bugs.debian.org, Martin Pitt <martin.pitt@canonical.com>, team@security.debian.org
Subject: Re: Bug#282681: cyrus21-imapd: Vulnerable to CAN-2004-1012 and -13
Date: Mon, 29 Nov 2004 19:50:17 +0100
Henrique de Moraes Holschuh wrote:
> > > Note that there was a SASL buffer overflow fix on upstream CVS, for which I
> > > had no CVE references. I have no idea if it was just a bad behaviour fix, or
> > > a security hole fix. Maybe this is CAN-2004-1015?
> > 
> > Could that be DSA 563 alias CAN-2004-0884?
> 
> No. It is related to mysasl_canon_user, and it was not in my tree yet.  See
> the attached patch.

Please use CAN-2004-1067 for the new SASL bug.  Please add this id to
the proper changelog entry with the next upload.

Am I right that it doesn't affect woody?

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.



Bug reopened, originator not changed. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, send any further explanations to Martin Pitt <martin.pitt@canonical.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:44:31 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:48:58 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:40:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.