Bug 45584 - courier-imap <3.0.0: Courier Multiple Remote Buffer Overflow Vulnerabilities
Summary: courier-imap <3.0.0: Courier Multiple Remote Buffer Overflow Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: Bryan Østergaard (RETIRED)
URL: http://www.securityfocus.com/bid/9845...
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks: 45953
Reported: 2004-03-24 03:55 UTC by schaedpq
Modified: 2006-11-04 14:02 UTC (History)

See Also:
Package list:
Runtime testing required: ---
klieber: Pending-


Attachments
courier-imap-3.0.2.ebuild (courier-imap-3.0.2.ebuild,7.50 KB, text/plain)
2004-03-24 11:51 UTC, Joshua J. Berry (CondorDes) (RETIRED)
courier-imap-3.0.2-db40vs41.patch (courier-imap-3.0.2-db40vs41.patch,585 bytes, patch)
2004-03-24 11:53 UTC, Joshua J. Berry (CondorDes) (RETIRED)
courier-imap-3.0.2-removerpm.patch (courier-imap-3.0.2-removerpm.patch,4.16 KB, patch)
2004-03-24 11:54 UTC, Joshua J. Berry (CondorDes) (RETIRED)

Description schaedpq 2004-03-24 03:55:08 UTC
Multiple buffer overflow vulnerabilities have been identified in Courier MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may allow a remote attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. 

Reproducible: Didn't try

Have a look at http://www.securityfocus.com/bid/9845/discussion/:
Multiple buffer overflow vulnerabilities have been identified in Courier MTA,
Courier SqWebMail, and Courier-IMAP. These vulnerabilities may allow a remote
attacker to execute arbitrary code on a vulnerable system in order to gain
unauthorized access.

The issues exist in the 'SHIFT_JIS' converter in 'shiftjis.c' and 'ISO2022JP'
converter in 'so2022jp.c'. An attacker may be able to exploit these issues by
supplying Unicode characters that exceed BMP (Basic Multilingual Plane) range.

These issues have been reported to affect Courier MTA 0.44.2 and prior,
Courier-IMAP 2.2.1 and prior, and Courier SqWebMail 3.6.2 and prior. It has also
been reported that the vulnerable codeset mappings may be employed by the
Courier IMAP and Webmail service, however, they are not enabled by default.

These issues are being further analyzed and this BID will be updated once
analysis is complete.


Solution would be to upgrade to courier-IMAP 3.0.0.
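
An added illustration of the bug class the quoted advisory describes, not Courier's code and not part of the original report: a converter whose mapping table is indexed by code point is accessed out of bounds when a code point above U+FFFF arrives, unless the range is checked first. The table layout and all function names here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy mapping, not Courier's tables: 256 pages selected by the
   high byte of a BMP code point; only page 0x30 (kana) is populated here. */
#define PAGES 256
static const uint16_t kana_page[256] = { [0x42] = 0x82A0 /* U+3042 -> 82 A0 */ };
static const uint16_t *const page_table[PAGES] = { [0x30] = kana_page };

/* Unchecked form: for cp > 0xFFFF, cp >> 8 is >= 256 and indexes past
   page_table. Shown for comparison only; never called below. */
uint16_t lookup_unchecked(uint32_t cp)
{
    const uint16_t *page = page_table[cp >> 8];
    return page ? page[cp & 0xFF] : 0;
}

/* Checked form: code points outside the BMP are treated as unmappable. */
uint16_t lookup_checked(uint32_t cp)
{
    if (cp > 0xFFFF)
        return 0;
    const uint16_t *page = page_table[cp >> 8];
    return page ? page[cp & 0xFF] : 0;
}

/* Convert n code points into out (capacity cap bytes). Returns bytes written,
   or (size_t)-1 if the output would not fit. Unmappable input becomes '?'. */
size_t to_sjis(const uint32_t *in, size_t n, unsigned char *out, size_t cap)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t m = in[i] < 0x80 ? (uint16_t)in[i] : lookup_checked(in[i]);
        size_t need = (m > 0xFF) ? 2 : 1;
        if (cap - w < need)
            return (size_t)-1;          /* never write past the caller's buffer */
        if (m == 0 && in[i] != 0)
            m = '?';                    /* substitute instead of indexing blindly */
        if (need == 2)
            out[w++] = (unsigned char)(m >> 8);
        out[w++] = (unsigned char)(m & 0xFF);
    }
    return w;
}
```
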
Comment 1 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-24 11:19:33 UTC
Courier 3.0.2 is out, so might as well just bump to that version.

I have an ebuild for this, which I am testing now.  I'll attach it here when I'm sure it works.
Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-24 11:51:54 UTC
Created attachment 27944
courier-imap-3.0.2.ebuild

Here is the 3.0.2 ebuild.  I had to tweak two of the patches, and remove the
third. The two new patches are coming shortly.

NOTE that I have only tested the SSL imapd, and not normal IMAP or
POP3/POP3-SSL. But the imapd-ssl seems to work fine.
Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-24 11:53:34 UTC
Created attachment 27945
courier-imap-3.0.2-db40vs41.patch

First patch.

OY. I also forgot to mention, the ebuild I attached probably should be marked
~x86.  It's marked stable right now because I tested it on my "stable" server
(ha), and forgot to change it before I submitted it.
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-24 11:54:12 UTC
Created attachment 27946
courier-imap-3.0.2-removerpm.patch

Second patch.
Comment 5 Frido Ferdinand 2004-03-24 12:26:53 UTC
I've tested this on a non-production server; imap/pop3 seems to work fine. I did not test the -ssl variants.
Comment 6 Devon 2004-03-25 19:42:30 UTC
imap-ssl works for me on my personal mail server.
Comment 7 Tuan Van (RETIRED) gentoo-dev 2004-03-25 21:59:40 UTC
Thanks for the ebuild. pop/pop3-ssl, imap/imap-ssl work as advertised on my home server.
Comment 8 solar (RETIRED) gentoo-dev 2004-03-25 22:35:01 UTC
Hrmm, anybody from net-mail@ going to act on this one?

bug opened >=48hrs
I'll bump this in portage to ~arch if you guys (bug reporters) help confirm it works.
Comment 9 solar (RETIRED) gentoo-dev 2004-03-25 23:02:08 UTC
3.0.2 in portage as ~arch. 
It compiles clean over here, but it's still up to the mail herd and arch-maintainers to test & confirm if it's stable or not.

Adding them to CC by herd name for testing.
Comment 10 solar (RETIRED) gentoo-dev 2004-03-25 23:58:22 UTC
[ebuild   R   ] net-mail/courier-imap-3.0.2  +berkdb -fam +gdbm +ldap +mysql +nls +pam -postgres  0 kB

Can somebody that uses fam & postgres please test with those USE flags.
Comment 11 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-26 00:29:53 UTC
works fine with +fam
Comment 12 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-26 00:48:36 UTC
confirmed working with +fam +postgres
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-03-26 01:34:19 UTC
Sorry about the lack of response on this from me.
I've cleaned up the ebuild a bit, and hammered on it for some testing, and it seems to be stable so I've marked it as x86.
Comment 14 Venkat Manakkal 2004-03-26 05:37:44 UTC
I just completed an update using the ebuild from http://bugs.gentoo.org/show_bug.cgi?id=45584 and then did an emerge clean -
1) /usr/lib/courier-imap/gentoo-courier-imap-*.rc were not included in the new ebuild.

2) /usr/sbin/mkimapdcert and mkpop3dcert were not installed either.

Not sure why these problems arose, but luckily I was able to copy them from another mail server and get back online. I don't have time to debug the ebuild, but make backups of these files before an update.
Comment 15 Frido Ferdinand 2004-03-26 07:03:18 UTC
regarding #14:

Did you place the ebuild inside the current courier-imap dir? It needs a lot
of files from the existing files/ directory.

As an addendum to #5, we just moved it into production (no ssl/fam/*sql), still works fine :)


Comment 16 Venkat Manakkal 2004-03-26 07:39:07 UTC
re#15

No, I did not. I put it in /usr/local/portage/net-mail/courier-imap/ - I will remember next time to copy the old directory there instead of creating a new one. I just did not want it overwritten by the next rsync.

I am sure that now that it is in portage things should be fine.
Comment 17 Jon Portnoy (RETIRED) gentoo-dev 2004-03-26 09:44:25 UTC
Stable on AMD64, removing from CC
Comment 18 Jason Wever (RETIRED) gentoo-dev 2004-03-26 10:28:30 UTC
Stable on sparc.
Comment 19 Guy Martin (RETIRED) gentoo-dev 2004-03-26 11:25:34 UTC
Stable on hppa. Removing CC
Comment 20 Luca Barbato gentoo-dev 2004-03-28 08:29:08 UTC
sejo bumped it on ppc as well, removing ppc from the list
Comment 21 solar (RETIRED) gentoo-dev 2004-03-28 11:11:49 UTC
This is ready for a GLSA now.
Comment 22 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 00:11:27 UTC
GLSA 200403-06 
Comment 23 Joshua Kinard gentoo-dev 2004-11-07 15:32:15 UTC
mips stable long ago.