cyrus-imapd: CVE-2015-8077 and CVE-2015-8078
ellie timoney
ellie at fastmail.com
Thu Nov 19 19:30:54 EST 2015
Hi Aeneas,
(cc cyrus-devel: these are in relation to the discussion on list with
Florian a few weeks ago)
There were two commits related to that pair of CVEs:
One of those commits applies to 2.3, so I've now backported it to the
2.3 git branch.
The other commit changes code that doesn't exist on the 2.3 branch, so I
haven't backported it.
Cheers,
ellie
On Wed, Nov 18, 2015, at 07:24 PM, Aeneas Jaißle wrote:
> Hi Ellie,
>
> I have a question about cyrus-imapd and the above mentioned CVEs. I see
> it's reported against and fixed in the 2.4, 2.5 and master branches, but
> not 2.3.
>
>
> In 2.3.19, we have
>     /* Sanity check the requested size */
>     if (size && (offset + size > msg_size))
>         n = msg_size - offset;
>     else
>         n = size;
>
> whereas
>     unsigned long msg_size = 0;
>     ...
>     unsigned size, offset = 0, skip = 0;
>     int n, r = 0;
>
> , so it looks vulnerable to me (at least CVE-2015-8077). Then again, I
> have no knowledge of the code, so maybe you can give me your opinion
> (and in case help to provide a patch?)
>
>
> --
> ____
> /@ ~-. Aeneas Jaißle
> \/ __ .- | ✉ aj at ajaissle.de
> // // @
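
The range check quoted above from 2.3.19, shown beside an addition-free form. This is an added example, not part of the original thread and not the Cyrus fix. `quoted_check` and `safe_check` are hypothetical names, `uint32_t` stands in for `unsigned` on the assumption that it is 32 bits wide, and returning zero bytes for an offset beyond the message is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* The check as quoted from 2.3.19. uint32_t stands in for `unsigned`
 * (assumed 32 bits wide); n is an int, as in the quoted declarations. */
static int quoted_check(unsigned long msg_size, uint32_t offset, uint32_t size)
{
    int n;
    /* offset + size is evaluated in 32 bits and can wrap to a small
     * value before it is compared with msg_size. */
    if (size && (offset + size > msg_size))
        n = (int)(msg_size - offset);
    else
        n = (int)size;
    return n;
}

/* Addition-free form: compare size with the bytes left after offset. */
static unsigned long safe_check(unsigned long msg_size, uint32_t offset, uint32_t size)
{
    unsigned long avail;
    if (offset >= msg_size)
        return 0;               /* assumption: nothing to return */
    avail = msg_size - offset;
    return size > avail ? avail : size;
}

int main(void)
{
    /* Constructed inputs: a 1000-byte message. */
    static const struct { uint32_t offset, size; } cases[] = {
        { 100u, 200u },          /* in range */
        { 900u, 200u },          /* runs past the end, gets clamped */
        { 900u, 0xFFFFFFF0u },   /* 32-bit sum wraps to 884 */
        { 0xFFFFFF00u, 0x200u }, /* offset itself beyond the message */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%u size=%u quoted=%d safe=%lu\n",
               (unsigned)cases[i].offset, (unsigned)cases[i].size,
               quoted_check(1000, cases[i].offset, cases[i].size),
               safe_check(1000, cases[i].offset, cases[i].size));
    return 0;
}
```

In the last two cases the wrapped sum passes the quoted comparison, so the requested size is used unclamped, while the addition-free form returns 100 and 0.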