Bug 175040 - CVE-2002-2214 PHP segfault imap_fetch_overview() (CVE-2002-2215, CVE-2003-1302, CVE-2003-1303). Also - Multiple PHP vulnerabilities (CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 CVE-2006-1990)
Product: Fedora Legacy
Classification: Retired
Component: php
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
rh73, rh90, 1, 2, 3, LEGACY
: Security
Depends On: 174463 174528 178028 187230 187510 190519 190524 190526 191474
Reported: 2005-12-05 17:12 EST by John Dalbec
Modified: 2007-04-18 13:35 EDT (History)

Doc Type: Bug Fix
Last Closed: 2006-07-27 22:37:42 EDT

Attachments
Combined patch for listed PHP bugs. (8.72 KB, patch)
2005-12-05 17:20 EST, John Dalbec
the patch (5.95 KB, patch)
2006-06-14 08:52 EDT, Joe Orton

External Trackers: Red Hat Bugzilla 178028

Description John Dalbec 2005-12-05 17:12:22 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4

Description of problem:
If a mailbox contains a From: or To: header beginning with an overlong e-mail address, imap_fetch_overview() will segfault when processing that message.

This is one of several vulnerabilities where code in php_imap.c calls rfc822_write_address() to write an e-mail address to a buffer of fixed size without first checking that the e-mail address fits into the buffer.


Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Copy http://cc.ysu.edu/~jpdalbec/adam2.txt to an IMAP mailbox.
2. Access the mailbox using IMP 3.

Actual Results:  Web server segfaulted

Expected Results:  Mailbox should open and display overview.

Additional info:
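The failure mode described in this report (an address formatted by rfc822_write_address() into a fixed-size buffer with no prior check that it fits) is illustrated below with a hardened write that measures first and refuses overlong input. This is an added example, not code from php_imap.c, from c-client or from any patch attached to this bug; the addr_t record, the 64-byte ADDR_BUF_LEN scratch buffer, addr_formatted_len(), write_address_checked() and overview_from() are constructed stand-ins, and the sample addresses are made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for c-client's ADDRESS record: display name,
 * mailbox (local part) and host. Not the real c-client type. */
typedef struct {
    const char *personal;   /* may be NULL or empty */
    const char *mailbox;
    const char *host;
} addr_t;

/* Constructed stand-in for the fixed-size scratch buffer the report
 * describes; 64 bytes here so the overlong case is easy to exercise. */
#define ADDR_BUF_LEN 64

/* Length of the formatted form "personal <mailbox@host>" (or "mailbox@host"
 * when there is no display name), excluding the terminating NUL. */
size_t addr_formatted_len(const addr_t *a)
{
    size_t n = strlen(a->mailbox) + 1 + strlen(a->host);   /* mailbox@host */
    if (a->personal && a->personal[0])
        n += strlen(a->personal) + 3;                      /* personal, " <", ">" */
    return n;
}

/* Hardened write: measure first and refuse (returning 0 with an empty
 * buffer) when the address would not fit, instead of writing past the end
 * of the caller's buffer as the unchecked pattern does. Returns 1 on success. */
int write_address_checked(char *buf, size_t bufsize, const addr_t *a)
{
    if (bufsize == 0)
        return 0;
    if (addr_formatted_len(a) + 1 > bufsize) {             /* +1 for the NUL */
        buf[0] = '\0';
        return 0;
    }
    int n = (a->personal && a->personal[0])
        ? snprintf(buf, bufsize, "%s <%s@%s>", a->personal, a->mailbox, a->host)
        : snprintf(buf, bufsize, "%s@%s", a->mailbox, a->host);
    return n >= 0 && (size_t)n < bufsize;
}

/* Mimics the overview step: copy a message's From: address into a fixed-size
 * field. An overlong address yields an empty field and 0 rather than a crash. */
int overview_from(const addr_t *from, char from_field[ADDR_BUF_LEN])
{
    return write_address_checked(from_field, ADDR_BUF_LEN, from);
}

/* Demonstration checks: 1 when the behaviour is as intended, else 0. */
int demo_normal_fits(void)
{
    char field[ADDR_BUF_LEN];
    addr_t a = { "Alice Example", "alice", "example.test" };   /* constructed */
    return overview_from(&a, field) == 1
        && strcmp(field, "Alice Example <alice@example.test>") == 0;
}

int demo_overlong_rejected(void)
{
    char field[ADDR_BUF_LEN];
    char longbox[200];                       /* constructed overlong local part */
    memset(longbox, 'a', sizeof longbox - 1);
    longbox[sizeof longbox - 1] = '\0';
    addr_t a = { "", longbox, "example.test" };
    return overview_from(&a, field) == 0 && field[0] == '\0';
}

int main(void)
{
    printf("normal address fits:      %d\n", demo_normal_fits());
    printf("overlong address refused: %d\n", demo_overlong_rejected());
    return 0;
}
```

The point of the example is the order of operations: the length is computed from the address fields before anything is written, so a header with an oversized address degrades to an empty field instead of corrupting the stack of the process that is scanning the mailbox.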
Comment 1 John Dalbec 2005-12-05 17:14:09 EST
Oops, that's http://cc.ysu.edu/~jpdalbec/adam.txt
Comment 2 John Dalbec 2005-12-05 17:20:25 EST
Created attachment 121874 [details]
Combined patch for listed PHP bugs.
Comment 3 David Eisenstein 2006-01-17 18:07:48 EST
New Security bug:  CVE-2006-0208:
   "Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1 allow
remote attackers to inject arbitrary web script or HTML via unknown attack
vectors in 'certain error conditions.'"

As a result, PHP has released PHP 5.1.2  <http://www.php.net/release_5_1_2.php>.

Red Hat has opened a bug for RHEL4, Bug #178028.  Josh Bressers has determined
that this affects PHP 5.1 and PHP 4.3 releases.  Josh also states that RHEL 3 and
RHEL 2.1 are affected.

Josh says in Bug #178028, "The problem exists in the way PHP displays error
messages.  This issue is only exploitable when 'display_errors' and
'html_errors' are both set to 'On' in the PHP configuration file.  When a HTML
error message was being generated, the output was not properly sanitized, which
could allow an attacker to insert arbitrary HTML, thus allowing a XSS attack.

"This issue is only exploitable if 'html_errors' is on, which the configuration
file clearly states should not be used on production machines.

"I have verified this flaw exists in the PHP 4.3 and 5.1 branches."

RHEL 2.1 uses PHP 4.1.2.
RHEL 3   uses PHP 4.3.2.
RHEL 4   uses PHP 4.3.9.
RHL 7.3  uses PHP 4.1.2.
RHL 9    uses PHP 4.2.2.
FC1      uses PHP 4.3.11.
FC2      uses PHP 4.3.11.
FC3      uses PHP 4.3.11.

This issue therefore should affect RHL 7.3, RHL9, FC1, FC2, FC3.

Comment 4 Marc Deslauriers 2006-04-26 20:10:11 EDT
The phpinfo() PHP function did not properly sanitize long strings. An
attacker could use this to perform cross-site scripting attacks against
sites that have publicly-available PHP scripts that call phpinfo().

The html_entity_decode() PHP function was found to not be binary safe. An
attacker could use this flaw to disclose a certain part of the memory. In
order for this issue to be exploitable the target site would need to have a
PHP script which called the "html_entity_decode()" function with untrusted
input from the user and displayed the result. (CVE-2006-1490)

The error handling output was found to not properly escape HTML output in
certain cases. An attacker could use this flaw to perform cross-site
scripting attacks against sites where both display_errors and html_errors
are enabled. (CVE-2006-0208)

An input validation error was found in the "mb_send_mail()" function. An
attacker could use this flaw to inject arbitrary headers in a mail sent via
a script calling the "mb_send_mail()" function where the "To" parameter can
be controlled by the attacker. (CVE-2005-3883)

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static c-client
libraries from imap and therefore needed to be recompiled against the fixed
version. This issue only affected Red Hat Enterprise Linux 3.

Comment 5 Marc Deslauriers 2006-04-26 20:21:24 EDT
John, is the bug you reported a security issue? Is there a CVE number for it?
Comment 6 John Dalbec 2006-04-27 08:40:48 EDT
I don't know of any CVE numbers.  I was able to modify the e-mail message in the
above link to cause code execution at 0xdeadbeef, so I think it's at least
potentially a security issue.
Comment 7 Marc Deslauriers 2006-04-30 19:09:16 EDT
Here are updated packages to QA.

ab70ee5354cb74eada34ae7ac47de58d1c86b7e8  7.3/php-4.1.2-7.3.19.legacy.src.rpm
f1d8a4ac3abd883e9d08f0ab2192b697df331788  9/php-4.2.2-17.20.legacy.src.rpm
71c935bd4983b07cb15fadc21d81323664e014e0  1/php-4.3.11-1.fc1.5.legacy.src.rpm
2d1b0533ea030ddd8b86ce2700720bc8ef25f547  2/php-4.3.11-1.fc2.6.legacy.src.rpm
2e40f983d095a4bb496abd8d5e03a5683ed3be93  3/php-4.3.11-2.8.2.legacy.src.rpm

Comment 8 Pekka Savola 2006-05-02 15:28:21 EDT
RHEL21 update hasn't apparently been released yet, I hope there won't be patch
Comment 9 Marc Deslauriers 2006-05-02 16:54:47 EDT
There will be, as I backported the patches to rh9 and rh73 myself. I wonder when
the update will come out for rhel21...
Comment 10 Pekka Savola 2006-05-05 02:19:30 EDT
FC1 through FC3 are OK, but I get a headache from looking at RHL73 and RHL9
patches, especially the xml2rpc_errors handling.. if someone wants to look at
those, feel free.. otherwise I'll probably wait a few more days if RHEL21
updates would make it easier.
Comment 11 Pekka Savola 2006-05-29 01:52:24 EDT
A couple of comments,

1) RHEL21 also patched CVE-2006-1990 which probably affects us too.  Not sure
whether it affects other versions.

2) php-4.1.2-php_imap.c.patch seems to be a bit different than
php-4.1.2-bug24150.patch and php-4.3.2-bug24150.patch that RHEL shipped.   Are
these fixing the same bug?  This might be applicable to RHL9 as well.  It might
be best to use RHEL patches if feasible.

3) the patches for 2006-0996 seem OK compared to RHEL; there are a couple of
minor diffs wrt TSRMLS_CC etc., but those are probably OK.

4) the approach for 2006-0208 was different, and RHEL21 seemed a bit simpler (at
least to verify :-).  If the RPMs would need to be redone, I'd recommend that

Name: CVE-2006-1990 (under review)
Status: Candidate
Description: Integer overflow in the wordwrap function in string.c in PHP 4.4.2
and 5.1.2 might allow context-dependent attackers to execute arbitrary code via
certain long arguments that cause a small buffer to be allocated, which triggers
a heap-based buffer overflow in a memcpy function call, a different
vulnerability than CVE-2002-1396.

    * MISC:http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
    * REDHAT:RHSA-2006:0501
    * URL:http://www.redhat.com/support/errata/RHSA-2006-0501.html
Comment 13 David Eisenstein 2006-05-31 16:23:34 EDT
Hey Josh,

According to John Dalbec in Comment #6 of this bug, he was able to cajole php
into executing code at 0xdeadbeef, for some bugs that are probably related to
the php bugs that were fixed in announcement RHSA-2006-0501.  The Bugs that John
specifically pointed out have the effect of causing imap_fetch_overview() to
segfault when a mailbox contains a From: or To: header with an overlong email
address.  (See Comment #0).

John has just indicated that the patch, php-4.1.2-bug24150.patch, included in
one of the RHEL updates, fixed only 3 out of 4 of the bugs he noticed (See
comment #12).

I haven't myself had a chance to dig into the code, but I thought you might wish
to know this.  Do you think there indeed is an (additional) code-execution
vulnerability here?  Also, did the patched php packages released with
RHSA-2006-0501 fix all of the vulnerabilities that need fixing in php?  Does a
new CVE number need to be allocated or anything?

Thanks.   -David
Comment 14 Josh Bressers 2006-05-31 22:15:04 EDT
Hi David,

Thanks for the heads up on this.

These issues never seem to have gotten CVE ids.  We'll have to sort all this out
(which versions fixed which bugs, which bugs are really dupes, etc.)  It does
seem that upstream bug 15595 isn't fixed in RHEL2.1.  I'm going to have a better
look tomorrow when I'm more attentive.
Comment 15 Josh Bressers 2006-06-14 08:36:54 EDT
This comment is from my mail archive.  Due to the bugzilla crash some data was lost:

------- Additional Comments From deisenst@gtw.net  2006-06-10 17:12 EST -------

Anything new on the RHEL 2.1 front?


Looks like we need to issue new packages here, perhaps based on the RHEL
packages with the patch http://bugs.php.net/bug.php?id=15595 added in.  Do you
want me to do it, Marc?  Jeff?  Are there any other outstanding issues? -Dave
Comment 16 Josh Bressers 2006-06-14 08:40:14 EDT
------- Additional Comments From jorton@redhat.com  2006-06-12 09:51 EST -------
Sorry for the slow response David.

Yes, I can reproduce a segfault with the test case for the upstream PR 15595
issue on the RHEL2.1 php.  Thanks for bringing this to our attention.   This
will need a CVE name (the issue is from 2002!).
Comment 17 Josh Bressers 2006-06-14 08:41:05 EDT
------- Additional Comments From jorton@redhat.com  2006-06-12 10:33 EST -------

This patch is incremental to php-4.1.2-bug24150.patch and should fix the 15595
issue (tested to do so, and testing in no other way).

Joe, we lost this patch, can you re-add it?
Comment 18 Joe Orton 2006-06-14 08:52:38 EDT
Created attachment 130838 [details]
the patch
Comment 19 Marc Deslauriers 2006-06-14 20:25:12 EDT
Thanks, I'll build new packages.
Comment 21 Marc Deslauriers 2006-06-24 17:33:46 EDT
Here are updated packages to QA.

76199403c774945630d04838fa53e46891dd95d0  7.3/php-4.1.2-7.3.20.legacy.src.rpm
d60f6afef3b9ff5f815e34d8a65162ce81141dc0  9/php-4.2.2-17.21.legacy.src.rpm
826b9f6353176f31561ae3410ca1357940478b15  1/php-4.3.11-1.fc1.6.legacy.src.rpm
5c81b01a9d51c864691cee6b36c1dab0fd69e831  2/php-4.3.11-1.fc2.7.legacy.src.rpm
4ce0c7fdfa9a7e9032bcdd2e1160da6a24d18ccb  3/php-4.3.11-2.8.3.legacy.src.rpm

Comment 22 Pekka Savola 2006-06-30 02:13:01 EDT
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - 1990 patch verified from RHEL and upstream, 0208 looks good.
The 15595 issue (mentioned in comments !6, #17, #18 etc.) isn't fixed
AFAICT, but we could get around to that later as well..
76199403c774945630d04838fa53e46891dd95d0  php-4.1.2-7.3.20.legacy.src.rpm
d60f6afef3b9ff5f815e34d8a65162ce81141dc0  php-4.2.2-17.21.legacy.src.rpm
826b9f6353176f31561ae3410ca1357940478b15  php-4.3.11-1.fc1.6.legacy.src.rpm
5c81b01a9d51c864691cee6b36c1dab0fd69e831  php-4.3.11-1.fc2.7.legacy.src.rpm
4ce0c7fdfa9a7e9032bcdd2e1160da6a24d18ccb  php-4.3.11-2.8.3.legacy.src.rpm
Comment 23 David Eisenstein 2006-06-30 04:29:44 EDT
Thanks a bunch, Pekka!  :)
Comment 24 Marc Deslauriers 2006-06-30 09:49:34 EDT
Thanks for the QA Pekka.

The 15595 issue is already fixed. It's been in the php-4.1.2-php_imap.c.patch
since comment #7.
Comment 25 Marc Deslauriers 2006-07-05 22:17:56 EDT
Packages have been pushed to updates-testing
Comment 26 Tres Seaver 2006-07-05 23:32:09 EDT
Packages tested:

  $ md5sum php-*4.3.11*.rpm
  1398b2fb9eeaf1b1d95e8be6bd3d9289  php-4.3.11-1.fc1.6.legacy.i386.rpm
  5f7111046ee2499bd8a0dcb144de699c  php-devel-4.3.11-1.fc1.6.legacy.i386.rpm
  64ced4ddcd1e97776e16eaf1e02f18bc  php-domxml-4.3.11-1.fc1.6.legacy.i386.rpm
  a83e96cadf0b3201c7cb77eb70976c10  php-imap-4.3.11-1.fc1.6.legacy.i386.rpm
  61238eaac5d4fcc86596bb407c2d0503  php-ldap-4.3.11-1.fc1.6.legacy.i386.rpm
  d3517c12338f04f5c1761f8884ebb477  php-mbstring-4.3.11-1.fc1.6.legacy.i386.rpm
  8b9d7d83626c851aed1902fe123dc3f3  php-mysql-4.3.11-1.fc1.6.legacy.i386.rpm
  4219a4c0f7259905bb12b1d507d54829  php-odbc-4.3.11-1.fc1.6.legacy.i386.rpm
  524ae0ee3476e5baf2e8bfbc7afabe92  php-pgsql-4.3.11-1.fc1.6.legacy.i386.rpm
  097e8af1285d8a602105e12c48af75dc  php-snmp-4.3.11-1.fc1.6.legacy.i386.rpm
  1c43a97bc1682ba3a1aba28edc68c673  php-xmlrpc-4.3.11-1.fc1.6.legacy.i386.rpm

SHA1 checksums and GPG signatures verified:

  $ rpm -K php-*4.3.11*.rpm
  php-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-devel-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-domxml-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-imap-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-ldap-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-mbstring-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-mysql-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-odbc-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-pgsql-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-snmp-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-xmlrpc-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK

Packages installed cleanly:

  $ rpm -Fvh php-*4.3.11*.rpm

Tested PHP application (SquirrelMail) after installation;  ran successfully.

Comment 27 Pekka Savola 2006-07-06 04:18:49 EDT
QA for RHL73.  Signature OK, upgrades OK.  Basic PHP web pages and HORDE/IMP
(using mysql and ldap plugins) continue to work OK.
Two verifies, timeout one week.
Comment 28 Tom Yates 2006-07-10 10:01:48 EDT
1cd4a11bf52c1b18dce2937a7f15789b059c1967 php-4.2.2-17.21.legacy.i386.rpm
714057b386abaa03573d14c8757ef97858ba2b17 php-mysql-4.2.2-17.21.legacy.i386.rpm

installs fine.  squirrelmail (using imap, although not apparently
php-imap) works fine.

Comment 29 Marc Deslauriers 2006-07-27 22:37:42 EDT
Packages were released.
