CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot

Related Vulnerabilities: CVE-2009-3235   CVE-2009-2632  

Debian Bug report logs - #546656
CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot

Package: dovecot-common; Maintainer for dovecot-common is (unknown);

Reported by: Pascal Volk <user@localhost.localdomain.org>

Date: Mon, 14 Sep 2009 21:18:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions 1.0.rc15-2etch4, dovecot/1:1.0.15-2.3

Fixed in versions 1:1.2.1-1, dovecot/1.0.rc15-2etch5, dovecot/1:1.0.15-2.3+lenny1

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Mon, 14 Sep 2009 21:18:05 GMT).


Acknowledgement sent to Pascal Volk <user@localhost.localdomain.org>:
New Bug report received and forwarded. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Mon, 14 Sep 2009 21:18:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Pascal Volk <user@localhost.localdomain.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dovecot-common: Security holes in CMU Sieve plugin
Date: Mon, 14 Sep 2009 23:04:32 +0200
package: dovecot-common
version: 1:1.0.15-2.3
severity: important
tags: security upstream

The CMU Sieve plugin for Dovecot v1.0/v1.1 is based on the Cyrus Sieve
library. As described in DSA 1881-1¹ there was a vulnerability.

Timo Sirainen has announced² the availability of the bug fixed versions
v1.1.7 for Dovecot v1.1 and v1.0.4 for Dovecot v1.0.

This also affects dovecot-common 1.0.rc15-2etch4 in oldstable and
dovecot-common 1:1.0.15-2.3~bpo40+1 etch-backports.

This security hole does not exist in the new Sieve implementation, from
Stephan Bosch, for Dovecot's v1.2 series.


Regards,
Pascal
--
1 = http://www.debian.org/security/2009/dsa-1881
2 = http://dovecot.org/list/dovecot-news/2009-September/000135.html
-- 
Ubuntu is an ancient African word meaning “I can’t install Debian.”
                                                         -- unknown




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Mon, 21 Sep 2009 17:50:53 GMT).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Mon, 21 Sep 2009 17:50:54 GMT).


Message #10 received at 546656@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <546656@bugs.debian.org>
Subject: CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
Date: Mon, 21 Sep 2009 19:38:34 +0200
Package: dovecot
Version: 1.0.rc15-2etch4
Severity: normal


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dovecot.

CVE-2009-3235[0]:
| Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
| 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
| allow context-dependent attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted SIEVE script, as
| demonstrated by forwarding an e-mail message to a large number of
| recipients, a different vulnerability than CVE-2009-2632.


These are already fixed in debian unstable.
Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
    http://security-tracker.debian.net/tracker/CVE-2009-3235
    Patch: http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
           http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d





Changed Bug title to 'CVE-2009-3235: Multiple stack-based buffer overflows in the Sieve plugin in Dovecot' from 'dovecot-common: Security holes in CMU Sieve plugin' Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:34 GMT).


Severity set to 'grave' from 'important' Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:36 GMT).


Added tag(s) patch. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:41 GMT).


Bug Marked as fixed in versions 1:1.2.1-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 21 Sep 2009 17:54:46 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 06:57:02 GMT).


Message #21 received at 546656@bugs.debian.org:

From: Don Armstrong <don@debian.org>
To: 546656@bugs.debian.org
Subject: Trivial patch for this CVE
Date: Mon, 21 Sep 2009 23:46:36 -0700
Attached please find the trivial patch for this security fix.


Don Armstrong

-- 
Leukocyte... I am your father.
 -- R. Stevens http://www.dieselsweeties.com/archive.php?s=1546

http://www.donarmstrong.com              http://rzlab.ucr.edu
[nmu_for_546656.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 07:06:05 GMT).


Acknowledgement sent to Timo Sirainen <tss@iki.fi>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 07:06:05 GMT).


Message #26 received at 546656@bugs.debian.org:

From: Timo Sirainen <tss@iki.fi>
To: Don Armstrong <don@debian.org>, 546656@bugs.debian.org
Subject: Re: Bug#546656: Trivial patch for this CVE
Date: Tue, 22 Sep 2009 10:02:26 +0300
On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:

> Attached please find the trivial patch for this security fix.

snprintf, not sprintf:

-	  sprintf(errbuf, "flag '%s': not a valid relational operation", r);
+	  sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational  
operation", r);
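
Review bot: on the `+` line the call is still `sprintf`, so `sizeof(errbuf)` sits in the format-string position and the write into `errbuf` stays unbounded; the function name has to become `snprintf` for the size argument to take effect. Once it does, a long `r` is truncated to fit, so it is worth checking the return value against `sizeof(errbuf)` wherever a cut-off error message would matter. The visible lines do not show how `errbuf` is declared: `sizeof(errbuf)` is only the buffer length if it is an array at this call site and not a pointer, which should be confirmed in the full patch.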





Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 14:36:06 GMT).


Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 14:36:08 GMT).


Message #31 received at 546656@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: Timo Sirainen <tss@iki.fi>
Cc: 546656@bugs.debian.org
Subject: Re: Bug#546656: Trivial patch for this CVE
Date: Tue, 22 Sep 2009 07:29:09 -0700
On Tue, 22 Sep 2009, Timo Sirainen wrote:
> On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:
> 
> >Attached please find the trivial patch for this security fix.
> 
> snprintf, not sprintf:
> 
> -	  sprintf(errbuf, "flag '%s': not a valid relational operation", r);
> +	  sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid
> relational operation", r);
> 

Eek. Yes, right. I'll attach a corrected patch once I rebuild
everything again. (Or DSA can continue on with this trivial fix).


Don Armstrong

-- 
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence."
 -- Jeremy S. Anderson

http://www.donarmstrong.com              http://rzlab.ucr.edu




Information forwarded to debian-bugs-dist@lists.debian.org, Dovecot Maintainers <jaldhar-dovecot@debian.org>:
Bug#546656; Package dovecot-common. (Tue, 22 Sep 2009 19:48:06 GMT).


Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <jaldhar-dovecot@debian.org>. (Tue, 22 Sep 2009 19:48:06 GMT).


Message #36 received at 546656@bugs.debian.org:

From: Don Armstrong <don@donarmstrong.com>
To: Timo Sirainen <tss@iki.fi>, 546656@bugs.debian.org
Subject: Re: Bug#546656: Trivial patch for this CVE
Date: Tue, 22 Sep 2009 12:05:19 -0700
On Tue, 22 Sep 2009, Don Armstrong wrote:
> On Tue, 22 Sep 2009, Timo Sirainen wrote:
> > On Sep 22, 2009, at 9:46 AM, Don Armstrong wrote:
> > 
> > >Attached please find the trivial patch for this security fix.
> > 
> > snprintf, not sprintf:
> > 
> > -	  sprintf(errbuf, "flag '%s': not a valid relational operation", r);
> > +	  sprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid
> > relational operation", r);
> > 
> 
> Eek. Yes, right. I'll attach a corrected patch once I rebuild
> everything again. (Or DSA can continue on with this trivial fix).

Please find attached patches for etch and lenny which should resolve
this issue.


Don Armstrong

-- 
The beauty of the DRUNKENNESS subprogram was that you could move your
intoxication level up and down at will, instead of being caught on a
relentless down escalator to bargain basement philosophy and the
parking garage.
 -- Rudy von Bitter _Software_ p124

http://www.donarmstrong.com              http://rzlab.ucr.edu
[etch_nmu_for_546656.diff (text/x-diff, attachment)]
[nmu_for_546656.diff (text/x-diff, attachment)]
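
The bounded call asked for in the thread above, worked through as an added example (not code from Dovecot, Cyrus libsieve or the attached patches): it formats the same message with `snprintf`, reports truncation to the caller and marks the cut in the text. The function names, the `ERRBUF_SIZE` value and the oversized input are assumptions constructed for illustration; the page does not show how `errbuf` is declared.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size: the page does not state how large errbuf is. */
#define ERRBUF_SIZE 100

/*
 * Bounded form of the call quoted in the thread.
 * Returns 0 if the whole message fit, 1 if it was truncated,
 * -1 on bad arguments or a formatting error.
 * errbuf is always NUL-terminated when size > 0.
 */
static int format_relation_error(char *errbuf, size_t size, const char *r)
{
    int n;

    if (errbuf == NULL || size == 0)
        return -1;
    errbuf[0] = '\0';
    if (r == NULL)
        return -1;

    n = snprintf(errbuf, size,
                 "flag '%s': not a valid relational operation", r);
    if (n < 0) {
        errbuf[0] = '\0';
        return -1;
    }
    if ((size_t)n < size)
        return 0;               /* complete message, nothing lost */

    /* snprintf wanted n bytes but wrote only size - 1: make the cut visible. */
    if (size > 3)
        memcpy(errbuf + size - 4, "...", 4);
    return 1;
}

/* Constructed input: an operator string far longer than the buffer. */
static int demo_oversized(char *out, size_t size)
{
    char r[512];

    memset(r, 'A', sizeof(r) - 1);
    r[sizeof(r) - 1] = '\0';
    return format_relation_error(out, size, r);
}

int main(void)
{
    char errbuf[ERRBUF_SIZE];
    int rc;

    rc = format_relation_error(errbuf, sizeof(errbuf), "gt");
    printf("rc=%d msg=%s\n", rc, errbuf);

    rc = demo_oversized(errbuf, sizeof(errbuf));
    printf("rc=%d len=%zu\n", rc, strlen(errbuf));
    return 0;
}
```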

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Mon, 05 Oct 2009 02:03:08 GMT).


Notification sent to Pascal Volk <user@localhost.localdomain.org>:
Bug acknowledged by developer. (Mon, 05 Oct 2009 02:03:08 GMT).


Message #41 received at 546656-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 546656-close@bugs.debian.org
Subject: Bug#546656: fixed in dovecot 1.0.rc15-2etch5
Date: Mon, 05 Oct 2009 01:54:48 +0000
Source: dovecot
Source-Version: 1.0.rc15-2etch5

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.0.rc15-2etch5_i386.deb
  to pool/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
dovecot-imapd_1.0.rc15-2etch5_i386.deb
  to pool/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
dovecot-pop3d_1.0.rc15-2etch5_i386.deb
  to pool/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
dovecot_1.0.rc15-2etch5.diff.gz
  to pool/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
dovecot_1.0.rc15-2etch5.dsc
  to pool/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 23 Sep 2009 09:46:40 +0200
Source: dovecot
Binary: dovecot-common dovecot-pop3d dovecot-imapd
Architecture: source i386
Version: 1.0.rc15-2etch5
Distribution: oldstable-security
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 546656
Changes: 
 dovecot (1.0.rc15-2etch5) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix for buffer overflow in SIEVE filtering allowing for privilege
     escalation (closes: #546656). Thanks to Don Armstrong.





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Wed, 07 Oct 2009 08:51:07 GMT).


Notification sent to Pascal Volk <user@localhost.localdomain.org>:
Bug acknowledged by developer. (Wed, 07 Oct 2009 08:51:08 GMT).


Message #46 received at 546656-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 546656-close@bugs.debian.org
Subject: Bug#546656: fixed in dovecot 1:1.0.15-2.3+lenny1
Date: Wed, 07 Oct 2009 07:58:20 +0000
Source: dovecot
Source-Version: 1:1.0.15-2.3+lenny1

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
dovecot-dev_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
  to pool/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
dovecot_1.0.15-2.3+lenny1.diff.gz
  to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
dovecot_1.0.15-2.3+lenny1.dsc
  to pool/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546656@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 23 Sep 2009 10:10:46 +0200
Source: dovecot
Binary: dovecot-common dovecot-dev dovecot-imapd dovecot-pop3d
Architecture: source i386
Version: 1:1.0.15-2.3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Dovecot Maintainers <jaldhar-dovecot@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-dev - header files for the dovecot mail server
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 546656
Changes: 
 dovecot (1:1.0.15-2.3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix for buffer overflow in SIEVE filtering allowing for privilege
     escalation (closes: #546656). Thanks to Don Armstrong.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:37:20 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:41 2019; Machine Name: buxtehude
