3 bugs in imap4d-server, 2 of them allow remote code execution. 1 bug in another tool, also allowing remote code execution. GNU Mailutils 0.6 imap4d Format String Vulnerability GNU Mailutils 0.6 imap4d FETCH Commad Resource Consumption DoS Vulnerability GNU Mailutils 0.6 imap4d fetch_io Heap overflow Vulnerability GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability http://www.idefense.com/application/poi/display?id=246&type=vulnerabilities http://www.idefense.com/application/poi/display?id=247&type=vulnerabilities http://www.idefense.com/application/poi/display?id=248&type=vulnerabilities http://www.idefense.com/application/poi/display?id=249&type=vulnerabilities
net-mail: Please bump to 0.6.90 which fixes these issues.
Looks like remote root to me in default config, so we are kinda in a hurry now. ferdy is looking if the 0.6.90 is not too-much-of-an-alpha version.
Backported the patches to 0.6, commited as 0.6-r1. Had to drop ~alpha keyword Cheers, Ferdy
alpha: could you have a look on what it doesn't compile ? Given the impact, we might release the GLSA today so if it can meet ~alpha in the meantime, all the better...
Got the go-ahead from kloeri, this is ready for GLSA
Thanks everyone, GLSA 200505-20 is out
ferdy, I'm the Debian maintainer. Have a look at http://svn.debian.org/wsvn/pkg-mailutils/trunk/debian/patches/04_imap4d_ulong_max.patch?op=file&rev=0&sc=0 for a patch for 64 bit architectures. Basically, you'd have to add that to your backport (I'm assuming you dropped alpha because it fails to run the testsuite successfully). Contact me at jordi@debian.org if you need more.