int(1409)

Boletines de Vulnerabilidades


Múltiples desbordamientos de búfer de un byte en Cyrus IMAPd

Clasificación de la vulnerabilidad

Propiedad Valor
Nivel de Confianza Oficial
Impacto Obtener acceso
Dificultad Experto
Requerimientos del atacante Acceso remoto con cuenta

Información sobre el sistema

Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado Cyrus IMAPd <2.2.11

Descripción

Se han descubierto múltiples vulnerabilidades de desbordamiento de búfer de un byte en las versiones anteriores a la 2.2.11 de Cyrus IMAPd.

La explotación de estas vulnerabilidades podría permitir a un atacante remoto autenticado en el servidor IMAP ejecutar código arbitrario.

Solución

Si lo desea, aplique los mecanismos de actualización propios de su distribución, o bien baje las fuentes del software y compílelo usted mismo.


Actualización de software

Cyrus IMAPd
Cyrus IMAPd 2.2.11
ftp://ftp.andrew.cmu.edu/pub/cyrus/cyrus-imapd-2.2.11.tar.gz

SUSE Linux

SUSE Linux 9.2
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cyrus-imapd-2.2.8-6.5.i586.rpm
x86-64
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/cyrus-imapd-2.2.8-6.5.x86_64.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/cyrus-imapd-2.2.8-6.5.src.rpm

SUSE Linux 9.1
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cyrus-imapd-2.2.3-83.22.i586.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/cyrus-imapd-2.2.3-83.22.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/cyrus-imapd-2.2.3-83.22.src.rpm

SUSE Linux 9.0
x86
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cyrus-imapd-2.1.15-91.i586.rpm
x86-64
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cyrus-imapd-2.1.15-91.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/cyrus-imapd-2.1.15-91.src.rpm

SUSE Linux 8.2
x86
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cyrus-imapd-2.1.12-77.i586.rpm

Mandrake Linux

Mandrakelinux 10.0
x86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/cyrus-imapd-2.1.16-5.4.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/cyrus-imapd-devel-2.1.16-5.4.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/cyrus-imapd-murder-2.1.16-5.4.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/cyrus-imapd-utils-2.1.16-5.4.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/perl-Cyrus-2.1.16-5.4.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/cyrus-imapd-2.1.16-5.4.100mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/cyrus-imapd-2.1.16-5.4.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/cyrus-imapd-devel-2.1.16-5.4.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/cyrus-imapd-murder-2.1.16-5.4.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/cyrus-imapd-utils-2.1.16-5.4.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/perl-Cyrus-2.1.16-5.4.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/cyrus-imapd-2.1.16-5.4.100mdk.src.rpm

Mandrakelinux 10.1
x86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cyrus-imapd-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cyrus-imapd-devel-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cyrus-imapd-murder-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cyrus-imapd-nntp-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/cyrus-imapd-utils-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/perl-Cyrus-2.2.8-4.2.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/cyrus-imapd-2.2.8-4.2.101mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cyrus-imapd-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cyrus-imapd-devel-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cyrus-imapd-murder-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cyrus-imapd-nntp-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/cyrus-imapd-utils-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/perl-Cyrus-2.2.8-4.2.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/cyrus-imapd-2.2.8-4.2.101mdk.src.rpm

Corporate Server 3.0
x86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/cyrus-imapd-2.1.16-5.4.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/cyrus-imapd-devel-2.1.16-5.4.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/cyrus-imapd-murder-2.1.16-5.4.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/cyrus-imapd-utils-2.1.16-5.4.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/perl-Cyrus-2.1.16-5.4.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/cyrus-imapd-2.1.16-5.4.C30mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/cyrus-imapd-2.1.16-5.4.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/cyrus-imapd-devel-2.1.16-5.4.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/cyrus-imapd-murder-2.1.16-5.4.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/cyrus-imapd-utils-2.1.16-5.4.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/perl-Cyrus-2.1.16-5.4.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/cyrus-imapd-2.1.16-5.4.C30mdk.src.rpm

Red Hat Linux
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

Identificadores estándar

Propiedad Valor
CVE CAN-2005-0546
BID

Recursos adicionales

Cyrus IMAPd 2.2.11 Released
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=33723

SUSE Security Announcement SUSE-SA:2005:009
http://www.novell.com/linux/security/advisories/2005_09_cyrus_imapd.html

Mandrakesoft Security Advisories MDKSA-2005:051
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:051

Red Hat Security Advisory RHSA-2005:408-04
https://rhn.redhat.com/errata/RHSA-2005-408.html

Histórico de versiones

Versión Comentario Fecha
1.0 Aviso emitido 2005-02-25
1.1 Aviso emitido por Mandrake (MDKSA-2005:051). CAN añadido. 2005-03-07
1.2 Aviso emitido por Red Hat (RHSA-2005:408-04) 2005-05-18

Miembros de

Ministerio de Defensa
CNI
CCN
CCN-CERT