17256 – cyrus-imapd new security issues CVE-2015-8077 and CVE-2015-8078

Bug 17256 - cyrus-imapd new security issues CVE-2015-8077 and CVE-2015-8078

Summary: cyrus-imapd new security issues CVE-2015-8077 and CVE-2015-8078

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/666133/
Whiteboard:	advisory MGA5-64-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-11-29 23:25 CET by David Walser
Modified:	2016-02-05 18:27 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	cyrus-imapd-2.4.18-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-11-29 23:25:31 CET

OpenSuSE has issued an advisory on November 27:
http://lists.opensuse.org/opensuse-updates/2015-11/msg00156.html

They added patches in this diff:
https://build.opensuse.org/package/rdiff/openSUSE:13.2:Update/cyrus-imapd?linkrev=base&rev=3

The CVE assignment also links upstream fixes:
http://openwall.com/lists/oss-security/2015/11/04/3

Reproducible: 

Steps to Reproduce:

David Walser 2015-11-30 18:57:34 CET

URL: (none) => http://lwn.net/Vulnerabilities/666133/

Comment 1 Thomas Spuhler 2015-12-08 19:22:41 CET

The descriptions sound a little confusing. I am going to wait what Fedora is going to do.

Status: NEW => ASSIGNED

Comment 2 David Walser 2015-12-08 19:39:17 CET

It's just two patches from upstream.  They were committed after the 2.4.18 release, which is why we missed them in the last update.

Comment 3 Thomas Spuhler 2015-12-21 21:30:03 CET

this bug has now been resolved by applying patch 2.3.18-potential-overflow from Fedora. Suse has 2 patches but they are confusing.
The following rpm's are now in mga5 updates_testing:
cyrus-imapd-2.4.18-1.1.mga5.src.rpm
cyrus-imapd-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-murder-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-nntp-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-devel-2.4.18-1.1.mga5.x86_64.rpm
perl-Cyrus-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-utils-2.4.18-1.1.mga5.x86_64.rpm
cyrus-imapd-debuginfo-2.4.18-1.1.mga5.x86_64.rpm
and corresponding i586 packages

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 4 David Walser 2015-12-21 22:10:48 CET

I don't see anything "confusing" about the patches OpenSuSE used, as they look exactly the same as the upstream commits to fix these issues.  The Fedora patch is completely different and addresses an unrelated issue.  Please add the correct patches.

CC: (none) => qa-bugs
Assignee: qa-bugs => thomas

Comment 5 David Walser 2016-01-12 20:06:06 CET

Patched packages uploaded for Mageia 5 and Cauldron (pending stuck build system).

Advisory:
========================

Updated cyrus-imapd packages fix security vulnerabilities:

Cyrus-imapd versions 2.4.18 and earlier are vulnerable to potential integer
and buffer overflows (CVE-2015-8077, CVE-2015-8078).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8078
http://lists.opensuse.org/opensuse-updates/2015-11/msg00156.html
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.4.18-1.2.mga5
cyrus-imapd-murder-2.4.18-1.2.mga5
cyrus-imapd-nntp-2.4.18-1.2.mga5
cyrus-imapd-devel-2.4.18-1.2.mga5
perl-Cyrus-2.4.18-1.2.mga5
cyrus-imapd-utils-2.4.18-1.2.mga5

from cyrus-imapd-2.4.18-1.2.mga5.src.rpm

CC: qa-bugs => (none)
Assignee: thomas => qa-bugs

Comment 6 Herman Viaene 2016-01-13 11:50:45 CET

MGA5-32 Xfce on Acer D620
No installation issues.
Tried test as per bug16823, got following at CLI:
# systemctl start cyrus-imapd.service
no feedback
# systemctl -l status cyrus-imapd.service
â cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; enabled)
   Active: active (running) since wo 2016-01-13 10:52:32 CET; 50min ago
  Process: 23580 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 23631 (cyrus-master)
   CGroup: /system.slice/cyrus-imapd.service
           ââ23631 /usr/lib/cyrus-imapd/cyrus-master
           ââ23645 idled
           ââ23647 imapd
           ââ23648 imapd -s
           ââ23649 pop3d
           ââ23650 pop3d -s
           ââ23651 lmtpd
           ââ23652 notifyd
           ââ23654 imapd
           ââ23655 pop3d
           ââ23656 imapd
           ââ23657 pop3d
           ââ23659 imapd
           ââ23661 imapd
           ââ32736 n/a

jan 13 11:43:15 mach6.hviaene.thuis ptloader[334]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[334]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 334 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[335]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[335]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 335 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[336]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[336]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 336 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[337]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[337]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 337 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[338]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[338]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 338 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[339]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[339]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 339 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[340]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[340]: PTS module afskrb not supported
jan 13 11:43:15 mach6.hviaene.thuis cyrus-master[23631]: service ptloader pid 340 in READY state: terminated abnormally
jan 13 11:43:15 mach6.hviaene.thuis ptloader[341]: starting: $Id: ptloader.c,v 1.50 2010/01/06 17:01:58 murch Exp $
jan 13 11:43:15 mach6.hviaene.thuis ptloader[341]: PTS module afskrb not supported

Tried to continue
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

* BAD Error in IMAP command received by server.

* BAD Error in IMAP command received by server.

* BYE Too many invalid IMAP commands.
Connection closed by foreign host.
On further reading bug16823, I got the impression this is somehow dependent on postfix, but this one is not installed here.
If the dependency is real, why is it not handled properly in the rpm???

CC: (none) => herman.viaene

Comment 7 David Walser 2016-01-13 16:02:43 CET

It's only dependent on postfix if you use it with postfix.  It can be used with any MTA (like sendmail for instance).

Dave Hodgins 2016-01-20 00:10:35 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 8 Lewis Smith 2016-02-02 21:37:27 CET

Testing M5 x64 (with PostFix already installed in the light of Comment 7; the implication is that *an* MTA needs to be installed beforehand).

Installed issued:
 cyrus-imapd-2.4.18-1.mga5
 cyrus-imapd-murder-2.4.18-1.mga5
 cyrus-imapd-nntp-2.4.18-1.mga5
 cyrus-imapd-utils-2.4.18-1.mga5
 perl-Cyrus-2.4.18-1.mga5
(plus telnet server & client for testing it). Running the given mini-test:
BEFORE update:
 # systemctl start cyrus-imapd.service
 # systemctl -l status cyrus-imapd.service
 â cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; enabled)
   Active: active (running) since Maw 2016-02-02 21:07:39 CET; 12s ago
  Process: 14529 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
 Main PID: 14579 (cyrus-master)
   CGroup: /system.slice/cyrus-imapd.service
           ââ14579 /usr/lib/cyrus-imapd/cyrus-master
 [etc as per Comment 6].
 # telnet localhost 143
 Trying 127.0.0.1...
 Connected to localhost.localdomain.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] localhost.localdomain Cyrus IMAP v2.4.18-Mageia-RPM-2.4.18-1.mga5 server ready
 ^]
 telnet> quit
 Connection closed.

AFTER smooth update to:
 cyrus-imapd-2.4.18-1.2.mga5
 cyrus-imapd-murder-2.4.18-1.2.mga5
 cyrus-imapd-nntp-2.4.18-1.2.mga5
 cyrus-imapd-utils-2.4.18-1.2.mga5
 perl-Cyrus-2.4.18-1.2.mga5
# systemctl stop cyrus-imapd.service
# systemctl start cyrus-imapd.service
then behaviour identical to previously. So this update deemed OK.

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Dave Hodgins 2016-02-05 03:54:55 CET

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2016-02-05 18:27:30 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0045.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.