Bug 170521 - libc-client may allow execution of arbitrary code (CAN-2005-2933)
Status: CLOSED DUPLICATE of bug 171345
Product: Fedora
Classification: Fedora
Component: libc-client
All Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
Keywords: Security
Reported: 2005-10-12 11:38 EDT by Michal Jaegermann
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-12-01 14:05:50 EST

Attachments
patch to check quoting boundaries in mail.c (577 bytes, patch)
2005-10-12 11:38 EDT, Michal Jaegermann

Description Michal Jaegermann 2005-10-12 11:38:23 EDT
Description of problem:

Quoting a corresponding Gentoo advisory GLSA 200510-10: "Improper bounds
checking of user supplied data while parsing IMAP mailbox names can lead to
overflowing the stack buffer". See:

It looks like the attached patch is needed.

The issue will really affect not only FC4 but all distributions which use
libc-client and/or imap-2002e code.

Version-Release number of selected component (if applicable):
Comment 1 Michal Jaegermann 2005-10-12 11:38:23 EDT
Created attachment 119841 [details]
patch to check quoting boundaries in mail.c
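The class of check the quoted advisory describes, as an added example that is not part of this bug report, not the attached patch and not c-client code: a hypothetical `copy_quoted` helper that copies a quoted value out of a mailbox name into a fixed-size buffer and rejects unterminated quotes, dangling backslashes and over-long input. The function name, buffer size and sample strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not c-client code): copy the quoted string that
 * starts at src[0] == '"' into dst, honouring backslash escapes.
 * Returns the number of source bytes consumed, both quotes included,
 * or 0 if the input is unterminated, ends in a dangling backslash,
 * or does not fit in dst (dstlen bytes, terminator included). */
size_t copy_quoted(const char *src, char *dst, size_t dstlen)
{
    const char *s = src;
    size_t i = 0;

    if (dstlen == 0 || *s++ != '"')
        return 0;
    for (;;) {
        char c = *s++;
        if (c == '\0')          /* ran off the end: no closing quote */
            return 0;
        if (c == '"')           /* closing quote: done */
            break;
        if (c == '\\') {        /* escape: take the next byte literally */
            c = *s++;
            if (c == '\0')      /* backslash was the last byte */
                return 0;
        }
        if (i + 1 >= dstlen)    /* always keep room for the terminator */
            return 0;
        dst[i++] = c;
    }
    dst[i] = '\0';
    return (size_t)(s - src);
}

int main(void)
{
    /* Constructed inputs, not taken from any advisory or from the patch. */
    const char *samples[] = { "\"alice\"}INBOX", "\"a\\\"b\"", "\"open",
                              "\"x\\", "\"12345678\"" };
    char buf[8];                /* small stack buffer, as in the bug class */

    for (size_t k = 0; k < sizeof samples / sizeof *samples; k++) {
        size_t n = copy_quoted(samples[k], buf, sizeof buf);
        printf("%-16s -> %s\n", samples[k], n ? buf : "(rejected)");
    }
    return 0;
}
```

Without the three rejection branches, the loop would keep reading past the end of the input or keep writing past the end of the stack buffer.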
Comment 2 Joe Orton 2005-10-13 08:15:14 EDT
I'm not sure that this has security implications for libc-client.

The bug appears to be triggered by an attacker supplying a malformed mailbox
name to the IMAP server.
Comment 3 Michal Jaegermann 2005-10-13 11:57:07 EDT
> I'm not sure that this has security implications for libc-client.

Well, I am not sure either and that is why I wrote "may allow" in a subject.
OTOH a description says "C-client is a common API for accessing mailboxes".
This is used at least by 'php-imap' where various things can be built with
that, and a description claims 'pine', and who knows in what else way this
may be put, or was put, to use somewhere. We do deal here with user-supplied
data and a library whose uses you do not control.

I do not have an example of an attack but trying to analyse and _predict_
all possible attack paths here seems to be rather not a cost effective
exercise vis-a-vis a simple and "obviously correct" patch.

Not mentioning effects of this hole where imap-2002 may be directly
used in still supported distros if any (early RHEL?).
Comment 4 Michal Jaegermann 2005-10-26 20:34:52 EDT
See http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:194
The only difference is that AFAICS imap.so from php-imap in FC is
dynamically linked to libc-client.so so fixing that library, and restarting
apache, should be enough.

How this is for other distributions from Red Hat I do not know.
Comment 5 Michal Jaegermann 2005-12-01 14:05:50 EST

*** This bug has been marked as a duplicate of 171345 ***
