Red Hat Bugzilla – Bug 452808
CVE-2008-2829 php: ext/imap legacy routine buffer overflow
Last modified: 2009-05-31 07:22:10 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2829 to the following vulnerability:
php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.
The situation seems to be this:
The "legacy" function rfc822_write_address in the uw-imap c-client library is
used by the PHP "imap" extension to format lists of addresses. The function
will be used in the simple path of reading and parsing the contents of a mailbox
from an IMAP server. This becomes relevant to security because the lists of
addresses in question are the To, From, Cc, etc. headers, under the control of
the people sending you mail.
This function historically did not take account of buffer overflow, nor does the
API provide an opportunity to avoid or detect buffer overflow. So, the PHP imap
extension was changed to:
1) calculate the buffer size that would be needed by rfc822_write_address, and
2) either allocate a buffer large enough, or fail/ignore the address if
exceeding a fixed-size stack buffer limit
There have been PHP errata over the years introducing/correcting these changes in
RHEL, see e.g. bug 174999.
At some point, uw-imap libc-client was changed so that the
rfc822_write_address() would now abort() if an arbitrary fixed size limit is
passed - 16K characters. When this occurs with PHP, no buffer overflow would
(should!) have occurred in the case that abort() is called, because PHP takes
care to avoid that as explained above. But it presents an effective DoS; people
who send you carefully crafted e-mails can deny you access to your webmail,
reduce Apache performance by terminating processes prematurely, etc.
The issue here doesn't affect RHEL because we don't ship the newer versions
of c-client which arbitrarily call abort(). Fedora does ship the newer
The issue here doesn't affect RHEL, that comment should have read, sorry.
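The size-first, allocate-or-reject pattern described in the comments above, as an added C example that is not PHP's ext/imap code nor c-client's: `legacy_write_address` is a hypothetical stand-in for an unbounded legacy formatter (it writes into whatever buffer it is handed and takes no size argument, the property the report attributes to rfc822_write_address()), `address_list_length` mirrors its output size so the caller can decide before anything is written, and `safe_write_address` either allocates exactly enough or refuses the list when it would exceed a limit. The `address_t` structure, the sample addresses and the 1024-byte limit are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified address list: models only "Name <mailbox@host>".
 * This is not the real c-client ADDRESS structure. */
typedef struct address {
    const char *personal;          /* display name, or NULL */
    const char *mailbox;
    const char *host;
    const struct address *next;
} address_t;

/* Hypothetical stand-in for the legacy formatter: it appends into dest
 * with no notion of how large dest is, so the caller alone must make
 * sure the output fits. */
static void legacy_write_address(char *dest, const address_t *list)
{
    *dest = '\0';
    for (const address_t *a = list; a != NULL; a = a->next) {
        if (a != list) strcat(dest, ", ");
        if (a->personal) { strcat(dest, a->personal); strcat(dest, " <"); }
        strcat(dest, a->mailbox);
        strcat(dest, "@");
        strcat(dest, a->host);
        if (a->personal) strcat(dest, ">");
    }
}

/* Exact length legacy_write_address() will produce, computed before any
 * byte is written. It must stay in step with the formatter above. */
size_t address_list_length(const address_t *list)
{
    size_t n = 0;
    for (const address_t *a = list; a != NULL; a = a->next) {
        if (a != list) n += 2;                             /* ", " */
        if (a->personal) n += strlen(a->personal) + 3;     /* name, " <", ">" */
        n += strlen(a->mailbox) + 1 + strlen(a->host);     /* mailbox@host */
    }
    return n;
}

/* Size the buffer first, then either allocate exactly enough or refuse the
 * list outright. Returns a heap string (caller frees) or NULL when the
 * formatted list would not fit under `limit` or allocation fails. */
char *safe_write_address(const address_t *list, size_t limit)
{
    size_t need = address_list_length(list);
    if (need >= limit)        /* header content is sender-controlled: refuse, never truncate into a fixed buffer */
        return NULL;
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    legacy_write_address(buf, list);
    return buf;
}

#define ADDRESS_LIMIT 1024    /* constructed limit for this example */

/* Constructed two-entry To: list used by the demos below. */
static const address_t sample_bob   = { NULL,    "bob",   "example.org", NULL };
static const address_t sample_alice = { "Alice", "alice", "example.com", &sample_bob };

/* Returns 1 when the sample list formats as expected within the limit and
 * the precomputed length matches what the formatter actually wrote. */
int demo_format_ok(void)
{
    char *s = safe_write_address(&sample_alice, ADDRESS_LIMIT);
    int ok = s != NULL
          && strcmp(s, "Alice <alice@example.com>, bob@example.org") == 0
          && strlen(s) == address_list_length(&sample_alice);
    free(s);
    return ok;
}

/* Returns 1 when a limit smaller than the list makes the call refuse
 * instead of writing past the end of a fixed-size buffer. */
int demo_format_rejected(void)
{
    return safe_write_address(&sample_alice, 10) == NULL;
}

int main(void)
{
    char *s = safe_write_address(&sample_alice, ADDRESS_LIMIT);
    printf("%s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The point of keeping `address_list_length` as a separate, exact mirror of the formatter is that the decision to allocate or refuse happens before the legacy routine runs; an under-estimate there is what turns a rejected oversized list back into an overflow, so the two functions must be changed together.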
This issue was addressed upstream in 5.2.7:
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.