Red Hat Bugzilla – Bug 170521
libc-client may allow execution of arbitrary code (CAN-2005-2933)
Last modified: 2007-11-30 17:11:15 EST
Description of problem:
Quoting a corresponding Gentoo advisory GLSA 200510-10: "Improper bounds
checking of user supplied data while parsing IMAP mailbox names can lead to
overflowing the stack buffer". See:
It looks like the attached patch is needed.
The issue will really affect not only FC4 but all distributions which use
libc-client and/or imap-2002e code.
Version-Release number of selected component (if applicable):
Created attachment 119841 [details]
patch to check quoting boundaries in mail.c
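As an added illustration of the bounds problem the advisory describes (example code written for this page, not libc-client's mail.c and not the attached patch), the routine below quotes a mailbox name the IMAP way, escaping `"` and `\`, and refuses to write when the escaped form would not fit the caller's buffer. The function names `quoted_size`, `quote_mailbox`, `quote_into_capacity` and `quote_equals`, and the 16-byte capacity used in the demonstration, are assumptions chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libc-client code: IMAP quoted strings escape '"' and
 * '\' with a backslash, so a quoted mailbox name can grow to twice the
 * input length plus the two surrounding quotes and a NUL. A writer that
 * sizes its stack buffer by the input length alone is overrun as soon as a
 * client sends a name made of quote characters; the defence is to measure
 * the escaped length first and refuse to write when it does not fit. */

/* Bytes required to hold the quoted form of name, NUL included. */
size_t quoted_size(const char *name)
{
    size_t need = 3;                      /* opening quote, closing quote, NUL */
    for (; *name; name++)
        need += (*name == '"' || *name == '\\') ? 2 : 1;
    return need;
}

/* Write the quoted form of name into out (capacity outlen).
 * Returns the length written (NUL excluded), or -1 when the result would
 * not fit; in that case out is left as an empty string, never partial. */
int quote_mailbox(const char *name, char *out, size_t outlen)
{
    if (quoted_size(name) > outlen) {     /* check before any write */
        if (outlen)
            out[0] = '\0';
        return -1;
    }
    size_t n = 0;
    out[n++] = '"';
    for (; *name; name++) {
        if (*name == '"' || *name == '\\')
            out[n++] = '\\';
        out[n++] = *name;
    }
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

/* Helper for demonstration: quote into a buffer of the given capacity
 * (capped at 64 so the helper's own storage is never exceeded). */
int quote_into_capacity(const char *name, size_t capacity)
{
    char buf[64];
    if (capacity > sizeof buf)
        capacity = sizeof buf;
    return quote_mailbox(name, buf, capacity);
}

/* Helper for demonstration: 1 if quoting name yields exactly expected. */
int quote_equals(const char *name, const char *expected)
{
    char buf[64];
    if (quote_mailbox(name, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal name and names built from quote
     * characters, against a 16-byte buffer such as a fixed-size stack temporary. */
    const char *names[] = { "INBOX", "a\"b", "\"\"\"\"\"\"", "\"\"\"\"\"\"\"" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int r = quote_into_capacity(names[i], 16);
        printf("%-10s needs %2zu bytes -> %s\n", names[i],
               quoted_size(names[i]), r < 0 ? "rejected" : "written");
    }
    return 0;
}
```

The point of measuring first is that the rejection happens before a single byte is written, so a name of seven quote characters (17 bytes once escaped) is refused against the 16-byte buffer instead of spilling past it, while six quote characters (15 bytes) still fit.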
I'm not sure that this has security implications for libc-client.
The bug appears to be triggered by an attacker supplying a malformed mailbox
name to the IMAP server.
> I'm not sure that this has security implications for libc-client.
Well, I am not sure either and that is why I wrote "may allow" in the subject.
OTOH a description says "C-client is a common API for accessing mailboxes".
This is used at least by 'php-imap' where various things can be built with
that, and a description claims 'pine', and who knows in what else way this
may be put, or was put, to use somewhere. We do deal here with user
supplied data and a library whose uses you do not control.
I do not have an example of an attack but trying to analyse and _predict_
all possible attack paths here seems not to be a cost-effective
exercise vis-a-vis a simple and "obviously correct" patch.
Not to mention the effects of this hole where imap-2002 may be directly
used in still-supported distros, if any (early RHEL?).
The only difference is that AFAICS imap.so from php-imap in FC is
dynamically linked to libc-client.so so fixing that library, and restarting
apache, should be enough.
How this is for other distributions from Red Hat I do not know.
*** This bug has been marked as a duplicate of 171345 ***