[UCI-Linux] bugzilla@redhat.com: [RHSA-2002:092-11] Buffer overflow in UW imap daemon

Mike IGLESIAS IGLESIAS@uci.edu
Fri, 24 May 2002 16:44:11 -0700


------- Forwarded Message

Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
	by draco.acs.uci.edu (8.11.6/8.11.6) with ESMTP id g4OM0w622440
	for <iglesias@draco.acs.uci.edu>; Fri, 24 May 2002 15:00:58 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id 57986A3339; Fri, 24 May 2002 15:57:46 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 21422 invoked from network); 24 May 2002 18:56:55 -0000
Message-Id: <200205241900.g4OJ03X24647@porkchop.devel.redhat.com>
Mime-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Subject: [RHSA-2002:092-11] Buffer overflow in UW imap daemon
From: bugzilla@redhat.com
Date: Fri, 24 May 2002 15:00 -0400
To: redhat-watch-list@redhat.com
Cc: bugtraq@securityfocus.com, linux-security@redhat.com
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by draco.acs.uci.edu id g4OM0w622440

- ---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Buffer overflow in UW imap daemon
Advisory ID:       RHSA-2002:092-11
Issue date:        2002-05-16
Updated on:        2002-05-22
Product:           Red Hat Linux
Keywords:          UW imap buffer overflow wu-imap uw-imap
Cross references:  
Obsoletes:         RHBA-2001:120
CVE Names:         CAN-2002-0379
- ---------------------------------------------------------------------

1. Topic:

The UW imap daemon contains a buffer overflow which allows a 
logged in, remote user to execute commands on the server 
with the user's UID/GID.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64

3. Problem description:

UW imapd is an IMAP daemon from the University of Washington.  Version
2000c and previous versions have a bug that allows a malicious user to
construct a malformed request which overflows an internal buffer, enabling
that user to execute commands on the server with the user's UID/GID. 

To exploit this problem the user has to have successfully authenticated to
the imapd service.  Therefore, this vulnerability mainly affects free email
providers or mail servers where the user has no shell access to the system.
On other systems, in which the user already has shell access, users can
already run commands under their own UIDs/GIDs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0379 to this issue.

Users of imapd are advised to upgrade to these errata packages containing
version 2001a of imapd. They are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm



7. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
ec7794a80981a579ded00e27a416e9e2 6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm
98c89c190f6276474917b51112d43b60 6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
62e846b2c6dbe71ecd64063a8ddef179 6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm
105073a5d5d9cca998c16c4784432612 6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
18307141223c8214a996fc779fc4b30f 6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm
c11e86178eac2def6c7f2680d72d4362 6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
0e82318b401d12f641e74afaac29b26a 6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm
c99646d934c056062269927d68c083cb 7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm
c1a44a312e0ff6ddce84ab9fce8661ce 7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
01240d7f239848f76671135932745480 7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm
6f775661a7cf3320fed6954bb6fc5319 7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
e3ee6086addf447fc7cdf257f0489d1a 7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm
924b63ae2c8029355a08b3001d59cbb5 7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm
e3acdfb3224d30c75e9971655de7a4e1 7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
9b2e89d31f7bcbb95c674972d64e8813 7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm
dd5d21b6e461813bdeddc16a6b41b285 7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
2d3140dfe10396bd20d04bd79b57f647 7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm
5649a1d3c1d8d950c5a0272ba65faec5 7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
7232061442f47e063a193d8982d12f52 7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm
ee249743bacd07adf36b355c78066f73 7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm
d2d9a10cb6c8faed062da4f21d8fb7e5 7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
21feec5a469ff71e706173199ffc3856 7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm
0247d2d090596fe2b892dd6768036d7c 7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
456511a67ebda4e8a73af782388a97ab 7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm
 

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379



Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

------- End of Forwarded Message