The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows a user to perform certain mail
functions on a remote server rather than on a local computer.

Timo Sirainen discovered[1] a remotely exploitable pre-login buffer
overflow in Cyrus imapd. The problem resides in the way memory is managed
(an integer overflow can cause less memory than needed to be allocated).
This vulnerability[2] may be exploited prior to authentication to the IMAP
server and could allow a remote attacker to read other users' mail and to
execute arbitrary code with the privileges of the user running the IMAP
server (Conectiva Linux has a special unprivileged user called 'cyrus'
responsible for that).
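
The bug class described above (an integer overflow that makes an allocation smaller than the data later written into it) and the check that prevents it, as an added example; this is not Cyrus imapd code. The function names, the 2-byte OVERHEAD and the PRELOGIN_MAX cap are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define OVERHEAD     2u     /* assumed: extra bytes added to each request */
#define PRELOGIN_MAX 4096u  /* assumed: policy cap before authentication  */

/* Unsafe pattern: 32-bit unsigned addition wraps for len near UINT32_MAX,
   so the size handed to the allocator is far smaller than len. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + OVERHEAD;
}

/* Checked form: refuse the length before any arithmetic can wrap.
   Returns 0 and stores the size, or -1 if the request is rejected. */
int alloc_size_checked(uint32_t len, int authenticated, size_t *out)
{
    if (len > UINT32_MAX - OVERHEAD)
        return -1;                      /* len + OVERHEAD would wrap */
    if (!authenticated && len > PRELOGIN_MAX)
        return -1;                      /* unauthenticated peers get a small cap */
    *out = (size_t)len + OVERHEAD;
    return 0;
}

/* Parse a client-supplied decimal length; digits only, must fit in 32 bits. */
int parse_len(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;
    if (*s < '0' || *s > '9')
        return -1;                      /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Allocate a zeroed buffer for a length field received from the network. */
char *alloc_for_client(const char *len_field, int authenticated)
{
    uint32_t len;
    size_t size;
    if (parse_len(len_field, &len) != 0) return NULL;
    if (alloc_size_checked(len, authenticated, &size) != 0) return NULL;
    return calloc(1, size);
}
```

With the unchecked form, a length of 4294967295 yields an allocation size of 1; the checked form rejects it outright.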