CVE-2009-3235 in Ubuntu

CVE-2009-3235

Priority

Description

Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0
before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted SIEVE script, as demonstrated
by forwarding an e-mail message to a large number of recipients, a
different vulnerability than CVE-2009-2632.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3235
https://ubuntu.com/security/notices/USN-838-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547947 (cyrus-imapd)

Notes

mdeslaur

version specified is of dovecot-sieve, not of the dovecot itself
although code is present in dapper's dovecot, we don't compile
the sieve plugin

Package

Source: cyrus-imapd-2.2 (LP Ubuntu Debian)

Upstream:	released (2.2.13-17)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (2.2.13-19)

Patches:

Upstream:	https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/sieve.y.diff?r1=1.40;r2=1.41;f=h
Upstream:	https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/bc_eval.c.diff?r1=1.14;r2=1.15;f=h
Upstream:	https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.68;r2=1.69;f=h
Debdiff:	https://bugs.launchpad.net/ubuntu/+source/cyrus-imapd-2.2/+bug/438363

Package

Source: dovecot (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	released (1:1.1.11-0ubuntu9)

Patches:

Upstream:	http://hg.dovecot.org/dovecot-sieve-1.1/rev/049f22520628
Upstream:	http://hg.dovecot.org/dovecot-sieve-1.1/rev/4577c4e1130d

Package

Source: kolab-cyrus-imapd (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (2.2.13-9)

Patches:

More Information

Updated: 2022-02-10 23:38:38 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)