Hi, Debian Bug Tracking System ha scritto: > This is an automatic notification regarding your Bug report > which was filed against the cyrus-imapd-2.2 package: > > #547947: CVE-2009-3235: CMU sieve buffer overflows > > It has been closed by Henrique de Moraes Holschuh <h...@debian.org>.
The upstream patch is incomplete: in sieve/bc_eval.c, after increasing the size of scount, it is better to also use snprintf to avoid buffer overruns. Attached is the debdiff I used for stable-security. Cheers, Giuseppe.
diff -u cyrus-imapd-2.2-2.2.13/debian/changelog cyrus-imapd-2.2-2.2.13/debian/changelog --- cyrus-imapd-2.2-2.2.13/debian/changelog +++ cyrus-imapd-2.2-2.2.13/debian/changelog @@ -1,3 +1,17 @@ +cyrus-imapd-2.2 (2.2.13-14+lenny3) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * sieve/bc_eval.c: Use snprintf to avoid buffer overruns + + -- Giuseppe Iuculano <giuse...@iuculano.it> Wed, 23 Sep 2009 11:52:40 +0200 + +cyrus-imapd-2.2 (2.2.13-14+lenny2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix buffer overflow in SIEVE implementation (CVE-2009-3235) + + -- Giuseppe Iuculano <giuse...@iuculano.it> Tue, 22 Sep 2009 21:11:26 +0200 + cyrus-imapd-2.2 (2.2.13-14+lenny1) stable-security; urgency=high * Non-maintainer upload by the Security Team. diff -u cyrus-imapd-2.2-2.2.13/debian/patches/0024-upstream-fix-sieve.dpatch cyrus-imapd-2.2-2.2.13/debian/patches/0024-upstream-fix-sieve.dpatch --- cyrus-imapd-2.2-2.2.13/debian/patches/0024-upstream-fix-sieve.dpatch +++ cyrus-imapd-2.2-2.2.13/debian/patches/0024-upstream-fix-sieve.dpatch 
@@ -5,10 +5,61 @@ ## DP: fix sieve buffer overlow @DPATCH@ +diff -urNad cyrus-imapd-2.2-2.2.13~/sieve/bc_eval.c cyrus-imapd-2.2-2.2.13/sieve/bc_eval.c +--- cyrus-imapd-2.2-2.2.13~/sieve/bc_eval.c 2009-09-23 11:24:57.000000000 +0200 ++++ cyrus-imapd-2.2-2.2.13/sieve/bc_eval.c 2009-09-23 11:25:47.000000000 +0200 +@@ -440,7 +440,7 @@ + int comparator=ntohl(bc[i+3].value); + int apart=ntohl(bc[i+4].value); + int count=0; +- char scount[3]; ++ char scount[21]; + int isReg = (match==B_REGEX); + int ctag = 0; + regex_t *reg; +@@ -574,7 +574,7 @@ + + if (match == B_COUNT) + { +- sprintf(scount, "%u", count); ++ snprintf(scount, sizeof(scount), "%u", count); + /* search through all the data */ + currd=datai+2; + for (z=0; z<numdata && !res; z++) +@@ -608,7 +608,7 @@ + int relation=ntohl(bc[i+2].value); + int comparator=ntohl(bc[i+3].value); + int count=0; +- char scount[3]; ++ char scount[21]; + int isReg = (match==B_REGEX); + int ctag = 0; + regex_t *reg; +@@ -689,7 +689,7 @@ + + if (match == B_COUNT ) + { +- sprintf(scount, "%u", count); ++ snprintf(scount, sizeof(scount), "%u", count); + /*search through all the data*/ + currd=datai+2; + for (z=0; z<numdata && !res; z++) diff -urNad cyrus-imapd-2.2-2.2.13~/sieve/script.c cyrus-imapd-2.2-2.2.13/sieve/script.c ---- cyrus-imapd-2.2-2.2.13~/sieve/script.c 2009-09-06 20:54:08.000000000 +0000 -+++ cyrus-imapd-2.2-2.2.13/sieve/script.c 2009-09-06 20:55:01.000000000 +0000 -@@ -546,7 +546,7 @@ +--- cyrus-imapd-2.2-2.2.13~/sieve/script.c 2009-09-23 11:25:05.000000000 +0200 ++++ cyrus-imapd-2.2-2.2.13/sieve/script.c 2009-09-23 11:25:05.000000000 +0200 +@@ -531,9 +531,9 @@ + if ((ret != SIEVE_OK) && interp->err) { + char buf[1024]; + if (lastaction == -1) /* we never executed an action */ +- sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret)); ++ snprintf(buf, sizeof(buf), "%s", errmsg ? 
errmsg : sieve_errstr(ret)); + else +- sprintf(buf, "%s: %s", action_to_string(lastaction), ++ snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction), + errmsg ? errmsg : sieve_errstr(ret)); + + ret |= interp->execute_err(buf, interp->interp_context, +@@ -551,7 +551,7 @@ ret |= keep_ret; if (keep_ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -17,7 +68,7 @@ "Kept\n"); else { implicit_keep = 0; /* don't try an implicit keep again */ -@@ -599,7 +599,7 @@ +@@ -604,7 +604,7 @@ if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -26,7 +77,7 @@ "Rejected with: %s\n", a->u.rej.msg); break; -@@ -615,7 +615,7 @@ +@@ -620,7 +620,7 @@ if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -35,7 +86,7 @@ "Filed into: %s\n",a->u.fil.mailbox); break; case ACTION_KEEP: -@@ -629,7 +629,7 @@ +@@ -634,7 +634,7 @@ &errmsg); if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -44,7 +95,7 @@ "Kept\n"); break; case ACTION_REDIRECT: -@@ -643,7 +643,7 @@ +@@ -648,7 +648,7 @@ &errmsg); if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -53,7 +104,7 @@ "Redirected to %s\n", a->u.red.addr); break; case ACTION_DISCARD: -@@ -655,7 +655,7 @@ +@@ -660,7 +660,7 @@ &errmsg); if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), @@ -62,7 +113,7 @@ "Discarded\n"); break; -@@ -689,12 +689,12 @@ +@@ -694,12 +694,12 @@ if (ret == SIEVE_OK) snprintf(actions_string+strlen(actions_string), 
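Review bot: In the bc_eval.c part of this dpatch, `count` is declared `int count=0;` but both rewritten calls still format it with `%u`, so the conversion specifier does not match the argument type. Either `snprintf(scount, sizeof(scount), "%d", count);` or an explicit `(unsigned)count` cast would make the two agree. The new `char scount[21]` is a bare magic number; a comment such as `/* room for a 64-bit decimal value plus NUL */` would record why 21 was chosen, if that is the reasoning. The same two changes appear in both places where `scount` is declared and filled (around lines 440/574 and 608/689 of bc_eval.c), and the enclosing functions begin and end outside the visible hunks.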
@@ -79,0 +131,12 @@ +diff -urNad cyrus-imapd-2.2-2.2.13~/sieve/sieve.y cyrus-imapd-2.2-2.2.13/sieve/sieve.y +--- cyrus-imapd-2.2-2.2.13~/sieve/sieve.y 2009-09-23 11:24:57.000000000 +0200 ++++ cyrus-imapd-2.2-2.2.13/sieve/sieve.y 2009-09-23 11:25:05.000000000 +0200 +@@ -923,7 +923,7 @@ + else if (!strcmp(r, "ne")) {return NE;} + else if (!strcmp(r, "eq")) {return EQ;} + else{ +- sprintf(errbuf, "flag '%s': not a valid relational operation", r); ++ snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r); + yyerror(errbuf); + return -1; + }
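Review bot: `sizeof(errbuf)` in the sieve.y change is the buffer's capacity only if `errbuf` is declared as a char array visible at this point. Its declaration is outside the hunk; if it is a `char *` (a parameter or a heap pointer), the bound becomes the pointer size and the message is cut to a few bytes. It is worth confirming the declaration and, if it is a pointer, passing the real capacity instead. `r` appears to come from the script being parsed, so a long value will now be silently truncated in the error text, which is acceptable for a parse diagnostic. The enclosing function begins and ends outside the hunk.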