CVE-2009-2632

EUVD-2009-2626
Buffer overflow in the SIEVE script component (sieve/script.c), as used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.4 UNKNOWN | LOCAL | MEDIUM | | AV:L/AC:M/Au:N/C:P/I:P/A:P |
EPSS Score percentile: 32%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| cmu | cyrus_imap_server | 2.2.13 |
| cmu | cyrus_imap_server | 2.3.14 |
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dovecot | bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u1 | fixed |
| dovecot | bookworm (security) | 1:2.3.19.1+dfsg1-2.1+deb12u1 | fixed |
| dovecot | bullseye | 1:2.3.13+dfsg1-2+deb11u1 | fixed |
| dovecot | bullseye (security) | 1:2.3.13+dfsg1-2+deb11u2 | fixed |
| dovecot | sid | 1:2.3.21.1+dfsg1-1 | fixed |
| dovecot | trixie | 1:2.3.21.1+dfsg1-1 | fixed |
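Ubuntu Releases

| Ubuntu Product | Codename | Fixed version | Status |
|---|---|---|---|
| cyrus-imapd-2.2 | dapper | | ignored |
| cyrus-imapd-2.2 | hardy | | ignored |
| cyrus-imapd-2.2 | intrepid | | ignored |
| cyrus-imapd-2.2 | jaunty | 2.2.13-14ubuntu3.1 | released |
| cyrus-imapd-2.2 | karmic | | not-affected |
| cyrus-imapd-2.2 | lucid | | not-affected |
| cyrus-imapd-2.2 | maverick | | not-affected |
| cyrus-imapd-2.2 | natty | | not-affected |
| cyrus-imapd-2.2 | oneiric | | not-affected |
| dovecot | dapper | | not-affected |
| dovecot | hardy | 1:1.0.10-1ubuntu5.2 | released |
| dovecot | intrepid | 1:1.1.4-0ubuntu1.3 | released |
| dovecot | jaunty | 1:1.1.11-0ubuntu4.1 | released |
| dovecot | karmic | 1:1.1.11-0ubuntu9 | released |
| dovecot | lucid | 1:1.1.11-0ubuntu9 | released |
| dovecot | maverick | 1:1.1.11-0ubuntu9 | released |
| dovecot | natty | 1:1.1.11-0ubuntu9 | released |
| dovecot | oneiric | 1:1.1.11-0ubuntu9 | released |
| kolab-cyrus-imapd | dapper | | ignored |
| kolab-cyrus-imapd | hardy | | ignored |
| kolab-cyrus-imapd | intrepid | | ignored |
| kolab-cyrus-imapd | jaunty | | ignored |
| kolab-cyrus-imapd | karmic | | ignored |
| kolab-cyrus-imapd | lucid | | not-affected |
| kolab-cyrus-imapd | maverick | | not-affected |
| kolab-cyrus-imapd | natty | | not-affected |
| kolab-cyrus-imapd | oneiric | | not-affected |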
References