FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Cyrus IMAPd -- PARTIAL command out of bounds memory corruption

Affected packages
cyrus-imapd < 2.1.17
2.2.* <= cyrus-imapd <= 2.2.6

Details

VuXML ID 114d70f3-3d16-11d9-8818-008088034841
Discovery 2004-11-06
Entry 2004-11-22
Modified 2004-11-24

Due to a bug within the argument parser of the partial command an argument like "body[p" will be wrongly detected as "body.peek". Because of this the bufferposition gets increased by 10 instead of 5 and could therefore point outside the allocated memory buffer for the rest of the parsing process. In imapd versions prior to 2.2.7 the handling of "body" or "bodypeek" arguments was broken so that the terminating ']' got overwritten by a '\0'. Combined the two problems allow a potential attacker to overwrite a single byte of malloc() control structures, which leads to remote code execution if the attacker successfully controls the heap layout.

References

CVE Name CVE-2004-1012
URL http://security.e-matters.de/advisories/152004.html