FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Cyrus IMAPd -- FETCH command out of bounds memory corruption

Affected packages
cyrus-imapd < 2.1.17
2.2.* <= cyrus-imapd <= 2.2.8


VuXML ID c0a269d5-3d16-11d9-8818-008088034841
Discovery 2004-11-06
Entry 2004-11-22
Modified 2004-11-24

The argument parser of the fetch command suffers a bug very similiar to the partial command problem. Arguments like "body[p", "binary[p" or "binary[p" will be wrongly detected and the bufferposition can point outside of the allocated buffer for the rest of the parsing process. When the parser triggers the PARSE_PARTIAL macro after such a malformed argument was received this can lead to a similiar one byte memory corruption and allows remote code execution, when the heap layout was successfully controlled by the attacker.


CVE Name CVE-2004-1013