Bug 170521

Summary: libc-client may allow execution of arbitrary code (CAN-2005-2933)
Product: Fedora
Reporter: Michal Jaegermann <michal>
Component: libc-client
Assignee: Joe Orton <jorton>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: 4
CC: rdieter
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-12-01 19:05:50 UTC

Attachments:
patch to check quoting boundaries in mail.c

Description Michal Jaegermann 2005-10-12 15:38:23 UTC
Description of problem:

Quoting a corresponding Gentoo advisory GLSA 200510-10: "Improper bounds 
checking of user supplied data while parsing IMAP mailbox names can lead to
overflowing the stack buffer". See:
http://www.linuxsecurity.com/content/view/120575
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933

It looks like the attached patch is needed.

The issue will really affect not only FC4 but all distributions which use
libc-client and/or imap-2002e code.

Version-Release number of selected component (if applicable):
libc-client-2002e-9
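
The advisory quoted above describes a fixed stack buffer being overrun while a quoted IMAP mailbox name is parsed. The block below is an added illustration written for this page; it is not the c-client mail.c code and not the attached patch. It shows the defensive pattern such a fix needs: a parser for an IMAP quoted string that stops and reports failure as soon as the name would no longer fit in its destination buffer, instead of writing past it. MAILBOX_MAX, parse_quoted_mailbox, mailbox_name_ok, parse_into and overlong_mailbox are names chosen here, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small fixed buffer size for illustration. */
#define MAILBOX_MAX 64

/* Copy a quoted IMAP string ("...") into dst, honouring backslash escapes
 * for '"' and '\'. Returns the number of bytes written (excluding the NUL),
 * or -1 when the input is malformed (no opening quote, unterminated, bad
 * escape) or when the name plus its NUL would not fit in dstlen bytes.
 * The bounds check happens before every store, so dst is never overrun. */
int parse_quoted_mailbox(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0 || *src != '"') return -1;
    src++;
    while (*src && *src != '"') {
        char c = *src++;
        if (c == '\\') {                  /* escaped quote or backslash */
            if (*src != '"' && *src != '\\') return -1;
            c = *src++;
        }
        if (n + 1 >= dstlen) return -1;   /* leave room for the terminator */
        dst[n++] = c;
    }
    if (*src != '"') return -1;           /* unterminated quoted string */
    dst[n] = '\0';
    return (int)n;
}

/* Validate a client-supplied mailbox token against a fixed stack buffer of
 * the kind the advisory describes; 1 if it parses and fits, 0 otherwise. */
int mailbox_name_ok(const char *token)
{
    char buf[MAILBOX_MAX];
    return parse_quoted_mailbox(token, buf, sizeof buf) >= 0;
}

/* Parse src into a buffer limited to dstlen bytes and return the parser's
 * result; when expected is non-NULL the decoded name must match it (-3 if
 * not). dstlen above MAILBOX_MAX is rejected with -2. */
int parse_into(const char *src, size_t dstlen, const char *expected)
{
    char buf[MAILBOX_MAX];
    int r;
    if (dstlen > sizeof buf) return -2;
    r = parse_quoted_mailbox(src, buf, dstlen);
    if (r >= 0 && expected && strcmp(buf, expected) != 0) return -3;
    return r;
}

/* Constructed sample: a quoted name longer than MAILBOX_MAX. */
static char overlong[MAILBOX_MAX + 16];
const char *overlong_mailbox(void)
{
    overlong[0] = '"';
    memset(overlong + 1, 'A', sizeof overlong - 3);
    overlong[sizeof overlong - 2] = '"';
    overlong[sizeof overlong - 1] = '\0';
    return overlong;
}

int main(void)
{
    printf("\"INBOX\"      -> %d\n", mailbox_name_ok("\"INBOX\""));
    printf("\"a\\\"b\"       -> %d\n", mailbox_name_ok("\"a\\\"b\""));
    printf("unterminated -> %d\n", mailbox_name_ok("\"INBOX"));
    printf("overlong     -> %d\n", mailbox_name_ok(overlong_mailbox()));
    return 0;
}
```

The point of the check `n + 1 >= dstlen` is that it runs before each byte is stored and accounts for the terminating NUL; a parser that only checks after the loop, or that trusts the length of the incoming token, is exactly the shape of defect the advisory describes.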

Comment 1 Michal Jaegermann 2005-10-12 15:38:23 UTC
Created attachment 119841 [details]
patch to check quoting boundaries in mail.c

Comment 2 Joe Orton 2005-10-13 12:15:14 UTC
I'm not sure that this has security implications for libc-client.

The bug appears to be triggered by an attacker supplying a malformed mailbox
name to the IMAP server.

Comment 3 Michal Jaegermann 2005-10-13 15:57:07 UTC
> I'm not sure that this has security implications for libc-client.

Well, I am not sure either and that is why I wrote "may allow" in the subject.
OTOH a description says "C-client is a common API for accessing mailboxes".
This is used at least by 'php-imap' where various things can be built with
that, and a description claims 'pine', and who knows in what else way this
may be put, or was put, to use somewhere. We do deal here with user
supplied data and a library whose uses you do not control.

I do not have an example of an attack but trying to analyse and _predict_
all possible attack paths here seems to be rather not a cost-effective
exercise vis-a-vis a simple and "obviously correct" patch.

Not to mention the effects of this hole where imap-2002 may be directly
used in still supported distros, if any (early RHEL?).

Comment 4 Michal Jaegermann 2005-10-27 00:34:52 UTC
See http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:194
The only difference is that AFAICS imap.so from php-imap in FC is
dynamically linked to libc-client.so so fixing that library, and restarting
apache, should be enough.

How this is for other distributions from Red Hat I do not know.

Comment 5 Michal Jaegermann 2005-12-01 19:05:50 UTC

*** This bug has been marked as a duplicate of 171345 ***