(Apple Issues Fix for OS X) Cyrus IMAP 'imap magic plus' Buffer Overflow Lets Remote Users Execute Arbitrary Code
|
SecurityTracker Alert ID: 1013499
|
SecurityTracker URL: http://securitytracker.com/id/1013499
|
CVE Reference: CAN-2004-1015
|
Date: Mar 22 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.2.9 and prior versions
|
Description:
A buffer overflow vulnerability was reported in the proxyd component of Cyrus IMAP. A remote user can execute arbitrary code.
It is reported that the 'imap magic plus' support code contains a buffer overflow that a remote user can trigger before authenticating.
|
Impact:
A remote user can execute arbitrary code on the target system.
|
Solution:
Apple has issued a fix as part of Apple Security Update 2005-003, described at:
http://docs.info.apple.com/article.html?artnum=301061
|
Vendor URL: asg.web.cmu.edu/cyrus/
|
Cause:
Boundary error
|
Underlying OS:
UNIX (OS X)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 21 Mar 2005 22:37:27 -0500
Subject: http://docs.info.apple.com/article.html?artnum=301061
|
Security Update 2005-003
* Cyrus IMAP
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067
Impact: Multiple vulnerabilities in Cyrus IMAP, including remotely exploitable
denial of service and buffer overflows.
Description: Cyrus IMAP is updated to version 2.2.12, which includes fixes for
buffer overflows in fetchnews, backend, proxyd, and imapd. Further information is
available from http://asg.web.cmu.edu/cyrus/download/imapd/changes.html.