Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."

The Courier set of mail services use a common Unicode library. This library contains buffer overflows in the converters for two popular Japanese character encodings. These overflows may be remotely exploitable, triggered by a maliciously formatted email message that is later processed by one of the Courier mail services. From the release notes for the corrected versions of the Courier set of mail services :

iso2022jp.c: Converters became (upper-)compatible with ISO-2022-JP (RFC1468 / JIS X 0208:1997 Annex 2) and ISO-2022-JP-1 (RFC2237).
Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.

shiftjis.c: Broken SHIFT_JIS converters has been fixed and became (upper-)compatible with Shifted Encoding Method (JIS X 0208:1997 Annex 1). Buffer overflow vulnerability (when Unicode character is out of BMP range) has been closed. Convert error handling was implemented.

The remote host is affected by the vulnerability described in GLSA-200403-06 (Multiple remote buffer overflow vulnerabilities in Courier)

    The vulnerabilities have been found in the 'SHIFT_JIS' converter in     'shiftjis.c' and 'ISO2022JP' converter in 'so2022jp.c'. An attacker may     supply Unicode characters that exceed BMP (Basic Multilingual Plane) range,     causing an overflow.
  Impact :

    An attacker without privileges may exploit this vulnerability remotely, allowing arbitrary code to be executed in order to gain unauthorized access.
  Workaround :

    While a workaround is not currently known for this issue, all users are     advised to upgrade to the latest version of the affected packages.

The remote mail server is the Courier-IMAP imap server.  Versions of Courier-IMAP prior to 3.0.7 are prone to a remote buffer overflow and a remote format string vulnerability.

The remote mail server is the Courier MTA.  There is a buffer overflow in the Japanese codeset conversion functions of this software that may allow an attacker to execute arbitrary code on this host.

According to its version number, the version of Courier MTA running on the remote host has multiple buffer overflow vulnerabilities.  A remote attacker could exploit this to crash the service, or possibly execute arbitrary code.

ID	Name	Product	Family	Severity
19044	FreeBSD : Courier mail services: remotely exploitable buffer overflows (98bd69c3-834b-11d8-a41f-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
14457	GLSA-200403-06 : Multiple remote buffer overflow vulnerabilities in Courier	Nessus	Gentoo Local Security Checks	high
1210	Courier IMAP Server < 3.0.7 Multiple Vulnerabilities	Nessus Network Monitor	IMAP Servers	high
1206	Courier < 0.45 Japanese Codeset Conversion Overflows	Nessus Network Monitor	SMTP Servers	critical
12102	Courier < 0.45 Multiple Remote Overflows	Nessus	SMTP problems	critical

Detections

Analytics

CVE-2004-0224

critical

Tenable Plugins

high

high

high

critical

critical