Description of problem:
Quoting the corresponding Gentoo advisory GLSA 200510-10: "Improper bounds checking of user supplied data while parsing IMAP mailbox names can lead to overflowing the stack buffer".

See:
http://www.linuxsecurity.com/content/view/120575
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933

It looks like the attached patch is needed. The issue will really affect not only FC4 but all distributions that use libc-client and/or imap-2002e code.

Version-Release number of selected component (if applicable):
libc-client-2002e-9
Created attachment 119841: patch to check quoting boundaries in mail.c
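The advisory quoted above describes the bug class (a fixed-size stack buffer filled from an attacker-controlled mailbox name, with the copy not bounded by the buffer size) but the attached patch is not visible on this page. The following is an added illustration, written for this page, not c-client's mail.c and not the attached patch. It uses c-client's `{host/flags}mailbox` name syntax, but the backslash-quoting rule, the buffer size HOSTBUF and all function names are assumptions chosen to make the overrun easy to see; the quoted character is included because a quote that consumes an extra input byte is exactly where a boundary check tends to be missed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: parse the host part of a mailbox name such as
 * "{imap.example.com/imap}INBOX" into a fixed-size buffer.  HOSTBUF is
 * deliberately tiny; real code would use something like MAILTMPLEN.
 * The backslash-quoting rule below is an assumption for illustration. */
#define HOSTBUF 16

/* Unsafe pattern: copies up to the closing brace with no length check.
 * The caller's buffer size is never consulted, so a long host part runs
 * off the end of whatever 'out' points at.  Returns the copied length,
 * or (size_t)-1 if the braces are malformed. */
static size_t copy_host_unsafe(const char *name, char *out)
{
    size_t n = 0;
    if (*name != '{') return (size_t)-1;
    for (name++; *name && *name != '}'; name++) {
        if (*name == '\\' && name[1]) name++;   /* quoted char: take the next byte */
        out[n++] = *name;                       /* no check against the buffer size */
    }
    if (*name != '}') return (size_t)-1;
    out[n] = '\0';
    return n;
}

/* Hardened version of the same grammar: every write, including the
 * terminating NUL and the byte consumed by a quote, is checked against
 * 'cap'.  Returns the length, or -1 on malformed input or overflow. */
static int copy_host_safe(const char *name, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0 || *name != '{') return -1;
    for (name++; *name && *name != '}'; name++) {
        if (*name == '\\') {
            if (!name[1]) return -1;            /* trailing backslash: reject */
            name++;
        }
        if (n + 1 >= cap) return -1;            /* keep room for the NUL */
        out[n++] = *name;
    }
    if (*name != '}') return -1;
    out[n] = '\0';
    return (int)n;
}

/* How many bytes the unsafe copy writes past a HOSTBUF-sized buffer for
 * this name (0 if it fits).  A 256-byte slack buffer is used here so the
 * demonstration itself stays within defined behaviour. */
static size_t unsafe_overrun(const char *name)
{
    char slack[256];
    size_t n = copy_host_unsafe(name, slack);
    if (n == (size_t)-1) return 0;
    return (n + 1 > HOSTBUF) ? (n + 1 - HOSTBUF) : 0;
}

/* Realistic call site: a HOSTBUF-sized stack buffer.  Returns 1 if the
 * hardened parser accepts the name, 0 if it rejects it. */
static int safe_accepts(const char *name)
{
    char host[HOSTBUF];
    return copy_host_safe(name, host, sizeof host) >= 0;
}

int main(void)
{
    const char *names[] = {
        "{localhost}INBOX",              /* fits */
        "{imap.example.com/imap}INBOX",  /* 21 bytes: overruns a 16-byte buffer */
        "{a\\}b}x",                      /* quoted brace inside the host part */
        "{abc\\",                        /* trailing backslash */
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s unsafe overrun: %zu bytes, hardened: %s\n", names[i],
               unsafe_overrun(names[i]), safe_accepts(names[i]) ? "accept" : "reject");
    return 0;
}
```

The point of the hardened version is that the check happens at every write, not once per name: a parser that validates the total length of the input but then consumes an extra byte for each quote (or writes an unquoted copy of a quoted sequence) can still miscount, so the bound is applied where the byte lands.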
I'm not sure that this has security implications for libc-client. The bug appears to be triggered by an attacker supplying a malformed mailbox name to the IMAP server.
> I'm not sure that this has security implications for libc-client.

Well, I am not sure either, and that is why I wrote "may allow" in the subject. OTOH the description says "C-client is a common API for accessing mailboxes". This is used at least by 'php-imap', where various things can be built with that, and the description claims 'pine', and who knows in what other way this may be put, or was put, to use somewhere. We do deal here with user-supplied data and a library whose uses you do not control. I do not have an example of an attack, but trying to analyse and _predict_ all possible attack paths here seems to be rather not a cost-effective exercise vis-a-vis a simple and "obviously correct" patch. Not to mention the effects of this hole where imap-2002 may be directly used in still supported distros, if any (early RHEL?).
See http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:194

The only difference is that AFAICS imap.so from php-imap in FC is dynamically linked to libc-client.so, so fixing that library and restarting apache should be enough. How this is for other Red Hat distributions I do not know.
*** This bug has been marked as a duplicate of 171345 ***