Debian Bug report logs - #546656
CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
Reported by: Pascal Volk <user@localhost.localdomain.org>
Date: Mon, 14 Sep 2009 21:18:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions 1.0.rc15-2etch4, dovecot/1:1.0.15-2.3
Fixed in versions 1:1.2.1-1, dovecot/1.0.rc15-2etch5, dovecot/1:1.0.15-2.3+lenny1
Done: Giuseppe Iuculano <giuseppe@iuculano.it>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Mon, 14 Sep 2009 21:18:05 GMT)
Acknowledgement sent to Pascal Volk <user@localhost.localdomain.org>: New Bug report received and forwarded. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Mon, 14 Sep 2009 21:18:05 GMT)
Message #5 received at submit@bugs.debian.org:
package: dovecot-common
version: 1:1.0.15-2.3
severity: important
tags: security upstream
The CMU Sieve plugin for Dovecot v1.0/v1.1 is based on the Cyrus Sieve
library. As described in DSA 1881-1¹ there was a vulnerability.
Timo Sirainen has announced² the availability of the bug fixed versions
v1.1.7 for Dovecot v1.1 and v1.0.4 for Dovecot v1.0.
This affects also dovecot-common 1.0.rc15-2etch4 in oldstable and
dovecot-common 1:1.0.15-2.3~bpo40+1 etch-backports.
This security hole does not exist in new Sieve implementation, from
Stephan Bosch, for Dovecot's v1.2 series.
Regards,
Pascal
--
1 = http://www.debian.org/security/2009/dsa-1881
2 = http://dovecot.org/list/dovecot-news/2009-September/000135.html
--
Ubuntu is an ancient African word meaning “I can’t install Debian.”
-- unknown
Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Mon, 21 Sep 2009 17:50:53 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Mon, 21 Sep 2009 17:50:54 GMT)
Message #10 received at 546656@bugs.debian.org:
Package: dovecot
Version: 1.0.rc15-2etch4
Severity: normal
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dovecot.
CVE-2009-3235[0]:
| Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
| 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
| allow context-dependent attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted SIEVE script, as
| demonstrated by forwarding an e-mail message to a large number of
| recipients, a different vulnerability than CVE-2009-2632.
These are already fixed in debian unstable.
Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
http://security-tracker.debian.net/tracker/CVE-2009-3235
Patch: http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d
Changed Bug title to 'CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot' from 'dovecot-common: Security holes in CMU Sieve plugin'. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:34 GMT)
Severity set to 'grave' from 'important'. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:36 GMT)
Added tag(s) patch. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:41 GMT)
Bug Marked as fixed in versions 1:1.2.1-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:46 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 06:57:02 GMT)
Message #21 received at 546656@bugs.debian.org:
Attached please find the trivial patch for this security fix.
Don Armstrong
--
Leukocyte... I am your father.
-- R. Stevens http://www.dieselsweeties.com/archive.php?s=1546
http://www.donarmstrong.com http://rzlab.ucr.edu
[nmu_for_546656.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 07:06:05 GMT)
Acknowledgement sent to Timo Sirainen <tss@iki.fi>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 07:06:05 GMT)
Message #26 received at 546656@bugs.debian.org:
On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:
> Attached please find the trivial patch for this security fix.
snprintf, not sprintf:
- sprintf(errbuf, "flag '%s': not a valid relational operation", r);
+ sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational
operation", r);
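Review bot: the `+` line still calls `sprintf` while passing `sizeof(errbuf)` as its second argument. `sprintf` expects the format string in that position, so the size is never applied as a bound and the call no longer matches the function's prototype; the line should read `snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r);`. It is also worth confirming that `errbuf` is an array at this call site, because `sizeof` applied to a pointer yields the pointer size rather than the buffer length.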
Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 14:36:06 GMT)
Acknowledgement sent to Don Armstrong <don@donarmstrong.com>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 14:36:08 GMT)
Message #31 received at 546656@bugs.debian.org:
On Tue, 22 Sep 2009, Timo Sirainen wrote:
> On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:
>
> >Attached please find the trivial patch for this security fix.
>
> snprintf, not sprintf:
>
> - sprintf(errbuf, "flag '%s': not a valid relational operation", r);
> + sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid
> relational operation", r);
>
Eek. Yes, right. I'll attach a corrected patch once I rebuild
everything again. (Or DSA can continue on with this trivial fix).
Don Armstrong
--
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence."
-- Jeremy S. Anderson
http://www.donarmstrong.com http://rzlab.ucr.edu
Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>: Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 19:48:06 GMT)
Acknowledgement sent to Don Armstrong <don@donarmstrong.com>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 19:48:06 GMT)
Message #36 received at 546656@bugs.debian.org:
On Tue, 22 Sep 2009, Don Armstrong wrote:
> On Tue, 22 Sep 2009, Timo Sirainen wrote:
> > On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:
> >
> > >Attached please find the trivial patch for this security fix.
> >
> > snprintf, not sprintf:
> >
> > - sprintf(errbuf, "flag '%s': not a valid relational operation", r);
> > + sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid
> > relational operation", r);
> >
>
> Eek. Yes, right. I'll attach a corrected patch once I rebuild
> everything again. (Or DSA can continue on with this trivial fix).
Please find attached patches for etch and lenny which should resolve
this issue.
Don Armstrong
--
The beauty of the DRUNKENNESS subprogram was that you could move your
intoxication level up and down at will, instead of being caught on a
relentless down escalator to bargain basement philosophy and the
parking garage.
-- Rudy von Bitter _Software_ p124
http://www.donarmstrong.com http://rzlab.ucr.edu
[etch_nmu_for_546656.diff (text/x-diff, attachment)]
[nmu_for_546656.diff (text/x-diff, attachment)]
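The bounded-formatting fix discussed in this thread, as an added example that is not part of the bug log or of the Debian or Dovecot patches: `errbuf`, `r` and the message text come from the quoted hunk, while `ERRBUF_SIZE`, `format_relop_error` and `demo_long_operand` are hypothetical names and the buffer size is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 100 /* assumed; the thread does not show errbuf's declaration */

/* Pre-fix pattern quoted in the thread, kept as a comment only:
 *   sprintf(errbuf, "flag '%s': not a valid relational operation", r);
 * Nothing limits how many bytes of r are copied into errbuf. */

/* Bounded version. The size is passed explicitly because sizeof(errbuf)
 * is only the buffer length while errbuf is an array in scope; on a
 * pointer parameter it would be the pointer size.
 * Returns 0 if the message fit, 1 if truncated, -1 on error. */
int format_relop_error(char *errbuf, size_t size, const char *r)
{
    if (errbuf == NULL || size == 0 || r == NULL)
        return -1;
    int n = snprintf(errbuf, size,
                     "flag '%s': not a valid relational operation", r);
    if (n < 0) {
        errbuf[0] = '\0';
        return -1;
    }
    /* snprintf returns the untruncated length, so n >= size means the
     * output was cut to size - 1 characters plus the terminating NUL. */
    return (size_t)n >= size ? 1 : 0;
}

/* Constructed input: a 511-byte operand formatted into a buffer that is
 * followed by a canary, to confirm nothing past errbuf is written. */
int demo_long_operand(void)
{
    struct { char errbuf[ERRBUF_SIZE]; unsigned char canary[8]; } g;
    char r[512];
    memset(g.canary, 0xA5, sizeof g.canary);
    memset(r, 'A', sizeof r - 1);
    r[sizeof r - 1] = '\0';
    int rc = format_relop_error(g.errbuf, sizeof g.errbuf, r);
    for (size_t i = 0; i < sizeof g.canary; i++)
        if (g.canary[i] != 0xA5)
            return -2;                      /* a write reached the canary */
    if (strlen(g.errbuf) != sizeof g.errbuf - 1)
        return -3;                          /* not cut at size - 1 */
    return rc;
}

int main(void)
{
    char errbuf[ERRBUF_SIZE];
    int rc = format_relop_error(errbuf, sizeof errbuf, "gt");
    printf("short operand: rc=%d msg=\"%s\"\n", rc, errbuf);
    printf("long operand:  rc=%d (1 = truncated)\n", demo_long_operand());
    return 0;
}
```

A caller that treats a return value of 1 as an error can reject over-long operands instead of reporting a silently shortened message.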
Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>: You have taken responsibility. (Mon, 05 Oct 2009 02:03:08 GMT)
Notification sent to Pascal Volk <user@localhost.localdomain.org>: Bug acknowledged by developer. (Mon, 05 Oct 2009 02:03:08 GMT)
Message #41 received at 546656-close@bugs.debian.org:
Source: dovecot
Source-Version: 1.0.rc15-2etch5
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:
dovecot-common_1.0.rc15-2etch5_i386.deb
to pool/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
dovecot-imapd_1.0.rc15-2etch5_i386.deb
to pool/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
dovecot-pop3d_1.0.rc15-2etch5_i386.deb
to pool/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
dovecot_1.0.rc15-2etch5.diff.gz
to pool/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
dovecot_1.0.rc15-2etch5.dsc
to pool/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 23 Sep 2009 09:46:40 +0200
Source: dovecot
Binary: dovecot-common dovecot-pop3d dovecot-imapd
Architecture: source i386
Version: 1.0.rc15-2etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description:
dovecot-common - secure mail server that supports mbox and maildir mailboxes
dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 546656
Changes:
dovecot (1.0.rc15-2etch5) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix for buffer overflow in SIEVE filtering allowing for privilege
escalation (closes: #546656). Thanks to Don Armstrong.
Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>: You have taken responsibility. (Wed, 07 Oct 2009 08:51:07 GMT)
Notification sent to Pascal Volk <user@localhost.localdomain.org>: Bug acknowledged by developer. (Wed, 07 Oct 2009 08:51:08 GMT)
Message #46 received at 546656-close@bugs.debian.org:
Source: dovecot
Source-Version: 1:1.0.15-2.3+lenny1
We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:
dovecot-common_1.0.15-2.3+lenny1_i386.deb
to pool/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
dovecot-dev_1.0.15-2.3+lenny1_i386.deb
to pool/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
to pool/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
to pool/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
dovecot_1.0.15-2.3+lenny1.diff.gz
to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
dovecot_1.0.15-2.3+lenny1.dsc
to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated dovecot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 23 Sep 2009 10:10:46 +0200
Source: dovecot
Binary: dovecot-common dovecot-dev dovecot-imapd dovecot-pop3d
Architecture: source i386
Version: 1:1.0.15-2.3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description:
dovecot-common - secure mail server that supports mbox and maildir mailboxes
dovecot-dev - header files for the dovecot mail server
dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 546656
Changes:
dovecot (1:1.0.15-2.3+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix for buffer overflow in SIEVE filtering allowing for privilege
escalation (closes: #546656). Thanks to Don Armstrong.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:37:20 GMT)
Last modified: Wed Jun 19 13:57:41 2019