SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Server)  >   Cyrus IMAP Server Vendors:   Carnegie Mellon University
Cyrus IMAPd Buffer Overflows in Annotate Extension, Cached Header, and Fetchnews May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013278
SecurityTracker URL:  http://securitytracker.com/id/1013278
CVE Reference:   CAN-2005-0546   (Links to External Site)
Updated:  May 17 2005
Original Entry Date:  Feb 24 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.2.11
Description:   Some buffer overflow vulnerabilities were reported in Cyrus IMAPd. A remote authenticated user may be able to execute arbitrary code.

There are some single byte buffer overflows in the imap annotate extension functions and in the processing of cached headers. A remote authenticated user can invoke these functions to trigger the buffer overflow.

There is also a buffer overflow in the fetchnews function. A news administrator on a peer news system can trigger this buffer overflow.

Sean Larsson is credited with reporting these flaws.
Impact:   A remote authenticated user may be able to execute arbitrary code on the target system with the privileges of the imap service.
Solution:   The vendor has issued a fixed version (2.2.11), available at:

ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz

http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz
Vendor URL:  asg.web.cmu.edu/cyrus/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 24 2005 (Gentoo Issues Fix) Cyrus IMAPd Buffer Overflows in Annotate Extension, Cached Header, and Fetchnews May Let Remote Users Execute Arbitrary Code   (Matthias Geerdsen <vorlon@gentoo.org>)
Gentoo has released a fix.
Mar 6 2005 (Mandrake Issues Fix) Cyrus IMAPd Buffer Overflows in Annotate Extension, Cached Header, and Fetchnews May Let Remote Users Execute Arbitrary Code   (Mandrakelinux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
May 17 2005 (Red Hat Issues Fix) Cyrus IMAPd Buffer Overflows in Annotate Extension, Cached Header, and Fetchnews May Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix.


 Source Message Contents
Date:  Mon,14 Feb 2005 02:14:44 -0500 (EST)
Subject:  CyrusIMAPd 2.2.11 Released


I'm pleased to announce the release of Cyrus IMAPd 2.2.11.  This release
implements several bugfixes, including one byte buffer overruns in the 
imap annotate extension and in cached header handling which can be run by 
any authenticated user, and bounds checking in fetchnews which could be 
exploited by a peer news admin.

It contains no new features.

A full list of changes is available in doc/changes.html in the 
distribution.

Download the release at:
ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz
or
http://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz

Thanks to Sean Larsson for the reports on the buffer overflows.

Derrick Brashear
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC