CVE-2009-2632
NONE EPSS 38.1%
Published Sep 8, 2009 (16y ago)
Last Modified Jun 16, 2026 (2w ago)
Description
Buffer overflow in the SIEVE script component (sieve/script.c), as used in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14, and Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error.
Threat Intelligence
EPSS Exploit Probability
38.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (Memory Safety)
Affected Products 2
References 22
- dovecot.org http://dovecot.org/list/dovecot-news/2009-September/000135.html
- lists.apple.com http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- secunia.com http://secunia.com/advisories/36629
- secunia.com http://secunia.com/advisories/36632
- secunia.com http://secunia.com/advisories/36698
- secunia.com http://secunia.com/advisories/36713
- secunia.com http://secunia.com/advisories/36904
- support.apple.com http://support.apple.com/kb/HT4077
- debian.org http://www.debian.org/security/2009/dsa-1881
- openwall.com http://www.openwall.com/lists/oss-security/2009/09/14/3
- osvdb.org http://www.osvdb.org/58103
- securityfocus.com http://www.securityfocus.com/bid/36296
- securityfocus.com http://www.securityfocus.com/bid/36377
- ubuntu.com http://www.ubuntu.com/usn/USN-838-1
- vupen.com http://www.vupen.com/english/advisories/2009/2559
- vupen.com http://www.vupen.com/english/advisories/2009/2641
- bugzilla.andrew.cmu.edu https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.62&r2=1.62.2.1&only_with_tag=cyrus-imapd-2_2-tail
- lists.andrew.cmu.edu https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
- lists.andrew.cmu.edu https://lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001254.html
- oval.cisecurity.org https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10082
- redhat.com https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html
Remediation
- debian.org http://www.debian.org/security/2009/dsa-1881
- securityfocus.com http://www.securityfocus.com/bid/36296
- vupen.com http://www.vupen.com/english/advisories/2009/2559