Ubuntu released a security advisory for this hole, fixing cyrus21-imapd 2.1.16. I've merged the changes from their release into our 2.1.17 package, yielding the attached diff.
While this obviously fixes some holes, I am not sure if it fixes all the holes mentioned in the Secunia advisory here: http://secunia.com/advisories/14383 So I'm reluctant to NMU with this patch and close the bug. I think it would be safer if the maintainer upgraded the package to version 2.2.11. -- see shy jo
diff -ur old/cyrus21-imapd-2.1.17/debian/changelog cyrus21-imapd-2.1.17/debian/changelog
--- old/cyrus21-imapd-2.1.17/debian/changelog 2005-03-01 19:50:46.000000000 -0500
+++ cyrus21-imapd-2.1.17/debian/changelog 2005-03-01 19:50:24.000000000 -0500
@@ -1,3 +1,16 @@
+cyrus21-imapd (2.1.17-3.1) unstable; urgency=HIGH
+
+ * NMU
+ * SECURITY UPDATE: Fix buffer overflow (backported from release 2.1.18).
+ * imap/annotate.c, fetch_cb(): Fix size of lastname char[].
+ * imap/seen_local.c: Use safe string functions.
+ * References:
+ http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723
+ CAN-2005-0546
+ * Above changes sideported from Ubuntu. Closes: #296681
+
+ -- Joey Hess <[EMAIL PROTECTED]> Tue, 1 Mar 2005 19:37:10 -0500
+
 cyrus21-imapd (2.1.17-3) unstable; urgency=high
 * Add additional service table overflow check that was missing on the
diff -ur old/cyrus21-imapd-2.1.17/imap/annotate.c cyrus21-imapd-2.1.17/imap/annotate.c
--- old/cyrus21-imapd-2.1.17/imap/annotate.c 2005-03-01 19:50:46.000000000 -0500
+++ cyrus21-imapd-2.1.17/imap/annotate.c 2005-03-01 19:40:11.000000000 -0500
@@ -185,7 +185,7 @@
 static int fetch_cb(char *name, int matchlen, int maycreate, void* rock)
 {
 struct fetchdata *fdata = (struct fetchdata *) rock;
- static char lastname[MAX_MAILBOX_PATH];
+ static char lastname[MAX_MAILBOX_PATH+1];
 static int sawuser = 0;
 int c, r;
 char mboxname[MAX_MAILBOX_PATH+1];
diff -ur old/cyrus21-imapd-2.1.17/imap/seen_local.c cyrus21-imapd-2.1.17/imap/seen_local.c
--- old/cyrus21-imapd-2.1.17/imap/seen_local.c 2003-08-14 12:20:33.000000000 -0400
+++ cyrus21-imapd-2.1.17/imap/seen_local.c 2005-03-01 19:46:01.000000000 -0500
@@ -146,8 +146,8 @@
 unsigned long left;
 unsigned long length, namelen;
- strcpy(fnamebuf, seendb->mailbox->path);
- strcat(fnamebuf, FNAME_SEEN);
+ strlcpy(fnamebuf, seendb->mailbox->path, sizeof(fnamebuf));
+ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
 /* Lock the database */
 if (!seendb->mailbox->seen_lock_count) {
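Review bot: Enlarging `lastname` to `MAX_MAILBOX_PATH+1` in fetch_cb() only closes the overflow if the copy into it is bounded by the same size, and that write is not in this hunk (the function body continues past it). The new size matches `mboxname` a few lines below, which suggests the source name can be MAX_MAILBOX_PATH characters plus the terminator; confirm the copy site uses a bounded call with `sizeof(lastname)` rather than an unbounded strcpy(). A short comment on the declaration would record the intent: `/* +1 for the NUL; must hold any name that fits mboxname */`.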
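Review bot: The strlcpy()/strlcat() results are discarded, so an over-long `seendb->mailbox->path` is now silently truncated and the truncated name is used as the seen-file path; the same pattern repeats in the seen_local.c hunks at -280, -391, -413, -442, -568 and -723, several of which go on to `open(..., O_RDWR|O_TRUNC|O_CREAT, 0666)`. Truncation stops the overflow but can make the code create or truncate a file other than the intended one, so each site should treat truncation as a failure, e.g. `if (strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf)) >= sizeof(fnamebuf))` followed by the function's existing error return. strlcpy/strlcat are BSD functions rather than ISO C, and no include or fallback is visible in this patch, so confirm the 2.1.17 tree supplies them on every build target. The enclosing function starts and ends outside this hunk.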
@@ -280,10 +280,10 @@
 num_iov = 0;
 if (replace) {
- strcpy(fnamebuf, seendb->mailbox->path);
- strcat(fnamebuf, FNAME_SEEN);
- strcpy(newfnamebuf, fnamebuf);
- strcat(newfnamebuf, ".NEW");
+ strlcpy(fnamebuf, seendb->mailbox->path, sizeof(fnamebuf));
+ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
+ strlcpy(newfnamebuf, fnamebuf, sizeof(newfnamebuf));
+ strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf));
 writefd = open(newfnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
 if (writefd == -1) {
@@ -391,8 +391,8 @@
 char fnamebuf[MAX_MAILBOX_PATH+1];
 int fd;
- strcpy(fnamebuf, mailbox->path);
- strcat(fnamebuf, FNAME_SEEN);
+ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
+ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
 fd = open(fnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
 if (fd == -1) {
@@ -413,8 +413,8 @@
 int r;
 const char *lockfailaction;
- strcpy(fnamebuf, mailbox->path);
- strcat(fnamebuf, FNAME_SEEN);
+ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
+ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
 fd = open(fnamebuf, O_RDWR, 0666);
 if (fd == -1) {
@@ -442,10 +442,10 @@
 char oldfname[MAX_MAILBOX_PATH+1];
 char newfname[MAX_MAILBOX_PATH+1];
- strcpy(oldfname, oldmailbox->path);
- strcat(oldfname, FNAME_SEEN);
- strcpy(newfname, newmailbox->path);
- strcat(newfname, FNAME_SEEN);
+ strlcpy(oldfname, oldmailbox->path, sizeof(oldfname));
+ strlcat(oldfname, FNAME_SEEN, sizeof(oldfname));
+ strlcpy(newfname, newmailbox->path, sizeof(newfname));
+ strlcat(newfname, FNAME_SEEN, sizeof(newfname));
 return mailbox_copyfile(oldfname, newfname);
 }
@@ -568,8 +568,8 @@
 time(&now);
 nowplus1day = now + 24*60*60;
- strcpy(fnamebuf, mailbox->path);
- strcat(fnamebuf, FNAME_SEEN);
+ strlcpy(fnamebuf, mailbox->path, sizeof(fnamebuf));
+ strlcat(fnamebuf, FNAME_SEEN, sizeof(fnamebuf));
 fd = open(fnamebuf, O_RDWR, 0666);
 if (fd == -1) {
@@ -723,8 +723,8 @@
 r = 0;
 if (newiov_dirty) {
- strcpy(newfnamebuf, fnamebuf);
- strcat(newfnamebuf, ".NEW");
+ strlcpy(newfnamebuf, fnamebuf, sizeof(newfnamebuf));
+ strlcat(newfnamebuf, ".NEW", sizeof(newfnamebuf));
 writefd = open(newfnamebuf, O_RDWR|O_TRUNC|O_CREAT, 0666);
 if (writefd == -1) {