Bug 630684 (CVE-2017-14230)

Summary:	<net-mail/cyrus-imapd-3.0.4: use of uninitialized memory causes either denial of service or information leak
Product:	Gentoo Security	Reporter:	Aleksandr Wagner (Kivak) <alwag>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gustavo, maintainer-needed, net-mail+disabled
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve]
Package list:	=net-mail/cyrus-imapd-3.0.4 =dev-libs/xapian-1.4.4 hppa ppc ppc64 =dev-libs/xapian-bindings-1.4.4 hppa ppc ppc64 =app-text/xapian-omega-1.4.4 hppa ppc ppc64	Runtime testing required:	No

Description Aleksandr Wagner (Kivak) 2017-09-11 14:45:29 UTC

CVE-2017-14230 (https://nvd.nist.gov/vuln/detail/CVE-2017-14230):

In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow remote attackers to obtain sensitive information or cause a denial of service (daemon crash) via a 'LIST "" "Other Users"' command.

References:

https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79
https://github.com/cyrusimap/cyrus-imapd/issues/2132
https://lists.andrew.cmu.edu/pipermail/cyrus-announce/2017-September/000145.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.4.html

Comment 1 D'juan McDonald (domhnall) 2017-09-12 00:13:24 UTC

@arches, please test and mark stable as 3.0.4 is already in tree. 

@kivak, apologies to you sir, I missed the 'before' version part. Thanks for pointing this out!

Comment 2 Yury German Gentoo Infrastructure

2017-09-15 16:23:12 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 3 Stabilization helper bot gentoo-dev

2017-10-08 19:00:52 UTC

An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=dev-libs/xapian-1.4.0']
> dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=dev-libs/xapian-1.4.0']
> dependency.bad net-mail/cyrus-imapd/cyrus-imapd-3.0.4.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['>=dev-libs/xapian-1.4.0']

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-13 15:05:55 UTC

x86 stable

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-15 21:34:58 UTC

ppc64 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-16 23:29:18 UTC

ppc stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-10-25 09:32:03 UTC

amd64 stable

Comment 8 Gustavo Zacarias 2017-10-26 10:28:14 UTC

Has bug #604466 been addressed?
It makes cyrus-imapd completely unusable in any non-trivial configuration.

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-26 19:07:48 UTC

hppa stable

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2018-01-15 16:12:12 UTC

@maintainer(s), please clean or mask the vulnerable versions.

Comment 11 Larry the Git Cow gentoo-dev

2018-01-22 13:50:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0394e840f16921bebb2eefbf30acc7073ca348a1

commit 0394e840f16921bebb2eefbf30acc7073ca348a1
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2018-01-22 13:49:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2018-01-22 13:49:20 +0000

    package.mask: mask vulnerable net-mail/cyrus-imapd-2.5 releases
    
    Masked versions will be removed in 30 days
    Bug: https://bugs.gentoo.org/630684

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)}

Comment 12 Tony Vroon (RETIRED) gentoo-dev

2018-03-09 10:44:19 UTC

(In reply to Gustavo Zacarias from comment #8)
> Has bug #604466 been addressed?
> It makes cyrus-imapd completely unusable in any non-trivial configuration.

It has not, and we have just masked off the last working release. Can we please, please stable 3.0.5 instead?

Comment 13 Eray Aslan gentoo-dev

2018-03-09 10:49:24 UTC

(In reply to Tony Vroon from comment #12)
> It has not, and we have just masked off the last working release. Can we
> please, please stable 3.0.5 instead?

Submitted:
https://bugs.gentoo.org/649996

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2018-11-24 23:06:09 UTC

GLSA Vote: No.


Bug will remain open to track cleanup (once maintainer is comfortable dropping it)

Comment 15 Aaron Bauman (RETIRED) gentoo-dev

2019-03-26 20:17:20 UTC

tree is clean