cyrus-sasl pop3 buffer overflow
Jason L Tibbitts III
tibbs at math.uh.edu
Mon May 22 14:17:58 UTC 2006
>>>>> "JB" == Josh Bressers <bressers at redhat.com> writes:

JB> The popsubfolders option seems to have been added after 2.3, FC5
JB> may be affected.

Yes, I think so. The cyrus-imapd package is weird; CVS devel "branch"
has an older version, while the built rawhide tree has the ".fc5"
tagged version.

Inspection of the code seems to indicate that 2.3.1 is indeed
vulnerable; the responsible code in imap/pop3d.c seems to be unchanged
between 2.3.1 and 2.3.2 (and 2.3.3, the latest version, so we'll have
to dig up a patch).

- J<