| Field | Value |
|---|---|
| Summary | CVE-2008-2829 php: ext/imap legacy routine buffer overflow |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Version | unspecified |
| CC | fedora, jorton, rpm |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2009-05-31 11:22:10 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
Description Tomas Hoger 2008-06-25 08:04:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2829 to the following vulnerability:

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.

References:
http://bugs.php.net/bug.php?id=42862
https://bugs.gentoo.org/show_bug.cgi?id=221969
http://www.openwall.com/lists/oss-security/2008/06/19/6
Comment 1 Joe Orton 2008-07-24 10:40:46 UTC
The situation seems to be this:

The "legacy" function rfc822_write_address in the uw-imap c-client library is used by the PHP "imap" extension to format lists of addresses. The function will be used in the simple path of reading and parsing the contents of a mailbox from an IMAP server. This becomes relevant to security because the lists of addresses in question are the To, From, Cc, etc. headers; under the control of the people sending you mail.

This function historically did not take account of buffer overflow, nor does the API provide an opportunity to avoid or detect buffer overflow. So, the PHP imap extension was changed to:

1) calculate the buffer size that would be needed by rfc822_write_address, and
2) either allocate a buffer large enough, or fail/ignore the address if exceeding a fixed-size stack buffer limit.

There have been PHP errata over the years introducing/correcting these changes in RHEL, see e.g. bug 174999.

At some point, uw-imap libc-client was changed so that rfc822_write_address() would now abort() if an arbitrary fixed size limit is passed - 16K characters. When this occurs with PHP, no buffer overflow would (should!) have occurred in the case that abort() is called, because PHP takes care to avoid that as explained above. But it presents an effective DoS; people who send you carefully crafted e-mails can deny you access to your webmail, reduce Apache performance by terminating processes prematurely, etc.

The issue here doesn't affect RHEL because we don't ship the newer versions of c-client which arbitrarily call abort(). Fedora does ship the newer versions, however.
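The two-step mitigation described in the comment above (compute the size the legacy writer would need, then either allocate enough or refuse the address list) as an added C example. This is not PHP's or c-client's code: the `addr_t` type, the output format, the `ADDR_BUF_LIMIT` value and every function name here are assumptions made for illustration, and the two sample address lists are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified address node modelled on the shape of a c-client address
   list. Constructed for this example; not the real ADDRESS struct. */
typedef struct addr {
    const char *personal;   /* optional display name, NULL if absent */
    const char *mailbox;    /* local part */
    const char *host;       /* domain */
    struct addr *next;
} addr_t;

/* Fixed-size buffer limit the caller is prepared to honour (example value). */
#define ADDR_BUF_LIMIT 1024

/* Legacy-style writer: formats the whole list into dest with no bounds
   checking, which is the API shape the report describes. It is only ever
   called here after the caller has proven that dest is large enough. */
static void legacy_write_address(char *dest, const addr_t *a)
{
    dest[0] = '\0';
    for (; a; a = a->next) {
        if (a->personal)
            sprintf(dest + strlen(dest), "\"%s\" <%s@%s>",
                    a->personal, a->mailbox, a->host);
        else
            sprintf(dest + strlen(dest), "%s@%s", a->mailbox, a->host);
        if (a->next)
            strcat(dest, ", ");
    }
}

/* Step 1: compute exactly how many bytes legacy_write_address would emit,
   walking the same format it uses (terminating NUL not included). */
static size_t address_list_len(const addr_t *a)
{
    size_t n = 0;
    for (; a; a = a->next) {
        if (a->personal)
            n += strlen(a->personal) + 2;              /* quotes around name */
        n += strlen(a->mailbox) + 1 + strlen(a->host); /* mailbox@host      */
        if (a->personal)
            n += 3;                                    /* " <" and ">"      */
        if (a->next)
            n += 2;                                    /* ", " separator    */
    }
    return n;
}

/* Step 2: refuse (return NULL) if the formatted list would exceed limit;
   otherwise allocate exactly enough and let the legacy routine fill it.
   The caller owns and frees the returned string. */
static char *format_address_list(const addr_t *a, size_t limit)
{
    size_t need = address_list_len(a);
    if (need >= limit)              /* keep room for the NUL */
        return NULL;
    char *buf = malloc(need + 1);
    if (!buf)
        return NULL;
    legacy_write_address(buf, a);
    return buf;
}

/* Constructed sample: an ordinary two-entry header. Returns 1 if the
   formatted result is exactly what the length calculation predicted. */
static int demo_normal_ok(void)
{
    addr_t bob   = { NULL,    "bob",   "example.net", NULL };
    addr_t alice = { "Alice", "alice", "example.org", &bob };
    const char *expected = "\"Alice\" <alice@example.org>, bob@example.net";
    char *s = format_address_list(&alice, ADDR_BUF_LIMIT);
    int ok = s && strcmp(s, expected) == 0 && strlen(s) == address_list_len(&alice);
    free(s);
    return ok;
}

/* Constructed sample: a hostile header whose display name alone exceeds
   the limit. Returns 1 if it is rejected before the legacy writer runs. */
static int demo_oversized_rejected(void)
{
    char huge[ADDR_BUF_LIMIT + 64];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    addr_t evil = { huge, "x", "example.org", NULL };
    return format_address_list(&evil, ADDR_BUF_LIMIT) == NULL;
}

int main(void)
{
    printf("normal list formatted correctly: %d\n", demo_normal_ok());
    printf("oversized list rejected:         %d\n", demo_oversized_rejected());
    return 0;
}
```

Because the size check runs before the legacy writer is ever invoked, a caller-side limit below the library's own abort() threshold also keeps a crafted header from reaching that abort(), which is the DoS the comment describes; the caller then gets a NULL to handle (skip the header, log it) instead of a terminated process.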
Comment 2 Joe Orton 2008-07-24 10:41:51 UTC
The issue here doesn't affect RHEL, that comment should have read, sorry.
Comment 3 Tomas Hoger 2008-12-05 16:02:54 UTC
This issue was addressed upstream in 5.2.7:
http://www.php.net/releases/5_2_7.php
http://www.php.net/ChangeLog-5.php#5.2.7
Comment 4 Fedora Update System 2009-05-30 02:33:54 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 have been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-05-30 02:37:58 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.