On Thu, 27 Jun 2013, Alexandre Rebert wrote:
> We found a crash in sieved contained in the cyrus-common-2.4 package. You
> are being contacted because you are listed as one of the maintainers of
> cyrus-common-2.4.

Thank you.

> We are planning to submit the bug to the Debian bug tracking system in two
> weeks. We wanted to give you a heads-up, so that you have some time to assess the
> seriousness of the bug before it is publicly disclosed.

sieved is an unprivileged network service. It uses fds 0, 1 and 2 for internal cyrus communication with the cyrus superserver. It looks like sending crap over one of these control channels can cause it to segfault.

This cannot happen in normal operation, as fds 0, 1 and 2 will be under control of cyrmaster, the cyrus superserver (works like inetd on steroids).

So, at first glance, it looks like the security impact should be minimal/nonexistent as there is no user-accessible or remote-accessible vector to cause the crash. It is obviously a bug to be fixed though, probably by submitting a patch upstream.

PS: I did not try to reproduce the crash, I just looked at the crash.sh script.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot

Henrique Holschuh

_______________________________________________
Pkg-Cyrus-imapd-Debian-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-imapd-debian-devel
