Debian Bug report logs - #547712
CVE-2009-2632: Buffer overflow in the SIEVE script component

Package: kolab-cyrus-imapd; Maintainer for kolab-cyrus-imapd is Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Mon, 21 Sep 2009 18:45:07 UTC

Severity: grave

Tags: security

Fixed in versions kolab-cyrus-imapd/2.2.13-5.1, kolab-cyrus-imapd/2.2.13-6

Done: Mathieu Parent <sathieu@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>:
Bug#547712; Package kolab-cyrus-imapd. (Mon, 21 Sep 2009 18:45:10 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>. (Mon, 21 Sep 2009 18:45:10 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2632: Buffer overflow in the SIEVE script component
Date: Mon, 21 Sep 2009 20:24:36 +0200
Package: kolab-cyrus-imapd
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kolab-cyrus-imapd.

CVE-2009-2632[0]:
| Buffer overflow in the SIEVE script component (sieve/script.c), as
| used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and
| Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to
| execute arbitrary code and read or modify arbitrary messages via a
| crafted SIEVE script, related to the incorrect use of the sizeof
| operator for determining buffer length, combined with an integer
| signedness error.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2632
    http://security-tracker.debian.net/tracker/CVE-2009-2632


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq3xN0ACgkQNxpp46476aoKcwCfQN+gUb2JMpzFYvRnu8ZlfY3s
5bEAoI9ZX21e1dUaBdEG8KGnDrpWoHnI
=BODE
-----END PGP SIGNATURE-----
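
The bug class named in the CVE text above (`sizeof` applied to a pointer instead of the buffer, combined with signed length arithmetic), shown beside a hardened form. This is an added illustration, not the Cyrus or Dovecot source; `ERRBUF_CAP`, `remaining_buggy`, `remaining_fixed` and `append_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_CAP 64   /* constructed capacity for this illustration */

/* BUGGY: 'buf' is a pointer here, so sizeof(buf) is the pointer size
 * (4 or 8), not the 64-byte capacity. Once 'used' exceeds that, the signed
 * subtraction goes negative and the conversion to size_t makes it huge. */
static size_t remaining_buggy(char *buf, int used)
{
    int left = (int)sizeof(buf) - used;   /* negative once used > 8 */
    return (size_t)left;                  /* signedness error: wraps */
}

/* FIXED: the capacity is passed explicitly and the arithmetic stays
 * unsigned, with the subtraction guarded so it can never wrap. */
static size_t remaining_fixed(size_t cap, size_t used)
{
    return used < cap ? cap - used : 0;
}

/* Hardened append: returns 0 on success, -1 if 's' plus its NUL
 * terminator would not fit. Never writes past buf[cap - 1]. */
static int append_checked(char *buf, size_t cap, size_t *used, const char *s)
{
    size_t n = strlen(s);
    if (n >= remaining_fixed(cap, *used))
        return -1;
    memcpy(buf + *used, s, n + 1);
    *used += n;
    return 0;
}

int main(void)
{
    char errbuf[ERRBUF_CAP] = "";
    size_t used = 0;
    append_checked(errbuf, sizeof(errbuf), &used, "script error: ");
    printf("buggy bound after %zu bytes: %zu\n", used,
           remaining_buggy(errbuf, (int)used));
    printf("fixed bound after %zu bytes: %zu\n", used,
           remaining_fixed(sizeof(errbuf), used));
    return 0;
}
```

A bound computed the buggy way, handed to `snprintf` or `strncat`, no longer limits the write at all; that is how a length check turns into an overflow.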




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>:
Bug#547712; Package kolab-cyrus-imapd. (Sat, 03 Oct 2009 20:36:03 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>. (Sat, 03 Oct 2009 20:36:03 GMT)

Message #10 received at 547712@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 547712@bugs.debian.org
Subject: NMU
Date: Sat, 03 Oct 2009 22:32:39 +0200
Hi,

Attached is a debdiff of the changes I made for 2.2.13-5.1 0-day NMU

Cheers,
Giuseppe.
[kolab-cyrus-imapd_2.2.13-5.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>:
Bug#547712; Package kolab-cyrus-imapd. (Sat, 03 Oct 2009 20:42:03 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>. (Sat, 03 Oct 2009 20:42:03 GMT)

Message #15 received at 547712@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 547712@bugs.debian.org
Subject: Re: NMU
Date: Sat, 03 Oct 2009 22:35:10 +0200
Giuseppe Iuculano wrote:
> Hi,
> 
> Attached is a debdiff of the changes I made for 2.2.13-5.1 0-day NMU
> 
> Cheers,
> Giuseppe.
> 


The DH_VERBOSE export in debian/rules was not included.

Cheers,
Giuseppe.


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 03 Oct 2009 22:45:17 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 03 Oct 2009 22:45:18 GMT)

Message #20 received at 547712-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 547712-close@bugs.debian.org
Subject: Bug#547712: fixed in kolab-cyrus-imapd 2.2.13-5.1
Date: Sat, 03 Oct 2009 22:25:34 +0000
Source: kolab-cyrus-imapd
Source-Version: 2.2.13-5.1

We believe that the bug you reported is fixed in the latest version of
kolab-cyrus-imapd, which is due to be installed in the Debian FTP archive:

kolab-cyrus-admin_2.2.13-5.1_all.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-admin_2.2.13-5.1_all.deb
kolab-cyrus-clients_2.2.13-5.1_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-clients_2.2.13-5.1_i386.deb
kolab-cyrus-common_2.2.13-5.1_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-common_2.2.13-5.1_i386.deb
kolab-cyrus-imapd_2.2.13-5.1.diff.gz
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-5.1.diff.gz
kolab-cyrus-imapd_2.2.13-5.1.dsc
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-5.1.dsc
kolab-cyrus-imapd_2.2.13-5.1_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-5.1_i386.deb
kolab-cyrus-pop3d_2.2.13-5.1_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-pop3d_2.2.13-5.1_i386.deb
kolab-libcyrus-imap-perl_2.2.13-5.1_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-libcyrus-imap-perl_2.2.13-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 547712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kolab-cyrus-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 03 Oct 2009 20:00:44 +0200
Source: kolab-cyrus-imapd
Binary: kolab-cyrus-common kolab-cyrus-imapd kolab-cyrus-pop3d kolab-cyrus-admin kolab-cyrus-clients kolab-libcyrus-imap-perl
Architecture: source all i386
Version: 2.2.13-5.1
Distribution: unstable
Urgency: high
Maintainer: Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 kolab-cyrus-admin - Cyrus mail system (administration tool)
 kolab-cyrus-clients - Cyrus mail system (test clients)
 kolab-cyrus-common - Cyrus mail system (common files)
 kolab-cyrus-imapd - Cyrus mail system (IMAP support)
 kolab-cyrus-pop3d - Cyrus mail system (POP3 support)
 kolab-libcyrus-imap-perl - Interface to Cyrus imap client imclient library
Closes: 547712
Changes: 
 kolab-cyrus-imapd (2.2.13-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing Security Team.
   * Fix buffer overflow in SIEVE script component
     (CVE-2009-3235, CVE-2009-2632) (Closes: 547712)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrHuDcACgkQNxpp46476aq2TwCfdEo+vknZLln66B6RpEKrvGyY
F8cAn2fq8YFIkb04RE/Ww531C0HXPGJJ
=lsq9
-----END PGP SIGNATURE-----





Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Sun, 04 Oct 2009 17:00:04 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 04 Oct 2009 17:00:04 GMT)

Message #25 received at 547712-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 547712-close@bugs.debian.org
Subject: Bug#547712: fixed in kolab-cyrus-imapd 2.2.13-6
Date: Sun, 04 Oct 2009 16:46:25 +0000
Source: kolab-cyrus-imapd
Source-Version: 2.2.13-6

We believe that the bug you reported is fixed in the latest version of
kolab-cyrus-imapd, which is due to be installed in the Debian FTP archive:

kolab-cyrus-admin_2.2.13-6_all.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-admin_2.2.13-6_all.deb
kolab-cyrus-clients_2.2.13-6_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-clients_2.2.13-6_i386.deb
kolab-cyrus-common_2.2.13-6_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-common_2.2.13-6_i386.deb
kolab-cyrus-imapd_2.2.13-6.diff.gz
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-6.diff.gz
kolab-cyrus-imapd_2.2.13-6.dsc
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-6.dsc
kolab-cyrus-imapd_2.2.13-6_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-6_i386.deb
kolab-cyrus-pop3d_2.2.13-6_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-cyrus-pop3d_2.2.13-6_i386.deb
kolab-libcyrus-imap-perl_2.2.13-6_i386.deb
  to pool/main/k/kolab-cyrus-imapd/kolab-libcyrus-imap-perl_2.2.13-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 547712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated kolab-cyrus-imapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 04 Oct 2009 14:56:07 +0200
Source: kolab-cyrus-imapd
Binary: kolab-cyrus-common kolab-cyrus-imapd kolab-cyrus-pop3d kolab-cyrus-admin kolab-cyrus-clients kolab-libcyrus-imap-perl
Architecture: source all i386
Version: 2.2.13-6
Distribution: unstable
Urgency: low
Maintainer: Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description: 
 kolab-cyrus-admin - Kolab Cyrus mail system - administration tools
 kolab-cyrus-clients - Kolab Cyrus mail system (test clients)
 kolab-cyrus-common - Kolab Cyrus mail system - common files
 kolab-cyrus-imapd - Kolab Cyrus mail system - IMAP support
 kolab-cyrus-pop3d - Kolab Cyrus mail system - POP3 support
 kolab-libcyrus-imap-perl - Kolab Interface to Cyrus imap client imclient library
Closes: 547712
Changes: 
 kolab-cyrus-imapd (2.2.13-6) unstable; urgency=low
 .
   * Synced against cyrus-imapd package
   * Fix and acknowledge NMU for "CVE-2009-2632: Buffer overflow in the SIEVE
     script component" (Closes: #547712)
   * Added me as uploader
   * debian/control:
     - Prefix packages descriptions by "Kolab "
     - Conflicts, Replaces and Provides corresponding cyrus-imapd-2.2 packages
     - Added Recommends and Suggests (based on cyrus-imapd-2.2)
   * Get closer to cyrus-imapd-2.2: cyrus.conf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrIvw4ACgkQOW2jYf5fHX9X+gCeMEZiohN12Ri2txcrUQgGdpN5
53MAnA/d1H+Q/QeyZVayCSOhvRey6gYr
=+PmU
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:28:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:07:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.