CVE-2009-3235

2009-09-1700:00:00

ubuntu.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.019 Low

EPSS

Percentile

88.4%

JSON

Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0
before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted SIEVE script, as demonstrated
by forwarding an e-mail message to a large number of recipients, a
different vulnerability than CVE-2009-2632.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547947 (cyrus-imapd)>

Notes

Author	Note
mdeslaur	version specified is of dovecot-sieve, not of the dovecot itself although code is present in dapper’s dovecot, we don’t compile the sieve plugin

OSVersionArchitecturePackageVersionFilename
ubuntu9.04noarchcyrus-imapd-2.2< 2.2.13-14ubuntu3.1UNKNOWN
ubuntu8.04noarchdovecot< 1:1.0.10-1ubuntu5.2UNKNOWN
ubuntu8.10noarchdovecot< 1:1.1.4-0ubuntu1.3UNKNOWN
ubuntu9.04noarchdovecot< 1:1.1.11-0ubuntu4.1UNKNOWN
ubuntu9.10noarchdovecot< 1:1.1.11-0ubuntu9UNKNOWN
ubuntu10.04noarchdovecot< 1:1.1.11-0ubuntu9UNKNOWN
ubuntu10.10noarchdovecot< 1:1.1.11-0ubuntu9UNKNOWN
ubuntu11.04noarchdovecot< 1:1.1.11-0ubuntu9UNKNOWN
ubuntu11.10noarchdovecot< 1:1.1.11-0ubuntu9UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	9.04	noarch	cyrus-imapd-2.2	< 2.2.13-14ubuntu3.1	UNKNOWN
ubuntu	8.04	noarch	dovecot	< 1:1.0.10-1ubuntu5.2	UNKNOWN
ubuntu	8.10	noarch	dovecot	< 1:1.1.4-0ubuntu1.3	UNKNOWN
ubuntu	9.04	noarch	dovecot	< 1:1.1.11-0ubuntu4.1	UNKNOWN
ubuntu	9.10	noarch	dovecot	< 1:1.1.11-0ubuntu9	UNKNOWN
ubuntu	10.04	noarch	dovecot	< 1:1.1.11-0ubuntu9	UNKNOWN
ubuntu	10.10	noarch	dovecot	< 1:1.1.11-0ubuntu9	UNKNOWN
ubuntu	11.04	noarch	dovecot	< 1:1.1.11-0ubuntu9	UNKNOWN
ubuntu	11.10	noarch	dovecot	< 1:1.1.11-0ubuntu9	UNKNOWN