Stefan Esser discovered several buffer overflows in the Cyrus IMAP server. Due to insufficient checking within the argument parser of the “partial” and “fetch” commands, an argument like “body[p” was detected as “body.peek”. This could cause a buffer overflow which could be exploited to execute arbitrary attacker-supplied code.
This update also fixes an exploitable buffer overflow that could be triggered in situations when memory allocation fails (i. e. when no free memory is available any more).
Both vulnerabilities can lead to privilege escalation to root.