Bug 477227 (CVE-2008-5514)

Summary: CVE-2008-5514 libc-client: buffer overflow in rfc822_output_char / rfc822_output_data
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: jdennis, jima, jorton, joshuadfranklin, rdieter
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-12-07 14:03:39 UTC
Bug Depends On: 770368, 770369
Attachments: Upstream patch (flags: none)

Description Tomas Hoger 2008-12-19 18:41:51 UTC
Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not check whether the buffer is already full and may therefore write one byte too much. This leads to a segfault in rfc822_output_data() later due to memcpy with size -1.

The issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines.
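The write-then-check sequence the report describes, as an added illustration that is not part of this bug report or of c-client's own code: a simplified model of the RFC822BUFFER (the field names beg/cur/end and the flush stand-in are assumptions) with the unchecked character path beside a flush-first version, and the data path's end - cur arithmetic that turns into the size -1 after the one-byte overrun.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of c-client's RFC822BUFFER (assumed field names; a
 * reconstruction for illustration, not the library's own code). The bytes
 * from beg to end are the buffer and cur is the write position. */
typedef struct { char *beg, *cur, *end; int flushes; } rfc822buf;

/* Stand-in for the flush callback: hand off the buffer and rewind cur. */
static long buf_flush(rfc822buf *b) { b->cur = b->beg; b->flushes++; return 1; }

/* Data path: copy in chunks, flushing only while data remains, so a
 * string that fits exactly leaves cur == end with no flush. */
static long output_data(rfc822buf *b, const char *s, long len) {
    while (len) {
        long i = b->end - b->cur;   /* room left: negative once cur > end */
        if (len < i) i = len;
        if (i < 0) return -1;       /* the report: memcpy called with size -1 */
        memcpy(b->cur, s, (size_t)i);
        b->cur += i; s += i; len -= i;
        if (len && b->cur == b->end && !buf_flush(b)) return 0;
    }
    return 1;
}

/* Pre-2007e character path: write first, check afterwards. Entered with
 * cur == end, it stores one byte past the buffer and leaves cur > end. */
static long output_char_unchecked(rfc822buf *b, int c) {
    *b->cur++ = (char)c;
    return (b->cur == b->end) ? buf_flush(b) : 1;
}

/* 2007e-style fix: flush before writing when the buffer is already full. */
static long output_char_checked(rfc822buf *b, int c) {
    if (b->cur == b->end && !buf_flush(b)) return 0;
    *b->cur++ = (char)c;
    return (b->cur == b->end) ? buf_flush(b) : 1;
}

/* Fill a 4-byte buffer exactly, emit one character, and return the room
 * (end - cur) the next output_data call would compute: 3 with the fix,
 * -1 without it. storage carries a spare guard byte so the demo itself
 * never writes out of bounds. */
long run_sequence(int use_fixed_char) {
    char storage[5] = {0};
    rfc822buf b = { storage, storage, storage + 4, 0 };
    output_data(&b, "abcd", 4);                       /* exact fit, no flush */
    if (use_fixed_char) output_char_checked(&b, 'e');
    else output_char_unchecked(&b, 'e');
    return (long)(b.end - b.cur);
}
```

A negative return from run_sequence is the state in which the real data path would hand memcpy a length of -1, which is the crash the report describes.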

Comment 1 Tomas Hoger 2008-12-19 18:43:17 UTC
Created attachment 327481 [details]
Upstream patch

Comment 2 Tomas Hoger 2008-12-19 18:46:32 UTC
imap/libc-client source code is also embedded in alpine sources.  This issue was already fixed in alpine SVN:
  https://svn.cac.washington.edu/public/alpine/snapshots/

However, it's not clear whether this flaw is really triggerable in alpine.

Comment 3 Tomas Hoger 2008-12-19 18:48:19 UTC
This issue did not affect versions of imap as shipped in Red Hat Enterprise Linux 2.1 and 3, and libc-client in Red Hat Enterprise Linux 4 and 5, as they do not include affected functions.  They seem to have been introduced in imap-2005.

Comment 6 Tomas Hoger 2008-12-19 18:50:56 UTC
Additionally, according to upstream, this flaw most likely does not affect imapd, but may affect other applications using c-client, such as PHP.

Comment 7 Tomas Hoger 2009-01-07 16:04:43 UTC
Rex, I see new 2007e uw-imap in Koji and no update request.  Any known issues with new 2007e?  Can they be submitted as updates?

Comment 8 Rex Dieter 2009-01-07 16:08:37 UTC
Updates need to happen, yes.  I just didn't personally have time... and asked my Fedora co-maintainers to issue an update (I suppose everyone is busy).

Comment 9 Fedora Update System 2009-01-12 11:06:28 UTC
uw-imap-2007e-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc10

Comment 10 Fedora Update System 2009-01-12 11:06:33 UTC
uw-imap-2007e-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc9

Comment 11 Tomas Hoger 2009-01-12 11:07:42 UTC
Testing update requests submitted.

Comment 12 Fedora Update System 2009-01-21 21:36:57 UTC
uw-imap-2007e-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-01-21 21:39:06 UTC
uw-imap-2007e-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Kurt Seifried 2011-12-26 07:47:36 UTC
This also reportedly affects alpine

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653238

Comment 15 Kurt Seifried 2011-12-26 07:51:15 UTC
Created alpine tracking bugs for this issue

Affects: fedora-all [bug 770368]
Affects: epel-all [bug 770369]

Comment 16 Joshua Daniel Franklin 2011-12-26 19:12:42 UTC
Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is based off the dead upstream project 2.00, while we base off [re-]alpine 2.02 from http://re-alpine.sourceforge.net/ 

The patch was applied upstream 10 Jun 2009 by Andraž Levstik with note "updated imap to 2007e per Mark Crispin's suggestion":

http://re-alpine.git.sourceforge.net/git/gitweb.cgi?p=re-alpine/re-alpine;a=commitdiff;h=3f20a0fc24537497ca1291ed04c8fb9848a19978;hp=1880d23af62bfdd11c9b43235429b81984093c99

I'll close NOTABUG but feel free to recommend otherwise, for example if it would make sense to mention the CVE in a changelog entry even just for bookkeeping purposes.

Comment 17 Tomas Hoger 2011-12-28 12:36:10 UTC
(In reply to comment #16)
> Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is
> based off the dead upstream project 2.00, while we base off [re-]alpine 2.02
> from http://re-alpine.sourceforge.net/ 

EPEL is using 2.00 too, and does not seem to have the fix applied.

EPEL-4: http://koji.fedoraproject.org/packages/alpine/2.00/1.el4
EPEL-5: http://koji.fedoraproject.org/packages/alpine/2.00/1.el5
EPEL-6: http://koji.fedoraproject.org/packages/alpine/2.00/9.el6

Comment 18 Joshua Daniel Franklin 2011-12-29 00:05:14 UTC
Oh my, better fix that. I just committed a new 2.02-3 spec to el5 branch, mockbuild worked for me but build failed on koji just now so I'll work some more on this to get all the EPELs updated.

http://pkgs.fedoraproject.org/gitweb/?p=alpine.git;a=commitdiff;h=d18633bd1ab8cda7bf96240aa6a29ec178166b52

Comment 19 Joshua Daniel Franklin 2011-12-29 06:37:28 UTC
Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch" error from mock) but here's the el5 and el6:

https://admin.fedoraproject.org/updates/alpine-2.02-3.el5

https://admin.fedoraproject.org/updates/alpine-2.02-3.el6

Comment 20 Tomas Hoger 2011-12-29 07:47:35 UTC
(In reply to comment #19)
> Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch"
> error from mock)

Have you tried creating SRPM using rpmbuild-md5 from fedora-packager?

Comment 21 Joshua Daniel Franklin 2011-12-29 15:46:31 UTC
Thanks, rpmbuild-md5 -bs --define 'dist .el4' alpine.spec did the trick. 

Here are all three; this bug and the EPEL child should automatically close once they get enough karma to head to stable:

https://admin.fedoraproject.org/updates/alpine-2.02-3.el4

https://admin.fedoraproject.org/updates/alpine-2.02-3.el5

https://admin.fedoraproject.org/updates/alpine-2.02-3.el6