FreshPorts - VuXML

The Cyrus IMAP Server ChangeLog states:

Fixed CERT VU#336053 - Potential buffer overflow in Sieve.

gt 2.2.0 lt 2.2.13_6

gt 2.3.0 lt 2.3.14_2

Due to a bug within the argument parser of the partial command an argument like "body[p" will be wrongly detected as "body.peek". Because of this the bufferposition gets increased by 10 instead of 5 and could therefore point outside the allocated memory buffer for the rest of the parsing process. In imapd versions prior to 2.2.7 the handling of "body" or "bodypeek" arguments was broken so that the terminating ']' got overwritten by a '\0'. Combined the two problems allow a potential attacker to overwrite a single byte of malloc() control structures, which leads to remote code execution if the attacker successfully controls the heap layout.

< 2.1.17

ge 2.2.* le 2.2.6

To support MULTIAPPENDS the cmd_append handler uses the global stage array. This array is one of the things that gets destructed when the fatal() function is triggered. When the Cyrus IMAP code adds new entries to this array this is done with the help of the postfix increment operator in combination with memory allocation functions. The increment is performed on a global variable counting the number of allocated stages. Because the memory allocation function can fail and therefore internally call fatal() this construct is undefined arcording to ANSI C. This means that it is not clearly defined if the numstage counter is already increased when fatal() is called or not. While older gcc versions increase the counter after the memory allocation function has returned, on newer gcc versions (3.x) the counter gets actually increased before. In such a case the stage destructing process will try to free an uninitialised and maybe attacker supplied pointer. Which again could lead to remote code execution. (Because it is hard for an attacker to let the memory allocation functions fail in the right moment no PoC code for this problem was designed)

ge 2.2.7 le 2.2.8

In December 2002, Timo Sirainen reported:

Cyrus IMAP server has a remotely exploitable pre-login buffer overflow. [...] Note that you don't have to log in before exploiting this, and since Cyrus runs everything under one UID, it's possible to read every user's mail in the system.

It is unknown whether this vulnerability is exploitable for code execution on FreeBSD systems.

< 2.0.17

ge 2.1 lt 2.1.11

When the option imapmagicplus is activated on a server the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This bug is especially dangerous because it can be triggered before any kind of authentification took place.

ge 2.2.4 le 2.2.8

The Cyrus IMAP Server ChangeLog states:

• Fix possible single byte overflow in mailbox handling code.
• Fix possible single byte overflows in the imapd annotate extension.
• Fix stack buffer overflows in fetchnews (exploitable by peer news server), backend (exploitable by admin), and in imapd (exploitable by users though only on platforms where a filename may be larger than a mailbox name).

The 2.1.X series are reportedly only affected by the second issue.

These issues may lead to execution of arbitrary code with the permissions of the user running the Cyrus IMAP Server.

< 2.1.18

gt 2.2.* lt 2.2.11

The argument parser of the fetch command suffers a bug very similiar to the partial command problem. Arguments like "body[p", "binary[p" or "binary[p" will be wrongly detected and the bufferposition can point outside of the allocated buffer for the rest of the parsing process. When the parser triggers the PARSE_PARTIAL macro after such a malformed argument was received this can lead to a similiar one byte memory corruption and allows remote code execution, when the heap layout was successfully controlled by the attacker.

< 2.1.17

ge 2.2.* le 2.2.8