Date: Wed, 4 Nov 2015 11:06:56 -0500 (EST)
From: cve-assign@...re.org
To: mprpic@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: urlfetch range handling flaw in Cyrus IMAP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> "Security fix: handle urlfetch range starting outside message range"
> [https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html]

This was a somewhat complex situation for CVE assignment. The
http://www.openwall.com/lists/oss-security/2015/09/30/3 post identified
one commit associated with an upstream security-fix release, but it was
later found that there were two similar commits associated with the same
type of security fix in that release. The oss-security thread was
extremely helpful in providing a specific URL for where upstream
discussion was attempted, but the only upstream discussion occurred
after the last oss-security message. Finally, there is the
somewhat-common question of what to do if a Linux distributor interprets
an oss-security message as an indication that a new distribution package
can be safely produced by backporting one commit, rather than by
packaging a new upstream version.

The scope of CVE-2015-8076 is both of the June 2015 commits by the
cyrus-imapd developers for preventing read operations that go beyond the
size of a message, i.e.,

  https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921

and

  https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b

(We don't know of cases where a Linux distribution backported only
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921. For example, the September
updates from openSUSE state that they packaged version 2.3.19. If any
Linux distributions backported only
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921, each of those distributions
should now have another unique CVE for an "incomplete fix for
CVE-2015-8076" problem. If we already knew that that had occurred, we
may have chosen separate CVEs for the upstream
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 and
c21e179c1f6b968fe69bebe079176714e511587b fixes, to simplify the overall
CVE assignment work.)

The original oss-security message suggested that the fixed version was
2.4.18, but actually all of these changelogs seem applicable:

  https://docs.cyrus.foundation/imap/release-notes/2.3/x/2.3.19.html
  https://docs.cyrus.foundation/imap/release-notes/2.4/x/2.4.18.html
  https://docs.cyrus.foundation/imap/release-notes/2.5/x/2.5.4.html

The scope of CVE-2015-8077 is the discovery by Florian Weimer that there
can be an integer overflow in the start_octet addition after the
07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 fix. This discovery corresponds
to:

  https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08

The scope of CVE-2015-8078 is the discovery by a cyrus-imapd developer
that there can be an integer overflow in the section_offset addition
after the c21e179c1f6b968fe69bebe079176714e511587b fix. This discovery
corresponds to:

  https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2

CVE-2015-8077 and CVE-2015-8078 potentially affect all released versions
(see the ftp://ftp.cyrusimap.org/cyrus-imapd/ listing).

There is no CVE for the
https://cyrus.foundation/cyrus-imapd/commit/?id=d81a712401418cc0bd1daa49ded8e5bcc4b69f21
buffer overflow because we don't know of a realistic case in which a
privilege boundary can be crossed by an untrusted person who controls
the imtest command line.

There is no CVE for
https://cyrus.foundation/cyrus-imapd/commit/?id=ff4e6c71d932b3e6bbfa67d76f095e27ff21bad0
because of the upstream comments in the
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2015-October/003550.html
post.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWOiyZAAoJEL54rhJi8gl5d0kQAKXrBLVlHSAv5O2P39UEUFAQ
Kug9b8p3ktVyPWMADkXVhkureQ9Sjdyjqtfb+NeyCSzm8AdiYjwYDpFnBqT8DCFj
7z6Q88mAgSyI4hbKKnylAR+2pEagLct1MGZCm990VjtMkRKgUil2S013hRU0ol5D
NfLaYsZuO12DhzyXYVbcz2Yu83AfdapiG4UfDedeMPCrX/WpDdDIpElMDv9zuBha
I4sb4v/1TlI/MWLDIRv6VVguL5q8Qj7xnHTpIcaKUkjmJJBbMxn/8+4zOOxZqgnx
Z+qOmz7h3nQ9nY7j+AgoD268a0UPACemG4Wc9enzD8toiXCQ1rU2eegdUSXNXL3k
m+JbVn9aOQB0P6m2bthWzbtkcMBnGY/mqvqqf/w7W+0qKXzE4EFUtny8D6ApQCYJ
hxdPDlt2iAHxrR5gZg3jH+UjZ4eE80ORN7+1ZUcW5h/FHWyUrFfVIeY2GkXpu1rc
9+ciRPUOW6fI9oK5fiyCi3kGmfg4V3i2i+IpYkK7s+/gF3ehj5kmwxaFVCQX9Dib
cj0kLJIG/yzBRN/DGaHdfKSsxp1P5e3JyojikdOKuXMfgxX3ZXFZA5O9TcvX9siV
lGGB4wDjrSk+jyC+iAf6gO8pqCas8POkMgfu2ktnklXJQZUceSINmMPLlwbDA4Lx
ZnWm8ntzkESdiXorQIE2
=utTo
-----END PGP SIGNATURE-----
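The message above describes a two-stage bug: a first fix that checks whether a urlfetch range starts beyond the end of the message, and a follow-up (CVE-2015-8077 / CVE-2015-8078) because the start_octet and section_offset additions used by such a check can themselves overflow. The following C program is an added illustration of that failure mode and of an overflow-free form of the check; it is not Cyrus IMAP code, and the function names, the 32-bit unsigned width of the offsets, and the sample message are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration only (not the cyrus-imapd implementation): a partial fetch
 * is parameterised by a start offset and an octet count. Both are modelled
 * here as uint32_t, an assumption about the width; the wrap-around problem
 * is the same for any fixed-width integer type.
 */

/* Bounds check that adds first. start_octet + octet_count wraps modulo 2^32,
 * so a start far beyond the message can still compare as "in range". */
bool range_ok_naive(uint32_t msg_size, uint32_t start_octet, uint32_t octet_count)
{
    return start_octet + octet_count <= msg_size;
}

/* Overflow-free form: reject an out-of-range start first, then compare the
 * count against the octets that remain. msg_size - start_octet cannot wrap
 * once start_octet <= msg_size has been established, so no addition occurs. */
bool range_ok_safe(uint32_t msg_size, uint32_t start_octet, uint32_t octet_count)
{
    if (start_octet > msg_size)
        return false;
    return octet_count <= msg_size - start_octet;
}

/* Constructed sample message body (36 octets). */
static const char sample_msg[] = "Subject: hi\r\n\r\nhello from urlfetch\r\n";

/* Copy the requested octet range out of msg into out using the safe check.
 * Returns the number of octets copied, or -1 if the range was rejected. */
long fetch_range(const char *msg, uint32_t msg_size, uint32_t start_octet,
                 uint32_t octet_count, char *out, size_t out_cap)
{
    if (!range_ok_safe(msg_size, start_octet, octet_count))
        return -1;
    if (octet_count > out_cap)
        return -1;
    memcpy(out, msg + start_octet, octet_count);
    return (long)octet_count;
}

/* Self-check: fetching 5 octets at offset 15 of the sample yields "hello". */
bool fetch_demo(void)
{
    char buf[8];
    uint32_t size = (uint32_t)(sizeof(sample_msg) - 1);
    long n = fetch_range(sample_msg, size, 15u, 5u, buf, sizeof buf);
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

int main(void)
{
    uint32_t size = (uint32_t)(sizeof(sample_msg) - 1);
    /* A start just below UINT32_MAX: 0xFFFFFFF0 + 32 wraps to 16, which is
     * <= 36, so the naive check accepts a read that starts past the end. */
    uint32_t start = UINT32_MAX - 15u, count = 32u;

    printf("naive check: %s\n",
           range_ok_naive(size, start, count) ? "accepted (overflow bug)" : "rejected");
    printf("safe  check: %s\n",
           range_ok_safe(size, start, count) ? "accepted" : "rejected");
    printf("fetch_demo: %s\n", fetch_demo() ? "ok" : "failed");
    return 0;
}
```

The same pattern applies to a section offset added to a range start: compare the offset against the size first, then compare the count against the remainder, rather than forming the sum and comparing that.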