FreeBSD : Cyrus IMAPd -- APPEND command uses undefined programming construct (31952117-3d17-11d9-8818-008088034841)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

To support the MULTIAPPEND extension, the cmd_append handler uses the global
stage array. This array is one of the things that gets destructed when the
fatal() function is triggered. When the Cyrus IMAP code adds a new entry to
this array, it does so with the postfix increment operator in combination
with a memory allocation function, the increment being applied to a global
variable (numstage) that counts the number of allocated stages. Because the
memory allocation function can fail and therefore call fatal() internally,
this construct has no defined evaluation order according to ANSI C: it is
not specified whether the numstage counter has already been increased when
fatal() is called. Older gcc versions increase the counter after the memory
allocation function has returned, but newer gcc versions (3.x) increase it
before the call. In that case the stage destructor will try to free an
uninitialised, possibly attacker-influenced pointer, which could in turn
lead to remote code execution. (Because it is hard for an attacker to make
the memory allocation functions fail at the right moment, no PoC code for
this problem was developed.)
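The construct described above, reduced to a stand-alone illustration. This is added example code, not the Cyrus IMAPd source: the names stage, numstage, fatal() and xmalloc() follow the advisory's description, while the fixed-size array, the GARBAGE marker, the allocation-failure hook and the setjmp/longjmp scaffolding (a real fatal() exits the process) are assumptions made so the ordering hazard can be observed without actually freeing a bogus pointer.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the Cyrus staging array; not the project's code. */
#define MAXSTAGE 8

static void *stage[MAXSTAGE];   /* global staging array, walked by fatal() */
static int   numstage;          /* number of entries believed to be live */

static char  garbage_obj;       /* models stale / attacker-influenced memory */
#define GARBAGE ((void *)&garbage_obj)

static int     fail_next_alloc; /* test hook (assumption): next xmalloc() fails */
static int     freed_uninit;    /* set when fatal() reaches a never-assigned slot */
static jmp_buf fatal_env;       /* demo scaffolding: real fatal() would exit() */

/* Fill the array with "uninitialised" contents so a premature free is visible. */
static void reset_stage(void)
{
    int i;
    for (i = 0; i < MAXSTAGE; i++)
        stage[i] = GARBAGE;
    numstage = 0;
    freed_uninit = 0;
}

/* Destructor run on fatal errors: releases every entry below numstage. */
static void fatal(const char *msg)
{
    int i;
    (void)msg;
    for (i = 0; i < numstage; i++) {
        if (stage[i] == GARBAGE)
            freed_uninit = 1;   /* the real code would free() garbage here */
        else
            free(stage[i]);
        stage[i] = GARBAGE;
    }
    numstage = 0;
    longjmp(fatal_env, 1);
}

/* Allocation wrapper that never returns NULL: failure goes to fatal(). */
static void *xmalloc(size_t n)
{
    void *p = fail_next_alloc ? NULL : malloc(n);
    fail_next_alloc = 0;
    if (p == NULL)
        fatal("out of memory");
    return p;
}

/*
 * Vulnerable shape: the side effect on numstage and the call that may
 * invoke fatal() sit in one expression, so the compiler decides whether
 * the global is incremented before or after the call. 0 = ok, -1 = fatal.
 */
static int append_stage_unsafe(void)
{
    if (setjmp(fatal_env))
        return -1;
    stage[numstage++] = xmalloc(64);
    return 0;
}

/* Fixed shape: the counter is only advanced once the pointer is valid. */
static int append_stage_safe(void)
{
    if (setjmp(fatal_env))
        return -1;
    stage[numstage] = xmalloc(64);
    numstage++;
    return 0;
}

/*
 * Probes: force the allocation to fail and report whether fatal() saw the
 * incremented counter (1) or not (0). For the unsafe shape the answer is
 * whatever order this compiler chose; the safe shape always yields 0.
 */
static int unsafe_frees_uninit_slot(void)
{
    reset_stage();
    fail_next_alloc = 1;
    (void)append_stage_unsafe();
    return freed_uninit;
}

static int safe_frees_uninit_slot(void)
{
    reset_stage();
    fail_next_alloc = 1;
    (void)append_stage_safe();
    return freed_uninit;
}

int main(void)
{
    printf("unsafe: fatal() reached uninitialised slot = %d\n", unsafe_frees_uninit_slot());
    printf("safe:   fatal() reached uninitialised slot = %d\n", safe_frees_uninit_slot());
    return 0;
}
```

Build it with two different compilers (or optimisation levels) and compare the first line of output: a 1 reproduces the gcc 3.x ordering the advisory describes, a 0 the older ordering. The second line is 0 regardless, because the only side effect on numstage is sequenced after xmalloc() has returned.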

See also :

http://www.nessus.org/u?25075052
http://www.nessus.org/u?cb1bba45

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 18893 (freebsd_pkg_319521173d1711d98818008088034841.nasl)

Bugtraq ID:

CVE ID:
