To: doc-jp@jp.freebsd.org
Date: Sun, 14 May 2000 21:02:39 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 7375] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:14.imap-uw

Hiroki Sato <hrs@geocities.co.jp>:
>  Here is the translation of 00:14.

$B$Q$A$Q$A$Q$A!y(B
> =============================================================================
> FreeBSD-SA-00:14                                           Security Advisory
> II.  Details of the Problem - Problem Description
> 
> There are numerous buffer overflows available to an imap user after
> they have successfully logged into their mail account
> (i.e. authenticated themselves by giving the correct password,
> etc).
> For users who have logged in to the IMAP server (that is, who have been
> authenticated by presenting the correct password, etc.), there are a very
> large number of buffer flow problems (バッファフロー問題).

That should be バッファオーバフロー (buffer overflow). The same applies below.
Nobody ever says 「バッファフロー問題」 ("buffer flow problem").

> Once the user logs in, imapd has dropped root privileges and is
> running as the user ID of the mail account which has been logged into,
> so the buffer overflow can only allow code to be executed as that
> user.
> When a user logs in, imapd disables root privileges and runs with the
> privileges of the logged-in user.  Therefore, if this buffer flow problem
> is abused, it is possible to execute code with that user's privileges.

$B$3$3$G$O(B only $B$H$$$&$3$H$r0lHV8@$$$?$$$s$8$c$J$$$+$H;W$&$N$G$9$,!"$3$l(B
$B$,>C$($F$$$^$9!#(B

> Thus, the vulnerability is only relevant on a "closed" mail server,
> i.e. one which does not normally allow interactive logins by mail
> users.
> Therefore, this security weakness is a problem only on a "closed" (「閉じた」)
> mail server.  A "closed" mail server is, as a rule, one that does not
> permit interactive logins by users who use mail (原則的に…ものです).

This part explains what "closed" (「閉じた」) means, but writing
「原則的に…ものです」 ("is, as a rule, one that ...") does not read much like an
explanation. Perhaps something like 「…ものを指します」 ("refers to one that ...")
would be better?

> V.   Corrective Action - Solution
> 
> Unfortunately the vulnerabilities in imapd are quite extensive and no
> patch is currently available to address them.
> Unfortunately, this security weakness in imapd is spread over a wide range
> (広い範囲に広がっており), and no patch to fix them is available at present.

「広い範囲に広がっており」 ("spread over a wide range") is not quite right.
----
$B$3$,$h$&$$$A$m$&(B
