From bugzilla@redhat.com Fri May 24 18:32:17 2002 From: bugzilla@redhat.com To: redhat-watch-list@redhat.com Cc: bugtraq@securityfocus.com, linux-security@redhat.com Date: Fri, 24 May 2002 15:00 -0400 Subject: [RHSA-2002:092-11] Buffer overflow in UW imap daemon [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] --------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Buffer overflow in UW imap daemon Advisory ID: RHSA-2002:092-11 Issue date: 2002-05-16 Updated on: 2002-05-22 Product: Red Hat Linux Keywords: UW imap buffer overflow wu-imap uw-imap Cross references: Obsoletes: RHBA-2001:120 CVE Names: CAN-2002-0379 --------------------------------------------------------------------- 1. Topic: The UW imap daemon contains a buffer overflow which allows a logged in, remote user to execute commands on the server with the user's UID/GID. 2. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, sparc Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64 3. Problem description: UW imapd is an IMAP daemon from the University of Washington. Version 2000c and previous versions have a bug that allows a malicious user to construct a malformed request which overflows an internal buffer, enabling that user to execute commands on the server with the user's UID/GID. To exploit this problem the user has to have successfully authenticated to the imapd service. Therefore, this vulnerability mainly affects free email providers or mail servers where the user has no shell access to the system. On other systems, in which the user already has shell access, users can already run commands under their own UIDs/GIDs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0379 to this issue. Users of imapd are advised to upgrade to these errata packages containing version 2001a of imapd. They are not vulnerable to this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- ec7794a80981a579ded00e27a416e9e2 6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm 98c89c190f6276474917b51112d43b60 6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm 62e846b2c6dbe71ecd64063a8ddef179 6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm 105073a5d5d9cca998c16c4784432612 6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm 18307141223c8214a996fc779fc4b30f 6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm c11e86178eac2def6c7f2680d72d4362 6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm 0e82318b401d12f641e74afaac29b26a 6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm c99646d934c056062269927d68c083cb 7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm c1a44a312e0ff6ddce84ab9fce8661ce 7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm 01240d7f239848f76671135932745480 7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm 6f775661a7cf3320fed6954bb6fc5319 7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm e3ee6086addf447fc7cdf257f0489d1a 7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm 924b63ae2c8029355a08b3001d59cbb5 7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm e3acdfb3224d30c75e9971655de7a4e1 7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm 9b2e89d31f7bcbb95c674972d64e8813 7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm dd5d21b6e461813bdeddc16a6b41b285 7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm 2d3140dfe10396bd20d04bd79b57f647 7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm 5649a1d3c1d8d950c5a0272ba65faec5 7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm 7232061442f47e063a193d8982d12f52 7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm ee249743bacd07adf36b355c78066f73 7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm d2d9a10cb6c8faed062da4f21d8fb7e5 7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm 21feec5a469ff71e706173199ffc3856 7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm 0247d2d090596fe2b892dd6768036d7c 7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm 456511a67ebda4e8a73af782388a97ab 7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379 Copyright(c) 2000, 2001, 2002 Red Hat, Inc.