- fix buffer overflow in cyrus sieve (CVE-2009-3235)

cyrus-imapd-2.3.1-authid_normalize.patch

@@ -1,17 +1,7 @@
---- cyrus-imapd-2.3.13/lib/libcyr_cfg.h.authid_normalize	2008-07-30 18:03:39.000000000 +0200
-+++ cyrus-imapd-2.3.13/lib/libcyr_cfg.h	2009-01-13 11:41:59.000000000 +0100
-@@ -112,6 +112,8 @@ enum cyrus_opt {
-     CYRUSOPT_SQL_PASSWD,
-     /* Secure SQL connection (OFF) */
-     CYRUSOPT_SQL_USESSL,
-+    /* Lowercase uid and strip leading and trailing blanks (OFF) */
-+    CYRUSOPT_NORMALIZEUID,
- 
-     CYRUSOPT_LAST
-     
---- cyrus-imapd-2.3.13/lib/auth_unix.c.authid_normalize	2009-01-13 11:38:08.000000000 +0100
-+++ cyrus-imapd-2.3.13/lib/auth_unix.c	2009-01-13 11:38:08.000000000 +0100
-@@ -155,10 +155,12 @@
+diff -up cyrus-imapd-2.3.15/lib/auth_unix.c.authid_normalize cyrus-imapd-2.3.15/lib/auth_unix.c
+--- cyrus-imapd-2.3.15/lib/auth_unix.c.authid_normalize	2009-09-18 11:53:47.183115911 +0200
++++ cyrus-imapd-2.3.15/lib/auth_unix.c	2009-09-18 11:53:47.252115833 +0200
+@@ -156,10 +156,12 @@ const char *identifier;
  size_t len;
  {
      static char retbuf[81];
@@ -24,7 +14,7 @@
  
      if(!len) len = strlen(identifier);
      if(len >= sizeof(retbuf)) return NULL;
-@@ -210,6 +212,22 @@
+@@ -211,6 +213,22 @@ size_t len;
      /* now we don't */
      /* if (!sawalpha) return NULL;  */
  
@@ -47,9 +37,10 @@
      return retbuf;
  }
  
---- cyrus-imapd-2.3.13/lib/imapoptions.authid_normalize	2009-01-13 11:38:08.000000000 +0100
-+++ cyrus-imapd-2.3.13/lib/imapoptions	2009-01-13 11:38:08.000000000 +0100
-@@ -1182,6 +1182,11 @@
+diff -up cyrus-imapd-2.3.15/lib/imapoptions.authid_normalize cyrus-imapd-2.3.15/lib/imapoptions
+--- cyrus-imapd-2.3.15/lib/imapoptions.authid_normalize	2009-09-18 11:53:47.244115877 +0200
++++ cyrus-imapd-2.3.15/lib/imapoptions	2009-09-18 11:53:47.260115873 +0200
+@@ -1217,6 +1217,11 @@ product version in the capabilities */
     interface, otherwise the user is assumed to be in the default
     domain (if set). */
  
@@ -61,17 +52,29 @@
  /*
  .SH SEE ALSO
  .PP
---- cyrus-imapd-2.3.13/lib/libcyr_cfg.c.authid_normalize	2008-07-30 18:03:38.000000000 +0200
-+++ cyrus-imapd-2.3.13/lib/libcyr_cfg.c	2009-01-13 11:38:08.000000000 +0100
-@@ -150,6 +150,11 @@
-       CFGVAL(long, 0),
+diff -up cyrus-imapd-2.3.15/lib/libcyr_cfg.c.authid_normalize cyrus-imapd-2.3.15/lib/libcyr_cfg.c
+--- cyrus-imapd-2.3.15/lib/libcyr_cfg.c.authid_normalize	2009-03-31 06:43:20.000000000 +0200
++++ cyrus-imapd-2.3.15/lib/libcyr_cfg.c	2009-09-18 11:55:03.436822867 +0200
+@@ -154,6 +154,10 @@ struct cyrusopt_s cyrus_options[] = {
+       CFGVAL(long, 1),
        CYRUS_OPT_SWITCH },
  
 +    { CYRUSOPT_NORMALIZEUID,
 +      CFGVAL(long, 1),
 +      CYRUS_OPT_SWITCH },
-+
 +
      { CYRUSOPT_LAST, { NULL }, CYRUS_OPT_NOTOPT }
  };
  
+diff -up cyrus-imapd-2.3.15/lib/libcyr_cfg.h.authid_normalize cyrus-imapd-2.3.15/lib/libcyr_cfg.h
+--- cyrus-imapd-2.3.15/lib/libcyr_cfg.h.authid_normalize	2009-03-31 06:43:20.000000000 +0200
++++ cyrus-imapd-2.3.15/lib/libcyr_cfg.h	2009-09-18 11:55:33.267115989 +0200
+@@ -114,6 +114,8 @@ enum cyrus_opt {
+     CYRUSOPT_SQL_USESSL,
+     /* Checkpoint after every recovery (OFF) */
+     CYRUSOPT_SKIPLIST_ALWAYS_CHECKPOINT,
++    /* Lowercase uid and strip leading and trailing blanks (OFF) */
++    CYRUSOPT_NORMALIZEUID,
+ 
+     CYRUSOPT_LAST
+     

cyrus-imapd-2.3.15-bufov.patch

@@ -0,0 +1,57 @@
+diff -up cyrus-imapd-2.3.15/sieve/bc_eval.c.bufov cyrus-imapd-2.3.15/sieve/bc_eval.c
+--- cyrus-imapd-2.3.15/sieve/bc_eval.c.bufov	2009-03-31 06:11:30.000000000 +0200
++++ cyrus-imapd-2.3.15/sieve/bc_eval.c	2009-09-18 15:05:29.187990786 +0200
+@@ -500,7 +500,7 @@ static int eval_bc_test(sieve_interp_t *
+ 	int comparator=ntohl(bc[i+3].value);
+ 	int apart=ntohl(bc[i+4].value);
+ 	int count=0;
+-	char scount[3];
++	char scount[21];
+ 	int isReg = (match==B_REGEX);
+ 	int ctag = 0;
+ 	regex_t *reg;
+@@ -669,7 +669,7 @@ static int eval_bc_test(sieve_interp_t *
+ 	int relation=ntohl(bc[i+2].value);
+ 	int comparator=ntohl(bc[i+3].value);
+ 	int count=0;	
+-	char scount[3];
++	char scount[21];
+ 	int isReg = (match==B_REGEX);
+ 	int ctag = 0;
+ 	regex_t *reg;
+@@ -790,7 +790,7 @@ static int eval_bc_test(sieve_interp_t *
+ 	int transform=ntohl(bc[i+4].value);
+ 	/* ntohl(bc[i+5].value) is the now unused 'offset' */
+ 	int count=0;
+-	char scount[3];
++	char scount[21];
+ 	int isReg = (match==B_REGEX);
+ 	int ctag = 0;
+ 	regex_t *reg;
+diff -up cyrus-imapd-2.3.15/sieve/script.c.bufov cyrus-imapd-2.3.15/sieve/script.c
+--- cyrus-imapd-2.3.15/sieve/script.c.bufov	2009-09-02 15:56:18.000000000 +0200
++++ cyrus-imapd-2.3.15/sieve/script.c	2009-09-18 15:04:00.728927938 +0200
+@@ -668,9 +668,9 @@ static int do_sieve_error(int ret,
+     if ((ret != SIEVE_OK) && interp->err) {
+ 	char buf[1024];
+ 	if (lastaction == -1) /* we never executed an action */
+-	    sprintf(buf, "%s", errmsg ? errmsg : sieve_errstr(ret));
++	    snprintf(buf, sizeof(buf), "%s", errmsg ? errmsg : sieve_errstr(ret));
+ 	else
+-	    sprintf(buf, "%s: %s", action_to_string(lastaction),
++	    snprintf(buf, sizeof(buf), "%s: %s", action_to_string(lastaction),
+ 		    errmsg ? errmsg : sieve_errstr(ret));
+  
+ 	ret |= interp->execute_err(buf, interp->interp_context,
+diff -up cyrus-imapd-2.3.15/sieve/sieve.y.bufov cyrus-imapd-2.3.15/sieve/sieve.y
+--- cyrus-imapd-2.3.15/sieve/sieve.y.bufov	2009-03-26 00:58:54.000000000 +0100
++++ cyrus-imapd-2.3.15/sieve/sieve.y	2009-09-18 15:04:00.734928038 +0200
+@@ -1159,7 +1159,7 @@ static int verify_relat(char *r)
+ 	else if (!strcmp(r, "ne")) {return NE;}
+ 	else if (!strcmp(r, "eq")) {return EQ;}
+ 	else{
+-	  sprintf(errbuf, "flag '%s': not a valid relational operation", r);
++	  snprintf(errbuf, sizeof(errbuf), "flag '%s': not a valid relational operation", r);
+ 	  yyerror(errbuf);
+ 	  return -1;
+ 	}

cyrus-imapd-2.3.7-notify_sms.patch

@@ -1,7 +1,7 @@
-diff -Naur cyrus-imapd-2.3.7.orig/doc/man/imapd.conf.5.html cyrus-imapd-2.3.7/doc/man/imapd.conf.5.html
---- cyrus-imapd-2.3.7.orig/doc/man/imapd.conf.5.html	2006-07-10 16:31:53.000000000 +0200
-+++ cyrus-imapd-2.3.7/doc/man/imapd.conf.5.html	2006-07-14 10:27:29.000000000 +0200
-@@ -3130,6 +3130,24 @@
+diff -up cyrus-imapd-2.3.15/doc/man/imapd.conf.5.html.notify_sms cyrus-imapd-2.3.15/doc/man/imapd.conf.5.html
+--- cyrus-imapd-2.3.15/doc/man/imapd.conf.5.html.notify_sms	2009-09-09 15:19:50.000000000 +0200
++++ cyrus-imapd-2.3.15/doc/man/imapd.conf.5.html	2009-09-18 11:49:42.207115959 +0200
+@@ -3469,6 +3469,24 @@ proxying CREATE.</p>
  <tr valign="top" align="left">
  <td width="10%"></td>
  <td width="89%">
@@ -26,10 +26,10 @@ diff -Naur cyrus-imapd-2.3.7.orig/doc/man/imapd.conf.5.html cyrus-imapd-2.3.7/do
  <p><b>servername:</b> &lt;none&gt;</p></td>
  </table>
  <!-- INDENTATION -->
-diff -Naur cyrus-imapd-2.3.7.orig/doc/man/notifyd.8.html cyrus-imapd-2.3.7/doc/man/notifyd.8.html
---- cyrus-imapd-2.3.7.orig/doc/man/notifyd.8.html	2006-07-10 16:31:54.000000000 +0200
-+++ cyrus-imapd-2.3.7/doc/man/notifyd.8.html	2006-07-14 10:27:29.000000000 +0200
-@@ -181,6 +181,18 @@
+diff -up cyrus-imapd-2.3.15/doc/man/notifyd.8.html.notify_sms cyrus-imapd-2.3.15/doc/man/notifyd.8.html
+--- cyrus-imapd-2.3.15/doc/man/notifyd.8.html.notify_sms	2009-09-09 15:19:51.000000000 +0200
++++ cyrus-imapd-2.3.15/doc/man/notifyd.8.html	2009-09-18 11:49:42.208116026 +0200
+@@ -181,6 +181,18 @@ a Sieve &rsquo;notify&rsquo; action as i
  <td width="11%"></td>
  <td width="10%">
  
@@ -48,10 +48,10 @@ diff -Naur cyrus-imapd-2.3.7.orig/doc/man/notifyd.8.html cyrus-imapd-2.3.7/doc/m
  <p><b>zephyr</b></p>
  </td>
  <td width="77%">
-diff -Naur cyrus-imapd-2.3.7.orig/lib/imapoptions cyrus-imapd-2.3.7/lib/imapoptions
---- cyrus-imapd-2.3.7.orig/lib/imapoptions	2006-06-27 17:58:42.000000000 +0200
-+++ cyrus-imapd-2.3.7/lib/imapoptions	2006-07-14 10:27:29.000000000 +0200
-@@ -829,6 +829,10 @@
+diff -up cyrus-imapd-2.3.15/lib/imapoptions.notify_sms cyrus-imapd-2.3.15/lib/imapoptions
+--- cyrus-imapd-2.3.15/lib/imapoptions.notify_sms	2009-09-18 11:49:42.189116010 +0200
++++ cyrus-imapd-2.3.15/lib/imapoptions	2009-09-18 11:50:38.230115954 +0200
+@@ -966,6 +966,10 @@ are listed with ``<none>''.
  /* The pathname of the sendmail executable.  Sieve invokes sendmail
     for sending rejections, redirects and vacation responses. */
  
@@ -59,26 +59,26 @@ diff -Naur cyrus-imapd-2.3.7.orig/lib/imapoptions cyrus-imapd-2.3.7/lib/imapopti
 +/* The pathname of the sendsms executable.  Sieve invokes sendsms
 +   for sending SMS notifications. */
 +
- { "servername", NULL, STRING }
- /* This is the hostname visible in the greeting messages of the POP,
-    IMAP and LMTP daemons. If it is unset, then the result returned
-diff -Naur cyrus-imapd-2.3.7.orig/man/imapd.conf.5 cyrus-imapd-2.3.7/man/imapd.conf.5
---- cyrus-imapd-2.3.7.orig/man/imapd.conf.5	2006-07-10 16:31:52.000000000 +0200
-+++ cyrus-imapd-2.3.7/man/imapd.conf.5	2006-07-14 10:27:29.000000000 +0200
-@@ -691,6 +691,9 @@
+ { "serverlist", NULL, STRING }
+ /* Whitespace separated list of backend server names.  Used for
+    finding server with the most available free space for proxying
+diff -up cyrus-imapd-2.3.15/man/imapd.conf.5.notify_sms cyrus-imapd-2.3.15/man/imapd.conf.5
+--- cyrus-imapd-2.3.15/man/imapd.conf.5.notify_sms	2009-09-09 15:19:48.000000000 +0200
++++ cyrus-imapd-2.3.15/man/imapd.conf.5	2009-09-18 11:51:26.441839866 +0200
+@@ -771,6 +771,9 @@ Allowed values: \fIflat\fR, \fIberkeley\
  .IP "\fBsendmail:\fR /usr/lib/sendmail" 5
  The pathname of the sendmail executable.  Sieve invokes sendmail
  for sending rejections, redirects and vacation responses. 
 +.IP "\fBsendsms:\fR /usr/bin/sendsms" 5
 +The pathname of the sendsms executable.  Sieve invokes sendsms
 +for sending SMS notifications. 
- .IP "\fBservername:\fR <none>" 5
- This is the hostname visible in the greeting messages of the POP,
- IMAP and LMTP daemons. If it is unset, then the result returned
-diff -Naur cyrus-imapd-2.3.7.orig/man/notifyd.8 cyrus-imapd-2.3.7/man/notifyd.8
---- cyrus-imapd-2.3.7.orig/man/notifyd.8	2003-08-10 01:43:14.000000000 +0200
-+++ cyrus-imapd-2.3.7/man/notifyd.8	2006-07-14 10:27:29.000000000 +0200
-@@ -110,6 +110,11 @@
+ .IP "\fBserverlist:\fR <none>" 5
+ Whitespace separated list of backend server names.  Used for
+ finding server with the most available free space for proxying
+diff -up cyrus-imapd-2.3.15/man/notifyd.8.notify_sms cyrus-imapd-2.3.15/man/notifyd.8
+--- cyrus-imapd-2.3.15/man/notifyd.8.notify_sms	2008-04-04 14:47:00.000000000 +0200
++++ cyrus-imapd-2.3.15/man/notifyd.8	2009-09-18 11:49:42.225115999 +0200
+@@ -111,6 +111,11 @@ Email the notification.  This method can
  Sieve 'notify' action as it requires a \fImailto:\fR URL to be
  specified as an \fI:option\fR.
  .TP
@@ -90,10 +90,10 @@ diff -Naur cyrus-imapd-2.3.7.orig/man/notifyd.8 cyrus-imapd-2.3.7/man/notifyd.8
  .B zephyr
  Send the notification as a zephyrgram.  If used in a Sieve 'notify'
  action, additional recipients can be specified as \fI:options\fR.
-diff -Naur cyrus-imapd-2.3.7.orig/notifyd/Makefile.in cyrus-imapd-2.3.7/notifyd/Makefile.in
---- cyrus-imapd-2.3.7.orig/notifyd/Makefile.in	2004-05-31 20:22:59.000000000 +0200
-+++ cyrus-imapd-2.3.7/notifyd/Makefile.in	2006-07-14 10:27:29.000000000 +0200
-@@ -82,7 +82,7 @@
+diff -up cyrus-imapd-2.3.15/notifyd/Makefile.in.notify_sms cyrus-imapd-2.3.15/notifyd/Makefile.in
+--- cyrus-imapd-2.3.15/notifyd/Makefile.in.notify_sms	2009-09-18 11:49:42.172115947 +0200
++++ cyrus-imapd-2.3.15/notifyd/Makefile.in	2009-09-18 11:49:42.225115999 +0200
+@@ -85,7 +85,7 @@ all: notifyd
  install:
  	$(INSTALL) -m 755 notifyd $(DESTDIR)$(service_path)
  
@@ -102,10 +102,10 @@ diff -Naur cyrus-imapd-2.3.7.orig/notifyd/Makefile.in cyrus-imapd-2.3.7/notifyd/
  
  notifytest: notifytest.o
  	$(CC) $(LDFLAGS) -o notifytest \
-diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notifyd.h cyrus-imapd-2.3.7/notifyd/notifyd.h
---- cyrus-imapd-2.3.7.orig/notifyd/notifyd.h	2003-02-13 21:15:48.000000000 +0100
-+++ cyrus-imapd-2.3.7/notifyd/notifyd.h	2006-07-14 10:27:29.000000000 +0200
-@@ -48,6 +48,7 @@
+diff -up cyrus-imapd-2.3.15/notifyd/notifyd.h.notify_sms cyrus-imapd-2.3.15/notifyd/notifyd.h
+--- cyrus-imapd-2.3.15/notifyd/notifyd.h.notify_sms	2008-03-24 20:59:32.000000000 +0100
++++ cyrus-imapd-2.3.15/notifyd/notifyd.h	2009-09-18 11:49:42.233116003 +0200
+@@ -47,6 +47,7 @@
  #include "notify_null.h"
  #include "notify_log.h"
  #include "notify_mailto.h"
@@ -113,7 +113,7 @@ diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notifyd.h cyrus-imapd-2.3.7/notifyd/no
  #include "notify_zephyr.h"
  
  /* Notify method dispatch table definition */
-@@ -64,6 +65,7 @@
+@@ -63,6 +64,7 @@ notifymethod_t methods[] = {
      { "null",	notify_null },		/* do nothing */
      { "log",	notify_log },		/* use syslog (for testing) */
      { "mailto",	notify_mailto },	/* send an email */
@@ -121,9 +121,9 @@ diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notifyd.h cyrus-imapd-2.3.7/notifyd/no
  #ifdef HAVE_ZEPHYR
      { "zephyr",	notify_zephyr },	/* send a zephyrgram */
  #endif
-diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notify_sms.c cyrus-imapd-2.3.7/notifyd/notify_sms.c
---- cyrus-imapd-2.3.7.orig/notifyd/notify_sms.c	1970-01-01 01:00:00.000000000 +0100
-+++ cyrus-imapd-2.3.7/notifyd/notify_sms.c	2006-07-14 10:29:10.000000000 +0200
+diff -up /dev/null cyrus-imapd-2.3.15/notifyd/notify_sms.c
+--- /dev/null	2009-09-11 15:21:01.808252010 +0200
++++ cyrus-imapd-2.3.15/notifyd/notify_sms.c	2009-09-18 11:49:42.233116003 +0200
 @@ -0,0 +1,116 @@
 +/* notify_sms.c -- SMS notification method
 + * Simon Matter
@@ -241,9 +241,9 @@ diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notify_sms.c cyrus-imapd-2.3.7/notifyd
 +
 +    return strdup("OK sms notification successful");
 +}
-diff -Naur cyrus-imapd-2.3.7.orig/notifyd/notify_sms.h cyrus-imapd-2.3.7/notifyd/notify_sms.h
---- cyrus-imapd-2.3.7.orig/notifyd/notify_sms.h	1970-01-01 01:00:00.000000000 +0100
-+++ cyrus-imapd-2.3.7/notifyd/notify_sms.h	2006-07-14 10:29:10.000000000 +0200
+diff -up /dev/null cyrus-imapd-2.3.15/notifyd/notify_sms.h
+--- /dev/null	2009-09-11 15:21:01.808252010 +0200
++++ cyrus-imapd-2.3.15/notifyd/notify_sms.h	2009-09-18 11:49:42.233116003 +0200
 @@ -0,0 +1,61 @@
 +/* notify_sms.h -- SMS notification method
 + * Simon Matter

cyrus-imapd.spec

@@ -1,6 +1,6 @@
 Name: cyrus-imapd
-Version: 2.3.14
-Release: 6%{?dist}
+Version: 2.3.15
+Release: 1%{?dist}
 
 # ********************** BUILD TIME OPTIONS START **********************
 
@@ -72,7 +72,6 @@ URL: http://cyrusimap.web.cmu.edu/
 #Vendor: Invoca Systems
 #Distribution: Invoca Linux Server
 Source0: ftp://ftp.andrew.cmu.edu/pub/cyrus/%{name}-%{version}.tar.gz
-#Source2: http://ftp.gnu.org/gnu/autoconf/autoconf-%{_acversion}.tar.gz
 Source3: cyrus-deliver-wrapper.c
 Source4: cyrus-user-procmailrc.template
 Source5: cyrus-imapd.logrotate
@@ -116,7 +115,7 @@ Patch15: cyrus-imapd-2.3.1-make_md5_defaults.patch
 Patch18: cyrus-imapd-2.3.7-krb4.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=461875
 Patch19: cyrus-imapd-2.3.12p2-current-db.patch
-Patch20: cyrus-imapd-2.3.13-bufov.patch
+Patch20: cyrus-imapd-2.3.15-bufov.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires: autoconf >= 2.59
 BuildRequires: cyrus-sasl-devel >= 2.1.15-1, perl-devel, tcp_wrappers
@@ -600,6 +599,7 @@ fi
 %{_cyrexecdir}/arbitronsort.pl
 %{_cyrexecdir}/chk_cyrus
 %{_cyrexecdir}/convert-sieve.pl
+%{_cyrexecdir}/cyr_df
 %{_cyrexecdir}/ctl_cyrusdb
 %{_cyrexecdir}/ctl_deliver
 %{_cyrexecdir}/ctl_mboxlist
@@ -731,7 +731,10 @@ fi
 %{_mandir}/man1/*
 
 %changelog
-* Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.14-6
+* Fri Sep 18 2009 Michal Hlavinka <mhlavink@redhat.com> - 2.3.15-1
+- fix buffer overflow in cyrus sieve (CVE-2009-3235)
+
+-* Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.14-6
 - use password-auth common PAM configuration instead of system-auth
 
 * Mon Sep 07 2009 Michal Hlavinka <mhlavink@redhat.com> - 2.3.14-5