[LWN Logo]

Date:         Mon, 24 Apr 2000 15:46:35 -0700
From: FreeBSD Security Officer <security-officer@FREEBSD.ORG>
Subject:      FreeBSD Security Advisory: FreeBSD-SA-00:15.imap-uw
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:15                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		imap-uw allows local users to deny service to any mailbox

Category:       ports
Module:         imap-uw
Announced:      2000-04-24
Credits:	Alex Mottram <alex@NET-CONNECT.NET> via BugTraq
Affects:        Ports collection.
Corrected:      See below.
Vendor status:	Notified.
FreeBSD only:   NO

I.   Background

imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
of Washington.

II.  Problem Description

The imap-uw port supplies a "libc-client" library which provides
various functionality common to mail servers. The algorithm used for
locking of mailbox files contains a weakness which allows an
unprivileged local user to lock an arbitrary local mailbox.

In the case of POP2/POP3 servers, this means that the mailbox will not
be able to be accessed at all by the owner. In the case of IMAP4
servers, the folder can be opened for reading, but not writing
(i.e. can only be accessed read-only).

Note that this is a different vulnerability than that described in
FreeBSD Security Advisory 00:14, and affects all imap-uw servers which
provide shell-level access to users. However note that by virtue of
advisory 00:14, all users who can access their mail remotely via imap
can acquire such access even without explicit shell login access.

The imap-uw port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3200 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A user who has, or who can obtain (see advisory 00:14) shell access to
the mail server can prevent an arbitrary mailbox from being opened via
pop2/pop3, or can force the mailbox to be only opened read-only via
imap.

If you have not chosen to install the imap-uw port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the imap-uw port/package, if you you have installed it.

2) Consider using another POP2/POP3 server if you do not require IMAP
functionality. See the notes regarding alternative IMAP servers in
FreeBSD Security Advisory 00:14.

V.   Solution

No patch is currently available. It is encumbent on the imap-uw
developers to redesign the mailbox locking scheme to provide a secure
locking mechanism which is not vulnerable to local denial-of-service
attacks.

This advisory will be updated once the known vulnerabilities in
imap-uw have been addressed.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOQTN8FUuHi5z0oilAQH58gP+JtkvDh4EFR13jGKxb6PERkt9x6Cpy+DY
1P56XODBiK4tnbTjdke2JLLNUHpSYtN23h8zt1DtnlxnxunQa8Y6fhptbpgHUWAu
ZIJlLLnl0iQcjj3Lqwz2E2BaFsyZxlVSGQnD/EmI+tyZcY+oTYbomCgi1RW3kbn+
fmNJXmwTXCg=
=TwTN
-----END PGP SIGNATURE-----