Bug 452808 (CVE-2008-2829)

Summary: CVE-2008-2829 php: ext/imap legacy routine buffer overflow
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: fedora, jorton, rpm
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2829
Doc Type: Bug Fix
Last Closed: 2009-05-31 11:22:10 UTC

Description Tomas Hoger 2008-06-25 08:04:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2829 to the following vulnerability:

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.

References:
http://bugs.php.net/bug.php?id=42862
https://bugs.gentoo.org/show_bug.cgi?id=221969
http://www.openwall.com/lists/oss-security/2008/06/19/6

Comment 1 Joe Orton 2008-07-24 10:40:46 UTC
The situation seems to be this:

The "legacy" function rfc822_write_address in the uw-imap c-client library is
used by the PHP "imap" extension to format lists of addresses.  The function
will be used in the simple path of reading and parsing the contents of a mailbox
from an IMAP server.  This becomes relevant to security because the lists of
addresses in question are the To, From, Cc, etc headers; under the control of
the people sending you mail.

This function historically did not take account of buffer overflow, nor does the
API provide an opportunity to avoid or detect buffer overflow.  So, the PHP imap
extension was changed to:

1) calculate the buffer size that would be needed by rfc822_write_address, and
2) either allocate a buffer large enough, or fail/ignore the address if
exceeding a fixed-size stack buffer limit

There have been PHP errata over the years introducing/correcting these changes in
RHEL, see e.g. bug 174999.

At some point, uw-imap libc-client was changed so that the
rfc822_write_address() would now abort() if an arbitrary fixed size limit is
passed - 16K characters.  When this occurs with PHP, no buffer overflow would
(should!) have occurred in the case that abort() is called, because PHP takes
care to avoid that as explained above.  But it presents an effective DoS; people
who send you carefully crafted e-mails can deny you access to your webmail,
reduce Apache performance by terminating processes prematurely, etc.

The issue here doesn't affect RHEL[23] because we don't ship the newer versions
of c-client which arbitrarily call abort().  Fedora does ship the newer
versions, however.


Comment 2 Joe Orton 2008-07-24 10:41:51 UTC
The issue here doesn't affect RHEL[2345], that comment should have read, sorry.

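The two-step mitigation described in comment 1 (predict the output size, then either allocate that much or refuse the header), shown as an added C example that is not part of this bug report, of PHP's ext/imap, or of c-client. The legacy formatter below is a stand-in written for the example: like rfc822_write_address() it takes only a destination pointer and no length, so the caller has to bound the output itself. The address struct, the sample addresses and the 16384-byte cap are assumptions, the cap chosen to mirror the 16K figure in the comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parsed address (personal name, mailbox, host),
 * linked into a list the way an IMAP client hands back a To:/Cc: header. */
struct address {
    const char *personal;
    const char *mailbox;
    const char *host;
    const struct address *next;
};

/* Stand-in for the legacy formatter: it gets a destination pointer and no
 * length, and writes "Personal <mailbox@host>" entries separated by ", ".
 * sprintf() here is unbounded on purpose; this mirrors the API shape that
 * makes rfc822_write_address() unsafe, not c-client's actual code. */
static void legacy_write_address(char *dest, const struct address *a)
{
    char *p = dest;
    int first = 1;
    for (; a; a = a->next) {
        if (!first) p += sprintf(p, ", ");
        first = 0;
        if (a->personal && *a->personal)
            p += sprintf(p, "%s <%s@%s>", a->personal, a->mailbox, a->host);
        else
            p += sprintf(p, "%s@%s", a->mailbox, a->host);
    }
    *p = '\0';
}

/* Step 1: predict exactly how many bytes the legacy routine will emit
 * (excluding the terminating NUL) by mirroring its formatting rules. */
static size_t address_list_length(const struct address *a)
{
    size_t len = 0;
    int first = 1;
    for (; a; a = a->next) {
        if (!first) len += 2;                          /* ", " */
        first = 0;
        if (a->personal && *a->personal)
            len += strlen(a->personal) + 2 + strlen(a->mailbox) + 1 + strlen(a->host) + 1;
        else
            len += strlen(a->mailbox) + 1 + strlen(a->host);
    }
    return len;
}

/* Assumed cap, chosen to match the 16K figure in the comment above. */
#define ADDRESS_LIST_LIMIT 16384

/* Step 2: allocate a buffer of the predicted size, or refuse the header when
 * it exceeds the cap. Either way sender-controlled input can no longer write
 * past the end of a fixed buffer. Returns NULL when the list is rejected. */
static char *safe_write_address(const struct address *a)
{
    size_t needed = address_list_length(a);
    if (needed >= ADDRESS_LIST_LIMIT)
        return NULL;                         /* skip the header, don't crash */
    char *buf = malloc(needed + 1);
    if (!buf)
        return NULL;
    legacy_write_address(buf, a);
    return buf;
}

/* Chain n copies of tmpl and format them through the safe path; this is how
 * an oversized header from a hostile sender hits the limit. */
static char *format_repeated(const struct address *tmpl, size_t n)
{
    struct address *nodes = calloc(n, sizeof *nodes);
    if (!nodes)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        nodes[i] = *tmpl;
        nodes[i].next = (i + 1 < n) ? &nodes[i + 1] : NULL;
    }
    char *out = safe_write_address(nodes);
    free(nodes);
    return out;
}

int main(void)
{
    struct address bob = { "Bob", "bob", "example.org", NULL };
    struct address alice = { "", "alice", "example.net", &bob };
    char *s = safe_write_address(&alice);
    printf("normal header : %s\n", s ? s : "(rejected)");
    free(s);
    s = format_repeated(&bob, 1000);        /* roughly 23 KB of addresses */
    printf("hostile header: %s\n", s ? "formatted" : "(rejected, no abort)");
    free(s);
    return 0;
}
```

The point of the split is that the caller, not the legacy routine, owns the bound: once the size is known before the write, a header that would exceed a fixed buffer is dropped instead of overflowing it, and a library that abort()s above its own limit never sees input that large.
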
Comment 3 Tomas Hoger 2008-12-05 16:02:54 UTC
This issue was addressed upstream in 5.2.7:
  http://www.php.net/releases/5_2_7.php
  http://www.php.net/ChangeLog-5.php#5.2.7

Comment 4 Fedora Update System 2009-05-30 02:33:54 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2009-05-30 02:37:58 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.