UW IMAP (wu-imapd) partial mailbox attributes to request buffer overflow

wuimapd-partial-mailbox-bo (9055) The risk level is classified as HighHigh Risk

Description:

UW IMAP (wu-imapd) is vulnerable to a buffer overflow. A remote attacker with a valid user account could request partial mailbox attributes to overflow a buffer and execute arbitrary commands on the system or cause the server to crash.


Consequences:

Gain Access

Remedy:

Apply the patch for this vulnerability included in the BugTraq Mailing List posting dated May 11 2002 12:34AM. See References.

For Caldera OpenLinux 3.1 and 3.1.1 (Server and Workstation):
Upgrade to the latest version of imap (2000-14 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-021.0. See References.

For Conectiva Linux 6.0:
Upgrade to the latest version of imap (2000c-10U60_3cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:487. See References.

For Conectiva Linux 7.0:
Upgrade to the latest version of imap (2000c-10U70_3cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:487. See References.

For Conectiva Linux 8.0:
Upgrade to the latest version of imap (2000c-12U8_2cl or later), as listed in Conectiva Linux Security Announcement CLA-2002:487. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of imap (2000c-4.9mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:034 : imap. See References.

For Mandrake Linux 7.2:
Upgrade to the latest version of imap (2000c-4.8mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:034 : imap. See References.

For Mandrake Linux 8.0:
Upgrade to the latest version of imap (2000c-4.7mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:034 : imap. See References.

For Mandrake Linux 8.1:
Upgrade to the latest version of imap (2000c-7.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:034 : imap. See References.

For Mandrake Linux 8.2:
Upgrade to the latest version of imap (2001a-5.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:034 : imap. See References.

For Red Hat Linux:
Upgrade to the latest imap package, as listed below. Refer to RHSA-2002:092-13 for more information. See References.

Red Hat 6.2: 2001a-1.62.0 or later
Red Hat 7.0: 2001a-1.70.0 or later
Red Hat 7.1, 7.1for iSeries, 7.1 for pSeries: 2001a-1.71.0 or later
Red Hat 7.2: 2001a-1.72.0 or later

For HP Secure OS software for Linux Release 1.0:
Apply the RHSA-2002:092 RPMs, as listed in Hewlett-Packard Company Security Advisory HPSBTL0205-043. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest version of imap (2000c-1.0.23 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20020607-013. See References.

For Debian GNU/Linux:
Upgrade to the latest cyrus-imapd package, as listed below. Refer to DSA-215- for more information. See References.

Debian GNU/Linux 2.2 (potato): 1.5.19-2.2 or later
Debian GNU/Linux 3.0 (woody): 1.5.19-9.1or later

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • EngardeLinux Secure Linux
  • HP Secure OS 1.0
  • MandrakeSoft Mandrake Linux 7.1
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux Corporate Server 1.0.1
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • SCO Caldera OpenLinux Server 3.1
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1
  • SCO Caldera OpenLinux Workstation 3.1.1
  • University of Washington UW IMAP 2000.283
  • University of Washington UW IMAP 2000.284
  • University of Washington UW IMAP 2000.287
  • University of Washington UW IMAP 2001.315

Reported:

May 10, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page