Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 283596 (CVE-2009-2632) - <net-mail/cyrus-imapd-2.3.14-r3 buffer overflow (CVE-2009-2632)
Summary: <net-mail/cyrus-imapd-2.3.14-r3 buffer overflow (CVE-2009-2632)
Status: RESOLVED FIXED
Alias: CVE-2009-2632
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/336053
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: 285324
  Show dependency tree
 
Reported: 2009-09-03 17:22 UTC by Tobias Scherbaum (RETIRED)
Modified: 2011-10-22 04:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
config log [hppa,fail] (config.log,192.14 KB, text/plain)
2009-09-07 13:53 UTC, Jeroen Roovers (RETIRED)
no flags Details
emerge --info [hppa] (emerge.info-elmer,6.06 KB, text/plain)
2009-09-14 19:15 UTC, Jeroen Roovers (RETIRED)
no flags Details
revised fix-db-rpath patch (cyrus-imapd-2.3.14-fix-db-rpath.patch,1.22 KB, patch)
2009-09-18 02:40 UTC, Jeroen Roovers (RETIRED)
no flags Details | Diff
Correct whitespace, file paths (cyrus-imapd-2.3.14-fix-db-rpath.patch,1.26 KB, patch)
2009-09-18 02:45 UTC, Jeroen Roovers (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-03 17:22:41 UTC
See mail below from Bron Gondwana <brong@fastmail.fm>. This issue is semi-public (patch committed to public scm repository, not published yet). I'll bump to 2.3.14-r3 soonish and like to see this version marked as stable.


##-->

Hi,

I'm emailing you to give you a heads-up because you maintain packages
of the Cyrus email server.  CMU will be making an announcement once
they've got new packages ready to go.

I discovered a buffer overflow bug in sieve that one of our users
accidentally triggered, but which looks easily exploitable by anyone
who can create a sieve script and cause it to be executed.

I'll paste in the content of the advisory that I wrote up for CMU,
and the patch (which you will also see has been applied to CVS for
both 2.3 and 2.2)

If you can think of any other maintainers who need to be told, let
me know!  I've got redhat, debian, freebsd and gentoo here I think,
plus Simon who maintains his own separate RPM set.  I couldn't
figure out who in the Solaris world to contact.

Regards,

Bron.

================

Incorrect use of sizeof() on a character pointer rather than a
character buffer caused negative lengths to be passed to snprintf,
which were then converted to unsigned values, meaning that the
snprintf statements were effectively unbounded.

A sieve script containing either a single long rejection message or
a large enough number of shorter actions causes the action_string
buffer to overflow by an arbitrary amount when processing an incoming
email.  The content of the overflow is entirely determinable by the
author of the sieve script.  The content of the incoming email has
no influence on the exploit other than determining which sieve rules
are executed.  The exploit is only influenced by the content of the
sieve script.

While it is trivial for a user message to cause a crash, an exploit
would require an authenticated user to be actively malicious, so
random emails from the internet are not a risk if none of your users
have created sieve scripts that can cause a large enough set of
action items to be "printed" to the actions_string variable.

This exploit allows privilege escalation by any user able to create
a sieve script and have it executed by an email delivery.  The attacker
gains full access as the "cyrus" operating system user, including the
ability to read and modify the emails of all other users on the server.

<--##
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-03 17:54:41 UTC
Candidate for stabilization:

=net-mail/cyrus-imapd-2.3.14-r3
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-03 18:30:13 UTC
Setting permissions.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-03 20:31:38 UTC
Arch Security Liaisons, please test the attached ebuild mark it stable. (Semi-public means you can commit to CVS)

Target keywords : "amd64 hppa ppc ppc64 sparc x86"

CC'ing current Liaisons:
   amd64 : keytoaster, chainsaw
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : armin76, tcunha
     x86 : fauli, maekke
Comment 4 Tony Vroon gentoo-dev 2009-09-07 09:51:19 UTC
+  07 Sep 2009; <chainsaw@gentoo.org> cyrus-imapd-2.3.14-r3.ebuild:
+  Marked stable on AMD64 as requested by Tobias Scherbaum
+  <dertobi123@gentoo.org> in bug #283596. Tested as a secure IMAP
+  (IMAPS/mandatory TLS) provider with inbound mail over LMTP.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-07 11:08:23 UTC
checking for prop_get in -lsasl2... no
configure: error: Cannot continue without libsasl2.

I remerge cyrus-sasl to be sure...
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-07 13:53:54 UTC
Created attachment 203366 [details]
config log [hppa,fail]

(In reply to comment #5)
> checking for prop_get in -lsasl2... no
> configure: error: Cannot continue without libsasl2.
> 
> I remerge cyrus-sasl to be sure...

That isn't the first error (but the first fatal one).
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-09-10 00:09:51 UTC
now public. Tobias, can you please look into the compile errors before we readd arches? Thanks!
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-10 09:53:31 UTC
CVE-2009-2632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2632):
  Buffer overflow in the SIEVE script component (sieve/script.c) in
  cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14 allows local users
  to execute arbitrary code and read or modify arbitrary messages via a
  crafted SIEVE script, related to the incorrect use of the sizeof
  operator for determining buffer length, combined with an integer
  signedness error.

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-12 10:17:51 UTC
(In reply to comment #7)
> now public. Tobias, can you please look into the compile errors before we readd
> arches? Thanks!
> 

I can't reproduce the failure on hppa or amd64.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-13 09:02:28 UTC
(In reply to comment #9)
> (In reply to comment #7)
> > now public. Tobias, can you please look into the compile errors before we readd
> > arches? Thanks!
> > 
> 
> I can't reproduce the failure on hppa or amd64.
> 

and works for me on ppc, too. Some more information on that failures would be nice ...
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-09-13 10:07:28 UTC
There's a config.log attached to the bug, does not help? I'm ccing fauli and jer, maybe they habe some more info.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-14 19:15:20 UTC
Created attachment 204117 [details]
emerge --info [hppa]
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-18 02:07:02 UTC
Obviously something is changing LDFLAGS from this
LDFLAGS="-Wl,-O1"
to this (as it is used in the configure script):
LDFLAGS='-L/usr/lib /usr/lib -Wl,-O1'

[ebuild  N    ] net-mail/cyrus-imapd-2.3.14-r3  USE="kerberos nntp pam sieve snmp ssl tcpd -idled -kolab -replication" 0 kB

However, configure succeeds and when I choose USE="-kerberos" so that should narrow the scope of the problem quite a bit.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-18 02:40:57 UTC
Created attachment 204483 [details, diff]
revised fix-db-rpath patch

The original fix-db-rpath patch assumes that $andrew_runpath_switch = none, but that value isn't set anywhere in configure or elsewhere, so with the current patch LDFLAGS gets erroneously set to include /usr/lib, as $andrew_runpath_switch is unset:

LDFLAGS="-L$1 $andrew_runpath_switch$1 ${LDFLAGS}"

This patch removes the (unneeded) check for $andrew_runpath_switch and makes cyrus-imapd compile fine.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-18 02:45:29 UTC
Created attachment 204485 [details, diff]
Correct whitespace, file paths
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-18 12:50:02 UTC
(In reply to comment #15)
> Created an attachment (id=204485) [edit]
> Correct whitespace, file paths
> 

In CVS. Thanks! :)
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-18 17:15:57 UTC
Let's try again. Add arches?
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2009-09-18 17:28:10 UTC
(In reply to comment #17)
> Let's try again. Add arches?
> 

uhrm, yeah
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-19 15:18:37 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > Let's try again. Add arches?
> > 
> 
> uhrm, yeah

Stable for HPPA.
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-23 14:02:43 UTC
### Making all in /var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest
make[1]: Entering directory `/var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest'
i686-pc-linux-gnu-gcc -c -I.. -I./../lib -I../com_err/et     -DHAVE_CONFIG_H  -O2 -march=i686 -pipe imtest.c
imtest.c: In function ‘main’:
imtest.c:2529: error: ‘tls_conn’ undeclared (first use in this function)
imtest.c:2529: error: (Each undeclared identifier is reported only once
imtest.c:2529: error: for each function it appears in.)
imtest.c:2531: error: ‘SSL_SENT_SHUTDOWN’ undeclared (first use in this function)
imtest.c:2531: error: ‘SSL_RECEIVED_SHUTDOWN’ undeclared (first use in this function)
make[1]: *** [imtest.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest'
make: *** [all] Error 1

This is without USE=ssl.
Comment 21 Brent Baude (RETIRED) gentoo-dev 2009-09-25 18:07:23 UTC
ppc64 done
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2009-10-19 16:51:39 UTC
(In reply to comment #20)
> ### Making all in
> /var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest
> make[1]: Entering directory
> `/var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest'
> i686-pc-linux-gnu-gcc -c -I.. -I./../lib -I../com_err/et     -DHAVE_CONFIG_H 
> -O2 -march=i686 -pipe imtest.c
> imtest.c: In function ‘main’:
> imtest.c:2529: error: ‘tls_conn’ undeclared (first use in this function)
> imtest.c:2529: error: (Each undeclared identifier is reported only once
> imtest.c:2529: error: for each function it appears in.)
> imtest.c:2531: error: ‘SSL_SENT_SHUTDOWN’ undeclared (first use in this
> function)
> imtest.c:2531: error: ‘SSL_RECEIVED_SHUTDOWN’ undeclared (first use in this
> function)
> make[1]: *** [imtest.o] Error 1
> make[1]: Leaving directory
> `/var/tmp/portage/net-mail/cyrus-imapd-2.3.14-r3/work/cyrus-imapd-2.3.14/imtest'
> make: *** [all] Error 1
> 
> This is without USE=ssl.
> 

That's a regression?
Comment 23 Markus Meier gentoo-dev 2009-11-16 22:57:35 UTC
(In reply to comment #22)
> That's a regression?

you should know that =)
no it's not a regression.

Comment 24 Tobias Scherbaum (RETIRED) gentoo-dev 2009-11-17 18:06:57 UTC
(In reply to comment #23)
> (In reply to comment #22)
> > That's a regression?
> 
> you should know that =)
> no it's not a regression.
> 

If it's not a regression it's ok to ignore this issue for now and get this one marked as stable *now*. It's still a security issue ...
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-18 18:00:31 UTC
x86 stable then.
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2009-12-13 12:28:21 UTC
sparc stable
Comment 27 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 09:37:04 UTC
Marked ppc stable.
Comment 28 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-11 20:38:28 UTC
GLSA request filed.
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:34:06 UTC
This issue was resolved and addressed in
 GLSA 201110-16 at http://security.gentoo.org/glsa/glsa-201110-16.xml
by GLSA coordinator Tim Sammut (underling).