Bug 452808 (CVE-2008-2829) - CVE-2008-2829 php: ext/imap legacy routine buffer overflow
Summary: CVE-2008-2829 php: ext/imap legacy routine buffer overflow
Alias: CVE-2008-2829
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On:
Reported: 2008-06-25 08:04 UTC by Tomas Hoger
Modified: 2021-11-12 19:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-05-31 11:22:10 UTC

Attachments

Description Tomas Hoger 2008-06-25 08:04:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2829 to the following vulnerability:

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.


Comment 1 Joe Orton 2008-07-24 10:40:46 UTC
The situation seems to be this:

The "legacy" function rfc822_write_address in the uw-imap c-client library is
used by the PHP "imap" extension to format lists of addresses.  The function
will be used in the simple path of reading and parsing the contents of a mailbox
from an IMAP server.  This becomes relevant to security because the lists of
addresses in question are the To, From, Cc, etc headers; under the control of
the people sending you mail.

This function historically did not take account of buffer overflow, nor does the
API provide an opportunity to avoid or detect buffer overflow.  So, the PHP imap
extension was changed to:

1) calculate the buffer size that would be needed by rfc822_write_address, and
2) either allocate a buffer large enough, or fail/ignore the address if
exceeding a fixed-size stack buffer limit

There have been PHP errata over the years introducing/correcting these changes in
RHEL, see e.g. bug 174999.

At some point, uw-imap libc-client was changed so that the
rfc822_write_address() would now abort() if an arbitrary fixed size limit is
passed - 16K characters.  When this occurs with PHP, no buffer overflow would
(should!) have occurred in the case that abort() is called, because PHP takes
care to avoid that as explained above.  But it presents an effective DoS; people
who send you carefully crafted e-mails can deny you access to your webmail,
reduce Apache performance by terminating processes prematurely, etc.

The issue here doesn't affect RHEL[23] because we don't ship the newer versions
of c-client which arbitrarily call abort().  Fedora does ship the newer
versions, however.

Comment 2 Joe Orton 2008-07-24 10:41:51 UTC
The issue here doesn't affect RHEL[2345], that comment should have read, sorry.
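The size-first pattern comment 1 describes, as an added example that is not code from PHP's ext/imap or from the uw-imap c-client: a toy address list, a "legacy" writer with the same shape as rfc822_write_address() (destination buffer, no length argument), a caller-side length computation that follows the identical formatting rule, and a wrapper that refuses over-limit lists instead of crashing. The struct, function names, the "Name <mailbox@host>" formatting rule and the 16384-byte limit are assumptions for this illustration, not the real library's API or constants.

```c
/* Added example (not PHP or c-client code).  Models the hazard in comment 1:
 * a writer that cannot be told its buffer size, and a caller that measures
 * first.  Names, format and limit are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct address {
    const char *personal;      /* display name, may be NULL */
    const char *mailbox;       /* local part */
    const char *host;          /* domain */
    struct address *next;      /* next entry in the header's list */
} ADDRESS;

/* Stand-in for the fixed limit newer c-client enforces with abort();
 * the value is an assumption for this example. */
#define MAX_ADDRESS_LIST 16384

/* One formatting rule, shared by the size and write paths so they cannot
 * drift apart: that drift is exactly what turns "measured" into "overflowed". */
#define FMT_NAMED "%s <%s@%s>"
#define FMT_PLAIN "%s@%s"

/* Legacy shape: writes into dest with no idea how big dest is.  Safe only if
 * the caller already knows the exact size, which is the whole problem. */
void legacy_write_address(char *dest, const ADDRESS *list)
{
    char *p = dest;
    *p = '\0';
    for (const ADDRESS *a = list; a; a = a->next) {
        if (a != list) p += sprintf(p, ", ");
        p += (a->personal && *a->personal)
               ? sprintf(p, FMT_NAMED, a->personal, a->mailbox, a->host)
               : sprintf(p, FMT_PLAIN, a->mailbox, a->host);
    }
}

/* Caller-side precomputation: the number of bytes (excluding the NUL) that
 * legacy_write_address() would emit for this list.  snprintf(NULL, 0, ...)
 * is the size probe; it writes nothing. */
size_t address_list_len(const ADDRESS *list)
{
    size_t n = 0;
    for (const ADDRESS *a = list; a; a = a->next) {
        if (a != list) n += 2;                              /* ", " */
        n += (a->personal && *a->personal)
               ? (size_t)snprintf(NULL, 0, FMT_NAMED, a->personal, a->mailbox, a->host)
               : (size_t)snprintf(NULL, 0, FMT_PLAIN, a->mailbox, a->host);
    }
    return n;
}

/* Hardened caller: measure, refuse anything at or beyond the limit (the
 * "fail/ignore the address" choice, rather than abort()), then allocate
 * exactly what the legacy writer will produce.  Caller frees the result. */
char *safe_write_address(const ADDRESS *list)
{
    size_t need = address_list_len(list);
    if (need >= MAX_ADDRESS_LIST)
        return NULL;                /* attacker-sized header: skip it, no crash */
    char *buf = malloc(need + 1);
    if (!buf)
        return NULL;
    legacy_write_address(buf, list);
    return buf;
}

/* Constructed sample input: two addresses as they might appear in a To: header. */
char *demo_format_two(void)
{
    ADDRESS bob   = { NULL, "bob", "example.net", NULL };
    ADDRESS alice = { "Alice Example", "alice", "example.org", &bob };
    return safe_write_address(&alice);
}

/* Constructed hostile input: a single entry whose display name alone exceeds
 * the limit, the kind of header a remote sender controls. */
char *demo_format_oversized(void)
{
    char *big = malloc(MAX_ADDRESS_LIST + 1);
    if (!big)
        return NULL;
    memset(big, 'A', MAX_ADDRESS_LIST);
    big[MAX_ADDRESS_LIST] = '\0';
    ADDRESS evil = { big, "x", "example.org", NULL };
    char *out = safe_write_address(&evil);
    free(big);
    return out;
}

int main(void)
{
    char *s = demo_format_two();
    printf("formatted: %s\n", s ? s : "(refused)");
    free(s);
    s = demo_format_oversized();
    printf("oversized: %s\n", s ? "formatted" : "refused without crashing");
    free(s);
    return 0;
}
```

The point of keeping a single pair of format strings is that the measurement and the write must agree byte for byte; any rule applied in one path but not the other (quoting a display name, adding a group name, escaping) reopens the overflow even though a size check is present. The refusal branch is where a caller chooses between PHP's "skip this address" behaviour and c-client's abort(): with the limit enforced before the library call, a crafted header costs one dropped address rather than a terminated worker process.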

Comment 3 Tomas Hoger 2008-12-05 16:02:54 UTC
This issue was addressed upstream in 5.2.7:

Comment 4 Fedora Update System 2009-05-30 02:33:54 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2009-05-30 02:37:58 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
