Intro ----- up-imapproxy is an IMAP proxy which keeps connections open after client has logged out, and reuses it when client connects back. This is mostly useful for webmail-type clients. Summary ------- There are various bugs in up-imapproxy which can crash it. Since up-imapproxy runs in a single process with each connection handled in a separate thread, any crash kills all the connections and stops listening for new ones. In 64bit systems it might be possible to make it leak data (mails, passwords, ..) from other connections to attacker's connection. However I don't think up-imapproxy actually works in any 64bit system so this is just a theoretical problem. I'd also advise against using it's SELECT-cache feature (disabled by default), since its design is fundementally broken. It may cause random problems with clients if the same mailbox is opened by multiple clients, or if the mailbox is modified behind up-imapproxy. Details ------- Literal sizes were stored in a signed long integer. I wonder why since pretty much everything else was stored in unsigned integers.. Luckily this doesn't actually cause any buffer overflows in 32bit systems. With 64bit systems it would have allowed reading the buffer past it's boundaries (and thus possibly going into memory allocated by other connections). IMAP_Line_Read() allows literals, but it's used in some places where literals aren't expected. Any misuse will kill the proxy. One example is user/password in AUTHENTICATE LOGIN. If literal is given to unknown command, it's not properly handled. For example next command after "x foo {5}" kills the proxy. strncpy() is assumed to NUL-terminate the strings. I didn't see this causing any real problems though. Workaround ---------- Don't give direct IMAP access to up-imapproxy. It shouldn't be possible to exploit these bugs via webmails. Fix --- Author seems to have gone away. I tried sending a few emails over a month ago with no reply. Its web site is currently broken too. I don't really like saying "no fix available", so I wrote a patch which fixes the above problems. There might still be some problems left though. Note that I did only minimal testing with the patch.
Created attachment 43559 [details, diff] up-imapproxy-dos.patch Patch from advisory
net-mail, please verify and apply patch.
lewk, I can't get the patch to apply cleanly, and I'm really pushed for time to test it all at the moment. Since upstream is dead and a few other packages do the same job, myself and Tuan think that a package.mask might be best. Any opposition?
Tom, The patch is incomplete, and there are many flaws in it. I've contacted the writer of the patch to see if he has fixed these issues. Since we have a semi-working patch in our hands, we should try to get that working before we go ahead an package.mask it. That should be our last resort.
Nevermind, upstream is alive again and 1.2.3rc2 has been released to fix these issues. Tom, please bump.
Okay, bumped in CVS. Thanks Luke.
Thx Tom. Please do not close security bugs. x86 please mark 1.2.3_rc2 stable.
x86 done..
This is a C4 closing without GLSA.
Sorry about that, for a minute I thought it was just the theoretical vulnerability on 64 bit systems that was the problem.
*** Bug 72463 has been marked as a duplicate of this bug. ***
Changed from C4 -> B3. Security, please vote on glsa!
We'll assume this proxy use is mostly internal or even loopbacked, so it's not a likely DoS target, so I would vote no GLSA. "imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible."
I agree again, no GLSA on this one.
I shouldn't dig out the dead bugs.
