553660 – <mail-mta/courier-0.75.0: out of bounds memory access

Bug 553660 - <mail-mta/courier-0.75.0: out of bounds memory access

Summary: <mail-mta/courier-0.75.0: out of bounds memory access

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://blog.fuzzing-project.org/17-C...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-06-30 18:21 UTC by Hanno Böck
Modified:	2016-06-22 03:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2015-06-30 18:21:22 UTC

I discovered two out of bounds memory access issues in courier by checking it with address sanitizer. This is one of the cases where I'm not really sure if there's a security issue or not, but for safety I'd like to handle it as such. Here's the background on the found issues:
https://blog.fuzzing-project.org/17-Courier-mail-server-Write-heap-overflow-in-mailbot-tool-and-out-of-bounds-heap-read-in-imap-folder-parser.html

Archs, can you please stabilize courier 0.75.0 and dependencies?
=net-libs/courier-unicode-1.3
=net-libs/courier-authlib-0.66.3
=mail-mta/courier-0.75.0

To the alpha, hppa, ia64 and sparc teams: Your keywords have been dropped when the courier-unicode dep was introduced (rekeywording request in #532520). I will drop the old courier versions, if you want to keep a keyworded version please rekeyword. But I'm also fine with not supporting exotic archs.

Comment 1 Agostino Sarubbo gentoo-dev

2015-07-01 07:33:30 UTC

amd64 stable

Comment 2 Agostino Sarubbo gentoo-dev

2015-07-01 07:33:53 UTC

x86 stable

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2015-07-02 05:04:57 UTC

Stable for HPPA.

Comment 4 Agostino Sarubbo gentoo-dev

2015-07-03 08:56:41 UTC

alpha stable

Comment 5 Agostino Sarubbo gentoo-dev

2015-07-23 09:01:51 UTC

ppc stable

Comment 6 Agostino Sarubbo gentoo-dev

2015-07-23 09:35:57 UTC

sparc stable

Comment 7 Mikle Kolyada (RETIRED) archtester

2015-07-31 10:27:24 UTC

ia64 stable

Comment 8 Yury German Gentoo Infrastructure

2015-08-10 14:44:39 UTC

Arches, Thank you for your work.

Security Please Vote
First GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Hanoo, was CVE ever assigned. I could not find it (http://seclists.org/oss-sec/2015/q2/817)

Comment 9 Hanno Böck gentoo-dev

2015-09-29 04:13:53 UTC

As I already wrote it's highly unclear if this has any security impact at all, and I think CVEers decided not to assign one.
Therefore I think no GLSA needed and we're done here.

Comment 10 Yury German Gentoo Infrastructure

2015-10-10 02:58:28 UTC

(In reply to Hanno Boeck from comment #9)
> Therefore I think no GLSA needed and we're done here.

As per Hanno who found the vulnerability, no GLSA.

Maintainer(s), please drop the vulnerable version(s).

Comment 11 Yury German Gentoo Infrastructure

2015-12-20 19:29:58 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 12 Yury German Gentoo Infrastructure

2016-04-26 07:38:25 UTC

Please clean up vulnerable packages:
=mail-mta/courier-{0.71,0.74.0,0.74.1,0.74.1-r1}

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2016-06-11 11:05:05 UTC

Please clean.

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2016-06-21 06:15:27 UTC

Please clean or let us know why the old packages need to stay.

Comment 15 Hanno Böck gentoo-dev

2016-06-21 14:10:02 UTC

I removed all vulnerable versions now.

Comment 16 Aaron Bauman (RETIRED) gentoo-dev

2016-06-22 03:40:17 UTC

(In reply to Hanno Boeck from comment #15)
> I removed all vulnerable versions now.

Thanks, Hanno!