[Secure-testing-team] Bug#547947: CVE-2009-3235: CMU sieve buffer overflows
Giuseppe Iuculano
giuseppe at iuculano.it
Tue Sep 22 18:03:30 UTC 2009
Package: cyrus-imapd-2.2
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cyrus-imapd-2.2.
CVE-2009-3235[0]:
| Multiple stack-based buffer overflows in the Sieve plugin in Dovecot
| 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve,
| allow context-dependent attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted SIEVE script, as
| demonstrated by forwarding an e-mail message to a large number of
| recipients, a different vulnerability than CVE-2009-2632.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
http://security-tracker.debian.net/tracker/CVE-2009-3235
Patch: https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkq5EW4ACgkQNxpp46476arebACgh+bpQP8IA3eIpE7he2+zF1jS
wN8An1RVJ0YibCNe7VtIcG3sbje1xsEI
=nZP+
-----END PGP SIGNATURE-----
More information about the Secure-testing-team
mailing list