[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: urlfetch range handling flaw in Cyrus IMAP
From:       Florian Weimer <fweimer () redhat ! com>
Date:       2015-09-30 9:07:28
Message-ID: 560BA650.9040901 () redhat ! com
[Download RAW message or body]

On 09/29/2015 01:01 PM, Martin Prpic wrote:
> Hi, was a CVE ID assigned for the following issue?
> 
> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]
> 
> Not many details seem to be available about this issue. Any pointers to
> a patch that fixes this would be greatly appreciated.

This looks like the relevant fix:

https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921

This patch seems to fix an information disclosure (out of bounds heap read).

The patch may be incomplete because n could become negative.  I'll ask
on the cyrus-devel list once my subscription request goes through.

This otherwise unrelated commits might be security-relevant as well:

https://cyrus.foundation/cyrus-imapd/commit/?id=d81a712401418cc0bd1daa49ded8e5bcc4b69f21
https://cyrus.foundation/cyrus-imapd/commit/?id=ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0
https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b

-- 
Florian Weimer / Red Hat Product Security
[prev in list] [next in list] [prev in thread] [next in thread]