Fwd: pre-login buffer overflow in Cyrus IMAP server
Lawrence Greenfield
leg+ at andrew.cmu.edu
Thu Dec 26 02:44:14 EST 2002
--On Friday, December 06, 2002 1:27 AM +0100 Simon Josefsson
<jas at extundo.com> wrote:
> Any comment on why it took over a month to react to this reported
> vulnerability?
Hi Simon,
You'll note that it has taken me almost a month to respond to your message.
This is mostly because I get very distracted very easily.
When the initial bug report came in, it was evaluated as fairly low
vulnerability (all it contained was the fact that you could overwrite a
malloc'd buffer), since the only obvious overflows would cause the entire
process to crash. Sadly, I didn't think of process reuse---nor did I fully
understand the GNU malloc implementation that makes this an exploitable
overflow on certain architectures.
Timo wrote back approximately 2 weeks later that he could demonstrate an
exploit on Debian Linux. We had a new version about a week later after a
small amount of back and forth with Timo about what a good solution might
be.
> A comment explaining why it took so long and what happened in the
> meantime would be useful in extrapolating how future vulnerabilities
> will be handled. If this has already been discussed somewhere, I am
> sorry for duplicating the discussion and would appreciate a pointer.
I suspect that future exploits will be handled similarly. We have to make
an initial guess on how important any information sent to cyrus-bugs is,
since there's no one here who is solely devoted to Cyrus maintenance. I
guess our (mostly my) initial triaging was off on this.
Note that the Sieve vulnerabilities were reported significantly later and
were therefore fixed with, what I'd call, all due speed.
I hope this helps.
Larry
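The triage mistake Larry describes above, treating an overrun of a malloc'd buffer as "it just crashes", is worth seeing in code. The following is an added illustration, not part of this message and not Cyrus or glibc source. It models a heap as a flat arena of chunks, each a size header followed by its payload, which is the basic shape of glibc's allocator (the real one carries more state). An unchecked copy into a 16-byte chunk does not fault; it silently rewrites the size header of the neighbouring chunk, which a long-lived, reused process will later trust. The chunk layout, the `toy_*` helpers and the sample input are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy heap: chunks are [size_t header][payload], laid out back to back.
   This mirrors only the gross layout of a real allocator and is not glibc code. */
enum { ARENA_BYTES = 256 };
static unsigned char arena[ARENA_BYTES];
static size_t arena_top;

static void toy_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Carve a chunk off the arena: header holding n, then n payload bytes. */
static unsigned char *toy_malloc(size_t n)
{
    const size_t hdr = sizeof(size_t);
    if (arena_top + hdr + n > ARENA_BYTES)
        return NULL;
    unsigned char *chunk = arena + arena_top;
    memcpy(chunk, &n, hdr);          /* allocator metadata sits just before the payload */
    arena_top += hdr + n;
    return chunk + hdr;
}

/* Read back the size header the allocator would consult on free/realloc. */
static size_t toy_chunk_size(const unsigned char *payload)
{
    size_t n;
    memcpy(&n, payload - sizeof(size_t), sizeof n);
    return n;
}

/* Vulnerable pattern: copy until the terminator, trusting the input to fit dst. */
static void copy_unchecked(unsigned char *dst, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
    dst[i] = '\0';
}

/* Hardened pattern: the caller states the capacity; oversize input is truncated
   and reported with -1 so the protocol layer can reject the command. */
static int copy_checked(unsigned char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Allocate two adjacent chunks, copy input into the first, and return the size
   header of the SECOND chunk afterwards. 32 means the neighbour is intact. */
static size_t neighbour_size_after(int checked, const char *input)
{
    toy_reset();
    unsigned char *a = toy_malloc(16);
    unsigned char *b = toy_malloc(32);
    if (checked)
        copy_checked(a, 16, input);
    else
        copy_unchecked(a, input);
    /* No fault occurs in either path; only the checked one leaves b's header alone.
       In a reused process the corrupted header is what a later free() would act on. */
    return toy_chunk_size(b);
}

/* Constructed oversize input: 24 bytes into a 16-byte chunk. */
static const char *const SAMPLE_INPUT = "AAAAAAAAAAAAAAAAAAAAAAAA";
```

`neighbour_size_after(0, SAMPLE_INPUT)` returns a header made of 'A' bytes rather than 32 and the program keeps running, which is the point: the write lands in allocator bookkeeping, not in an unmapped page. `neighbour_size_after(1, SAMPLE_INPUT)` returns 32, and `copy_checked` reports the truncation so the caller can drop the connection instead of continuing with a damaged heap.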