Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 94053 - net-mail/mailutils various vulnerabilities (format string, DoS, buffer overflow...)
Summary: net-mail/mailutils various vulnerabilities (format string, DoS, buffer overfl...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High blocker (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B0 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-26 02:51 UTC by Stefan Cornelius (RETIRED)
Modified: 2006-11-04 13:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Cornelius (RETIRED) gentoo-dev 2005-05-26 02:51:24 UTC
3 bugs in imap4d-server, 2 of them allow remote code execution.
1 bug in another tool, also allowing remote code execution.

GNU Mailutils 0.6 imap4d Format String Vulnerability
GNU Mailutils 0.6 imap4d FETCH Commad Resource Consumption DoS Vulnerability
GNU Mailutils 0.6 imap4d fetch_io Heap overflow Vulnerability
GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability

http://www.idefense.com/application/poi/display?id=246&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=247&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=248&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=249&type=vulnerabilities
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 05:01:02 UTC
net-mail: Please bump to 0.6.90 which fixes these issues.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 05:34:01 UTC
Looks like remote root to me in default config, so we are kinda in a hurry now.
ferdy is looking if the 0.6.90 is not too-much-of-an-alpha version.
Comment 3 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-26 09:34:51 UTC
Backported the patches to 0.6, commited as 0.6-r1. Had to drop ~alpha keyword

Cheers,
Ferdy
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 00:35:35 UTC
alpha: could you have a look on what it doesn't compile ?
Given the impact, we might release the GLSA today so if it can meet ~alpha in
the meantime, all the better...
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 00:45:03 UTC
Got the go-ahead from kloeri, this is ready for GLSA
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 04:48:10 UTC
Thanks everyone, GLSA 200505-20 is out
Comment 7 Jordi Mallach 2005-05-27 05:05:21 UTC
ferdy, I'm the Debian maintainer. Have a look at
http://svn.debian.org/wsvn/pkg-mailutils/trunk/debian/patches/04_imap4d_ulong_max.patch?op=file&rev=0&sc=0
for a patch for 64 bit architectures.

Basically, you'd have to add that to your backport (I'm assuming you dropped
alpha because it fails to run the testsuite successfully).

Contact me at jordi@debian.org if you need more.