Bug 142817 - net-mail/cyrus-imapd < 2.3.9-r1 Quota calculation integer overflow
Summary: net-mail/cyrus-imapd < 2.3.9-r1 Quota calculation integer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.andrew.cmu.edu/show_...
Whiteboard: B3 [noglsa] DerCorny
Keywords:
Depends on: 201684
Blocks:
Reported: 2006-08-04 10:04 UTC by Tuan Van (RETIRED)
Modified: 2008-01-20 10:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
2.2.12-2.2.13-64bit-quotas.diff (2.2.12-2.2.13-64bit-quotas.diff,1.08 KB, patch)
2007-07-22 09:41 UTC, Tobias Scherbaum (RETIRED)

Description Tuan Van (RETIRED) gentoo-dev 2006-08-04 10:04:47 UTC
I am not sure about the security impact of this one. Passing it to you guys for audit.

Thanks,
Tuan
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-04 10:20:14 UTC
One could argue about the security impact, but this could be interpreted as some kind of DoS due to disk consumption.

net-mail, please apply the patch from the upstream bug and bump the ebuild, thx.
Comment 2 Tuan Van (RETIRED) gentoo-dev 2006-08-04 14:06:58 UTC
Patch applied in cyrus-imapd-2.2.12-r5. Security, now back to you.

thanks,
Tuan
Comment 3 Tuan Van (RETIRED) gentoo-dev 2006-08-04 17:35:32 UTC
(In reply to comment #2)
> patch applied in cyrus-imapd-2.2.12-r5 . Security, now back to you.
> 
Um, the patch attached to the upstream bug isn't complete. I put cyrus-imapd-2.2.12-r5 in package.mask for now. Will wait for upstream's response to that bug.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 08:21:03 UTC
Any news on this one?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 12:35:22 UTC
net-mail, any news on this one?
Comment 6 Brenden Matthews 2006-12-23 04:31:02 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > patch applied in cyrus-imapd-2.2.12-r5 . Security, now back to you.
> > 
> um, the patch attached to upstream bug isn't complete. I put
> cyrus-imapd-2.2.12-r5 in package.mask for now. Will wait for upstream response
> to that bug.
> 

The last attachment on that bug (https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view) appears to apply cleanly and also works for me.
Comment 7 Christian Theune 2007-01-08 10:32:56 UTC
Installed here, compiled cleanly and seems to work properly. At least it removed our quota problem.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:53:37 UTC
net-mail, please advise regarding https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view, thanks
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-26 11:32:56 UTC
"Opened: 2006-08-04 10:04 -0800"

net-mail???
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 09:36:41 UTC
net-mail, any news here?
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-22 09:37:23 UTC
(In reply to comment #6)
> The last attachment on that bug
> (https://bugzilla.andrew.cmu.edu/attachment.cgi?id=456&action=view) appears to
> apply cleanly and also works for me.

I'll commit 2.2.12-r6 which includes this patch soon. 

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-22 09:41:39 UTC
Created attachment 125626
2.2.12-2.2.13-64bit-quotas.diff

Changes in attached diff are necessary to get this patch to apply and compile w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13 is still correct?
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 19:51:12 UTC
(In reply to comment #12)
> Created an attachment (id=125626)
> 2.2.12-2.2.13-64bit-quotas.diff
> 
> Changes in attached diff are necessary to get this patch to apply and compile
> w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13
> is still correct?
> 

What needs to be checked exactly?
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:56:51 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > Created an attachment (id=125626)
> > 2.2.12-2.2.13-64bit-quotas.diff
> > 
> > Changes in attached diff are necessary to get this patch to apply and compile
> > w/ 2.2.13 - can someone from security please verify that the patch for 2.2.13
> > is still correct?
> > 
> 
> What needs to be checked exactly?
> 

*ping*
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-18 17:56:29 UTC
Besides the mentioned patch, this is also fixed in upstream Cyrus-2.3; once we have 2.3 stable (2.3.9-r1 is a candidate for stabilization in early January per bug #201684), this bug can also be considered fixed.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-01-19 23:39:22 UTC
I believe you refer to this changelog entry?
"Support 64-bit quota usage (both per mailbox and for the entire quotaroot), based on a patch from Jeremy Rumpf. Development sponsored by FastMail."

If that is the case, we have a vote here. It's a NO for me.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-20 10:55:11 UTC
No too, and closing.