Your message dated Thu, 15 Jan 2009 18:17:08 +0000
with message-id <e1lnwmc-0002tv...@ries.debian.org>
and subject line Bug#510918: fixed in uw-imap 8:2007b~dfsg-1.1
has caused the Debian Bug report #510918,
regarding CVE-2008-5514: Off-by-one error
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
510918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: uw-imap
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for uw-imap.
CVE-2008-5514[0]:
| Off-by-one error in the rfc822_output_char function in the
| RFC822BUFFER routines in the University of Washington (UW) c-client
| library, as used by the UW IMAP toolkit before imap-2007e and other
| applications, allows context-dependent attackers to cause a denial of
| service (crash) via an e-mail message that triggers a buffer overflow.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
The issue has been fixed in lenny already via the latest DTSA. The patch
just needs to be applied for sid.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5514
http://security-tracker.debian.net/tracker/CVE-2008-5514
--- End Message ---
--- Begin Message ---
Source: uw-imap
Source-Version: 8:2007b~dfsg-1.1
We believe that the bug you reported is fixed in the latest version of
uw-imap, which is due to be installed in the Debian FTP archive:
ipopd_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/ipopd_2007b~dfsg-1.1_amd64.deb
libc-client2007b-dev_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/libc-client2007b-dev_2007b~dfsg-1.1_amd64.deb
libc-client2007b_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/libc-client2007b_2007b~dfsg-1.1_amd64.deb
mlock_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/mlock_2007b~dfsg-1.1_amd64.deb
uw-imap_2007b~dfsg-1.1.diff.gz
to pool/main/u/uw-imap/uw-imap_2007b~dfsg-1.1.diff.gz
uw-imap_2007b~dfsg-1.1.dsc
to pool/main/u/uw-imap/uw-imap_2007b~dfsg-1.1.dsc
uw-imapd_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/uw-imapd_2007b~dfsg-1.1_amd64.deb
uw-mailutils_2007b~dfsg-1.1_amd64.deb
to pool/main/u/uw-imap/uw-mailutils_2007b~dfsg-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated uw-imap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 15 Jan 2009 19:00:01 +0100
Source: uw-imap
Binary: uw-imapd ipopd libc-client2007b-dev libc-client2007b mlock uw-mailutils
Architecture: source amd64
Version: 8:2007b~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Nico Golde <n...@debian.org>
Description:
ipopd - POP2 and POP3 mail server
libc-client2007b - c-client library for mail protocols - library files
libc-client2007b-dev - c-client library for mail protocols - development files
mlock - mailbox locking program
uw-imapd - remote mail folder access server using IMAP4rev1
uw-mailutils - c-client support programs
Closes: 510918
Changes:
uw-imap (8:2007b~dfsg-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix denial of service vulnerability because of rfc822_output_char() not
checking for a full buffer and writing one byte ahead the buffer, later
resulting in memcpy getting called with a possible size argument of -1
(0003_CVE-2008-5514.patch; Closes: #510918)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklve8kACgkQHYflSXNkfP98dgCfX11x8y5y2rqmatyQdmRiLHhj
qHAAoKr5aAC5Xyys3dc6npR4y/DzyTuZ
=XbVw
-----END PGP SIGNATURE-----
--- End Message ---
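The failure chain in the changelog entry above (a character written into an already full buffer, then a later memcpy length of -1) can be reproduced in a small model. This is an added example, not c-client source and not the Debian patch: the type and function names are hypothetical, and the bulk-append routine that flushes only when data is still pending is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>
#define CAP 8   /* logical buffer size (constructed for the demo) */

/* Simplified flush-on-full output buffer; all names are hypothetical. */
typedef struct {
    char store[CAP + 1];   /* +1 guard byte keeps the demo's stray write in bounds */
    char *cur, *end;       /* end = store + CAP, one past the last usable byte */
} outbuf;
static void ob_init(outbuf *b) { b->cur = b->store; b->end = b->store + CAP; }
static void ob_flush(outbuf *b) { b->cur = b->store; }   /* stand-in for writing out */

/* Bulk append: returns bytes copied, or the negative length memcpy would have received. */
static long ob_data(outbuf *b, const char *s, long len) {
    long copied = 0;
    while (len) {
        long room = b->end - b->cur;
        long n = len < room ? len : room;
        if (n < 0) return n;               /* memcpy(dst, src, (size_t)-1) in real code */
        memcpy(b->cur, s, (size_t)n);
        b->cur += n; s += n; len -= n; copied += n;
        if (len) ob_flush(b);              /* flush only when data is still pending */
    }
    return copied;
}

/* Flawed: stores first, so an already full buffer gets one byte past end. */
static void ob_char_flawed(outbuf *b, int c) {
    *b->cur++ = (char)c;
    if (b->cur == b->end) ob_flush(b);     /* cur is now end + 1: never equal again */
}

/* Corrected: flush a full buffer before storing, then keep the post-store check. */
static void ob_char_fixed(outbuf *b, int c) {
    if (b->cur == b->end) ob_flush(b);
    *b->cur++ = (char)c;
    if (b->cur == b->end) ob_flush(b);
}

/* Fill the buffer exactly, append one char, then append more data. */
static long scenario(void (*put)(outbuf *, int)) {
    outbuf b; ob_init(&b);
    ob_data(&b, "ABCDEFGH", CAP);          /* cur == end, nothing pending, no flush */
    put(&b, ':');
    return ob_data(&b, "x", 1);
}

int main(void) {
    printf("flawed: %ld\nfixed: %ld\n", scenario(ob_char_flawed), scenario(ob_char_fixed));
    return 0;
}
```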