| Summary: | net-mail/cyrus-imapd < 2.3.9-r1 Quota calculation integer overflow | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tuan Van (RETIRED) <langthang> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | brenden, ct, dertobi123, maintainer-needed, net-mail+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Other | | |
| URL: | https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2690 | | |
| Whiteboard: | B3 [noglsa] DerCorny | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 201684 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Tuan Van (RETIRED)
2006-08-04 10:04:47 UTC

one could argue about the security impact, but this could be interpreted as some kind of DoS due to disk consumption. net-mail, please apply the patch from the upstream bug and bump the ebuild, thx.

patch applied in cyrus-imapd-2.2.12-r5. Security, now back to you. thanks, Tuan

(In reply to comment #2)
> patch applied in cyrus-imapd-2.2.12-r5. Security, now back to you.
>

um, the patch attached to upstream bug isn't complete. I put cyrus-imapd-2.2.12-r5 in package.mask for now. Will wait for upstream response to that bug.

any news on this one?

net-mail any news on this one?

(In reply to comment #3)
> (In reply to comment #2)
> > patch applied in cyrus-imapd-2.2.12-r5. Security, now back to you.
> >
> um, the patch attached to upstream bug isn't complete. I put
> cyrus-imapd-2.2.12-r5 in package.mask for now. Will wait for upstream response
> to that bug.
>

The last attachment on that bug (https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view) appears to apply cleanly and also works for me. Installed here, compiled cleanly and seems to work properly. At least it removed our quota problem.

net-mail please advise regarding https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view, thanks

"Opened: 2006-08-04 10:04 -0800" net-mail???

net-mail, any news here?

(In reply to comment #6)
> The last attachment on that bug
> (https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view) appears to
> apply cleanly and also works for me.

I'll commit 2.2.12-r6 which includes this patch soon.

Created attachment 125626
2.2.12-2.2.13-64bit-quotas.diff

Changes in attached diff are necessary to get this patch to apply and compile w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13 is still correct?

(In reply to comment #12)
> Created an attachment (id=125626)
> 2.2.12-2.2.13-64bit-quotas.diff
>
> Changes in attached diff are necessary to get this patch to apply and compile
> w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13
> is still correct?
>

What needs to be checked exactly?

(In reply to comment #13)
> (In reply to comment #12)
> > Created an attachment (id=125626)
> > 2.2.12-2.2.13-64bit-quotas.diff
> >
> > Changes in attached diff are necessary to get this patch to apply and compile
> > w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13
> > is still correct?
> >
>
> What needs to be checked exactly?
>

*ping*

Besides the mentioned patch this is also fixed in upstream Cyrus-2.3, once we have 2.3 stable (2.3.9-r1 is a candidate for stabilization in early January per bug #201684) this bug can also be considered fixed then.

I believe you refer to this changelog entry? "Support 64-bit quota usage (both per mailbox and for the entire quotaroot), based on a patch from Jeremy Rumpf. Development sponsored by FastMail." If that is the case, we have a vote here. It's a NO for me.

no too, and closing.