Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2009-3235

Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.

Related bugs and status

CVE-2009-3235 (Candidate) is related to these bugs:

Bug #438363: Please, fix buffer overflow vulnerability in SIEVE

Summary				In	Importance	Status
	438363	Please, fix buffer overflow vulnerability in SIEVE		cyrus-imapd-2.2 (Ubuntu)	Medium	Fix Released

Bug #550258: Sync cyrus-imapd-2.2 2.2.13-19 (universe) from Debian testing (main)

Summary				In	Importance	Status
	550258	Sync cyrus-imapd-2.2 2.2.13-19 (universe) from Debian testing (main)		cyrus-imapd-2.2 (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [Dovecot-news] 2009091...
MLIST: [oss-security] 2009091...
FEDORA: FEDORA-2009-9559
BID: 36377
OSVDB: 58103
SECUNIA: 36698
SECUNIA: 36713
VUPEN: ADV-2009-2641
UBUNTU: USN-838-1
SECUNIA: 36904
SUSE: SUSE-SR:2009:016
CONFIRM: http://support.apple.c...
APPLE: APPLE-SA-2009-11-09-1
VUPEN: ADV-2009-3184
SUSE: SUSE-SR:2009:018
XF: cmu-sieve-dovecot-unsp...
OVAL: oval:org.mitre.oval:de...