FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Cyrus IMAP pre-authentication heap overflow vulnerability

Affected packages
cyrus-imapd < 2.0.17
2.1 <= cyrus-imapd < 2.1.11


VuXML ID 35f6fdf8-a425-11d8-9c6d-0020ed76ef5a
Discovery 2002-12-02
Entry 2004-05-12
Modified 2004-06-27

In December 2002, Timo Sirainen reported:

"Cyrus IMAP server has a remotely exploitable pre-login buffer overflow. [...] Note that you don't have to log in before exploiting this, and since Cyrus runs everything under one UID, it's possible to read every user's mail in the system."

It is unknown whether this vulnerability is exploitable for code execution on FreeBSD systems.


Bugtraq ID 6298
CERT/CC Vulnerability Note 740169
CVE Name CVE-2002-1580