Summary: net-mail/courier-imap: Remote Format String Vulnerability
Product: Gentoo Security
Reporter: Joshua J. Berry (CondorDes) (RETIRED) <condordes>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B0 [stable] condordes
Package list: (none)
Runtime testing required: ---
Bug Depends on: 61464
Description Joshua J. Berry (CondorDes) (RETIRED) 2004-08-19 01:46:02 UTC
There is a format string vulnerability in the auth_debug() function which can be exploited remotely. This vulnerability can only be exploited if DEBUG_LOGIN is set to something other than 0 in the imapd config file. Courier versions 1.6.0 through 2.2.1 (inclusive) are affected.
Comment 1 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-19 02:09:32 UTC
I should emphasize that this is potentially a remote root, as courier-imapd usually runs with root privileges so that it can access users' mailboxes. robbat2, or someone from net-mail -- can you please look at the iDEFENSE advisory and tell us what you think? Will an upgrade to 3.0.x fix the problem? I know that we still have a 2.1.2 version in Portage; would it be possible to remove that? I don't think we need to do any keywording; 3.0.2 is already marked stable everywhere it counts. Security -- I am assuming that since this is a remote root, it's worthy of GLSAage, even though (a) it's for an old version, and (b) it requires debugging to be turned on. What are your thoughts?
Comment 2 Tuan Van (RETIRED) 2004-08-19 07:50:10 UTC
[quote] VI. VENDOR RESPONSE This issue has been resolved in the latest version of Courier IMAP (v3.0.7). As well, the default setting of 'DEBUG_LOGIN' is '0'. [/quote] Guess we have to bump. robbat2 is on vacation, I'll get the 3.0.7 in the tree very soon.
Comment 3 Tuan Van (RETIRED) 2004-08-19 08:55:37 UTC
> Courier versions 1.6.0 through 2.2.1 (inclusive) are affected.
I missed that. I've checked authlib/debug.c from 3.0.2 to 3.0.5 and confirm that the format string vulnerability code has been removed. courier-imap-3.0.2.ebuild is stable for all the arches that have a stable keyword with courier-imap-2.1.2-r2.ebuild. ITW, I've removed courier-imap-2.1.2-r2.ebuild from the tree, and no other action is needed on the net-mail part or from the arches team.
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-19 11:33:03 UTC
Arches: please test net-mail/courier-imap-3.0.5 and mark stable. I've gone over the different versions (I looked at 2.1.2, 3.0.2, 3.0.4 and 3.0.5). As far as I can tell, everything up through 3.0.2 (inclusive) is vulnerable. The problem is the "fprintf( stderr, buf );" line. In both 2.1.2 and 3.0.2, this is at authlib/debug.c:83. 3.0.4 is not vulnerable, but 3.0.5 is already in the tree, so we might as well bump to that. I will write the GLSA to reflect this unless someone tells me I'm being stupid. ;)
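The "fprintf( stderr, buf );" line that Comment 4 points at is the classic shape of this bug: text influenced by the remote login attempt ends up as the format argument, so any '%' conversions in it are interpreted by fprintf rather than printed. The C below is an added example, not Courier's code; it keeps the vulnerable line only as a comment and exercises the hardened form, which passes the buffer through a fixed "%s" format. The function names, the debug_login flag standing in for DEBUG_LOGIN, and the sample login string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the DEBUG_LOGIN setting from the imapd config
 * file; 0 means the debug path is never reached, which is why the advisory
 * notes the default of '0' as a mitigation. */
static int debug_login = 0;

void set_debug_login(int on)
{
    debug_login = on;
}

/* Vulnerable pattern as described in this bug (do not use):
 *
 *     fprintf(stderr, buf);
 *
 * 'buf' carries data derived from the client's login exchange, so the
 * client controls the format string. */

/* Hardened version: the attacker-influenced text is an argument to a fixed
 * format, so every '%' in it is emitted literally. It writes into 'out'
 * (capacity 'outlen') instead of stderr so the result can be checked; it
 * returns the number of bytes stored, or 0 when debug logging is off. */
size_t auth_debug_safe(const char *buf, char *out, size_t outlen)
{
    if (!debug_login || outlen == 0)
        return 0;
    int n = snprintf(out, outlen, "%s", buf);
    if (n < 0)
        return 0;
    /* snprintf reports the length it wanted, not what fit; clamp it. */
    return (size_t)n < outlen ? (size_t)n : outlen - 1;
}

/* Review-time check: a message that contains '%' must never be handed to a
 * printf-family function as its format argument. Returns 1 if unsafe. */
int contains_conversion(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[256];
    /* Constructed sample of a login name as it might arrive over the wire;
     * a percent-encoded '@' is a realistic, non-malicious source of '%'. */
    const char *sample = "LOGIN user%40example.org";

    set_debug_login(1);
    auth_debug_safe(sample, out, sizeof out);
    printf("logged: %s\n", out);
    printf("would be unsafe as a format string: %d\n",
           contains_conversion(sample));
    return 0;
}
```

The two compiler flags worth turning on for this class of bug are -Wformat and -Wformat-security, which warn on a non-literal format with no arguments; the commented-out vulnerable line above is exactly what they catch.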
Comment 5 Pieter Van den Abeele (RETIRED) 2004-08-19 11:56:25 UTC
stable on ppc
Comment 6 Tuan Van (RETIRED) 2004-08-19 12:16:10 UTC
x86 done. remove them.
Comment 7 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-19 12:32:06 UTC
Updating status whiteboard. Thanks to everyone for responding so quickly.
Comment 8 Gustavo Zacarias (RETIRED) 2004-08-19 14:45:11 UTC
Comment 9 Danny van Dyk (RETIRED) 2004-08-19 15:23:56 UTC
Comment 10 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-19 16:23:27 UTC
Comment 11 Guy Martin (RETIRED) 2004-08-20 06:15:57 UTC
Done on hppa.
Comment 12 Robin Johnson 2004-08-24 03:51:35 UTC
Sorry to reopen this, but could the following arches please see bug #61464: x86 ppc sparc hppa amd64. I'd like to get 3.0.7 as stable, since 3.0.5 has a number of issues that got fixed in 3.0.6. This is what I get for bumps for security updates while I'm on vacation.
Comment 13 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-24 11:12:19 UTC
Robin/security team -- Is it worth it to issue errata for that GLSA? For those who use OUTBOX and it doesn't work, it seems like they would just naturally try to upgrade, and if 3.0.7 is stable, everything will be fine.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-24 11:31:22 UTC
Arches, please mark 3.0.7 stable. This is not strictly a security bug, so I don't think a GLSA is needed.
Comment 15 Robin Johnson 2004-08-24 11:37:56 UTC
I'd say we don't need any errata, but we do need to get the new version in stable.
Comment 16 Pieter Van den Abeele (RETIRED) 2004-08-24 18:28:07 UTC
stable on ppc
Comment 17 Danny van Dyk (RETIRED) 2004-08-25 14:55:05 UTC
stable on amd64
Comment 18 Jason Wever (RETIRED) 2004-08-25 21:39:29 UTC
Stable on sparc.
Comment 19 SpanKY 2004-08-25 22:17:51 UTC
all arches are done
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-25 23:12:27 UTC
All done. Closing without a new GLSA