CVE-2008-5005
Severity CVSS v4.0:
Pending analysis
Type:
CWE-119
Buffer Errors
Publication date:
10/11/2008
Last modified:
09/04/2025
Description
Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.
Impact
Base Score 2.0
10.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:university_of_washington:alpine:0.80:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.81:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.82:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.83:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.98:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.99:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.999:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.9999:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.99999:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:0.999999:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:1.00:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:1.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:alpine:2.00:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:imap_toolkit:2002:*:*:*:*:*:*:* | ||
| cpe:2.3:a:university_of_washington:imap_toolkit:2003:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html
- http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html
- http://marc.info/?l=full-disclosure&m=122572590212610&w=4
- http://panda.com/imap/
- http://rhn.redhat.com/errata/RHSA-2009-0275.html
- http://secunia.com/advisories/32483
- http://secunia.com/advisories/32512
- http://secunia.com/advisories/33142
- http://secunia.com/advisories/33996
- http://securityreason.com/securityalert/4570
- http://securitytracker.com/id?1021131=
- http://support.avaya.com/elmodocs2/security/ASA-2009-065.htm
- http://www.bitsec.com/en/rad/bsa-081103.c
- http://www.bitsec.com/en/rad/bsa-081103.txt
- http://www.debian.org/security/2008/dsa-1685
- http://www.mandriva.com/security/advisories?name=MDVSA-2009%3A146
- http://www.openwall.com/lists/oss-security/2008/11/03/3
- http://www.openwall.com/lists/oss-security/2008/11/03/4
- http://www.openwall.com/lists/oss-security/2008/11/03/5
- http://www.securityfocus.com/archive/1/498002/100/0/threaded
- http://www.securityfocus.com/bid/32072
- http://www.vupen.com/english/advisories/2008/3042
- http://www.washington.edu/alpine/tmailbug.html
- https://bugzilla.redhat.com/show_bug.cgi?id=469667
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46281
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10485
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00058.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00082.html
- http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002267.html
- http://mailman2.u.washington.edu/pipermail/imap-uw/2008-October/002268.html
- http://marc.info/?l=full-disclosure&m=122572590212610&w=4
- http://panda.com/imap/
- http://rhn.redhat.com/errata/RHSA-2009-0275.html
- http://secunia.com/advisories/32483
- http://secunia.com/advisories/32512
- http://secunia.com/advisories/33142
- http://secunia.com/advisories/33996
- http://securityreason.com/securityalert/4570
- http://securitytracker.com/id?1021131=
- http://support.avaya.com/elmodocs2/security/ASA-2009-065.htm
- http://www.bitsec.com/en/rad/bsa-081103.c
- http://www.bitsec.com/en/rad/bsa-081103.txt
- http://www.debian.org/security/2008/dsa-1685
- http://www.mandriva.com/security/advisories?name=MDVSA-2009%3A146
- http://www.openwall.com/lists/oss-security/2008/11/03/3
- http://www.openwall.com/lists/oss-security/2008/11/03/4
- http://www.openwall.com/lists/oss-security/2008/11/03/5
- http://www.securityfocus.com/archive/1/498002/100/0/threaded
- http://www.securityfocus.com/bid/32072
- http://www.vupen.com/english/advisories/2008/3042
- http://www.washington.edu/alpine/tmailbug.html
- https://bugzilla.redhat.com/show_bug.cgi?id=469667
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46281
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10485
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00058.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00082.html