Bug 452808 - (CVE-2008-2829) CVE-2008-2829 php: ext/imap legacy routine buffer overflow
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: low Severity: low
Assigned To: Red Hat Product Security
: Security
Depends On:
Reported: 2008-06-25 04:04 EDT by Tomas Hoger
Modified: 2009-05-31 07:22 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-31 07:22:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Tomas Hoger 2008-06-25 04:04:59 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2829 to the following vulnerability:

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.

Comment 1 Joe Orton 2008-07-24 06:40:46 EDT
The situation seems to be this:

The "legacy" function rfc822_write_address in the uw-imap c-client library is
used by the PHP "imap" extension to format lists of addresses.  The function
will be used in the simple path of reading and parsing the contents of a mailbox
from an IMAP server.  This becomes relevant to security because the lists of
addresses in question are the To, From, Cc, etc headers; under the control of
the people sending you mail.

This function historically did not take account of buffer overflow, nor does the
API provide an opportunity to avoid or detect buffer overflow.  So, the PHP imap
extension was changed to:

1) calculate the buffer size that would be needed by rfc822_write_address, and
2) either allocate a buffer large enough, or fail/ignore the address if
exceeding a fixed-size stack buffer limit

There have been PHP errata over the years introducing/correcting these changes
in RHEL, see e.g. bug 174999.

At some point, uw-imap libc-client was changed so that the
rfc822_write_address() would now abort() if an arbitrary fixed size limit is
passed - 16K characters.  When this occurs with PHP, no buffer overflow would
(should!) have occurred in the case that abort() is called, because PHP takes
care to avoid that as explained above.  But it presents an effective DoS; people
who send you carefully crafted e-mails can deny you access to your webmail,
reduce Apache performance by terminating processes prematurely, etc.

The issue here doesn't affect RHEL[23] because we don't ship the newer versions
of c-client which arbitrarily call abort().  Fedora does ship the newer
versions, however.
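The two-step mitigation Joe describes above (size the output first, then either allocate exactly that much or refuse the list before the legacy writer runs) as an added C example. This is not PHP's ext/imap or c-client code: the `struct address` layout, the formatting rules of the modelled `legacy_write_address()`, the `ADDRESS_LIST_MAX` constant (set to the 16K figure the comment mentions) and the helper names are all assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Address node modelled on the shape of c-client's ADDRESS list. The struct,
 * its field names and the formatting below are constructed for this example,
 * not taken from c-client or PHP's ext/imap. */
struct address {
    const char *personal;          /* display name, may be NULL */
    const char *mailbox;           /* local part */
    const char *host;              /* domain */
    const struct address *next;
};

/* Our own refusal threshold. Comment 1 mentions a 16K fixed limit in newer
 * c-client releases; a wrapper must refuse at or below whatever limit the
 * library enforces so the library's abort() is never reached. */
#define ADDRESS_LIST_MAX 16384

/* Legacy-style writer: fills dest with no length argument, so the caller
 * alone is responsible for having sized the buffer (the API shape at issue). */
static void legacy_write_address(char *dest, const struct address *adr)
{
    dest[0] = '\0';
    for (; adr; adr = adr->next) {
        if (adr->personal) {
            strcat(dest, adr->personal);
            strcat(dest, " <");
        }
        strcat(dest, adr->mailbox);
        strcat(dest, "@");
        strcat(dest, adr->host);
        if (adr->personal)
            strcat(dest, ">");
        if (adr->next)
            strcat(dest, ", ");
    }
}

/* Step 1: compute the exact byte count the writer will emit (NUL excluded),
 * mirroring its formatting rules one for one. */
size_t address_list_length(const struct address *adr)
{
    size_t n = 0;
    for (; adr; adr = adr->next) {
        if (adr->personal)
            n += strlen(adr->personal) + 3;                  /* name, " <", ">" */
        n += strlen(adr->mailbox) + 1 + strlen(adr->host);   /* "@" */
        if (adr->next)
            n += 2;                                          /* ", " */
    }
    return n;
}

/* Step 2: allocate exactly what is needed, or refuse before the unbounded
 * writer runs. Returns NULL when the list exceeds ADDRESS_LIST_MAX or on
 * allocation failure; the caller frees a non-NULL result. */
char *write_address_checked(const struct address *adr)
{
    size_t need = address_list_length(adr);
    if (need > ADDRESS_LIST_MAX)
        return NULL;
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    legacy_write_address(buf, adr);
    return buf;
}

/* Constructed two-entry header list used by main() and the checks. */
const struct address *sample_list(void)
{
    static const struct address second = { NULL, "bob", "example.test", NULL };
    static const struct address first = { "Alice", "alice", "example.test", &second };
    return &first;
}

/* Returns 1 if a list with a single `len`-byte mailbox is refused, 0 if it is
 * formatted, -1 if the constructed input could not be allocated. */
int refuses_mailbox_of_length(size_t len)
{
    char *mb = malloc(len + 1);
    if (mb == NULL)
        return -1;
    memset(mb, 'a', len);
    mb[len] = '\0';
    struct address a = { NULL, mb, "example.test", NULL };
    char *out = write_address_checked(&a);
    int refused = (out == NULL);
    free(out);
    free(mb);
    return refused;
}

int main(void)
{
    char *out = write_address_checked(sample_list());
    printf("%zu bytes: %s\n", address_list_length(sample_list()), out ? out : "(refused)");
    printf("20000-byte mailbox refused: %d\n", refuses_mailbox_of_length(20000));
    free(out);
    return 0;
}
```

The point of keeping `address_list_length()` as a separate, exact mirror of the writer is that the refusal decision is made from the header data alone, before any unbounded call; an oversized To/Cc list from an untrusted sender then costs one `strlen()` pass and a NULL return rather than a crash or, with a library that aborts past its own limit, a terminated worker process.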
Comment 2 Joe Orton 2008-07-24 06:41:51 EDT
The issue here doesn't affect RHEL[2345], that comment should have read, sorry.
Comment 3 Tomas Hoger 2008-12-05 11:02:54 EST
This issue was addressed upstream in 5.2.7:
Comment 4 Fedora Update System 2009-05-29 22:33:54 EDT
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-05-29 22:37:58 EDT
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
