Fwd: pre-login buffer overflow in Cyrus IMAP server

Lawrence Greenfield leg+ at andrew.cmu.edu
Thu Dec 26 02:44:14 EST 2002

--On Friday, December 06, 2002 1:27 AM +0100 Simon Josefsson 
<jas at extundo.com> wrote:

> Any comment on why it took over a month to react to this reported
> vulnerability?

Hi Simon,

You'll note that it has taken me almost a month to respond to your message. 
This is mostly because I get very distracted very easily.

When the initial bug report came in, it was evaluated as fairly low 
vulnerability (all it contained was the fact that you could overwrite a 
malloc'd buffer), since the only obvious overflows would cause the entire 
process to crash. Sadly, I didn't think of process reuse---nor did I fully 
understand the GNU malloc implementation that makes this an exploitable 
overflow on certain architectures.

Timo wrote back approximately 2 weeks later that he could demonstrate an 
exploit on Debian linux. We had a new version about a week later after a 
small amount of back and forth with Timo about what a good solution might 

> A comment explaining why it took so long and what happened in the
> meantime would be useful in extrapolating how future vulnerabilities
> will be handled.  If this has already been discussed somewhere, I am
> sorry for duplicating the discussion and would appreciate a pointer.

I suspect that future exploits will be handled similarly. We have to make 
an initial guess on how important any information sent to cyrus-bugs is, 
since there's no one here who is solely devoted to Cyrus maintenance. I 
guess our (mostly my) initial triaging was off on this.

Note that the Sieve vulnerabilities were reported significantly later and 
were therefore fixed with, what I'd call, all due speed.

I hope this helps.
