Bug 477227 - (CVE-2008-5514) CVE-2008-5514 libc-client: buffer overflow in rfc822_output_char / rfc822_output_data
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=vendorsec,impact=moderate,repo...
Keywords: Reopened, Security
Depends On: 770368 770369
Reported: 2008-12-19 13:41 EST by Tomas Hoger
Modified: 2013-12-07 09:03 EST
Last Closed: 2013-12-07 09:03:39 EST
Doc Type: Bug Fix

Attachments
Upstream patch (834 bytes, patch), 2008-12-19 13:43 EST, Tomas Hoger

Description Tomas Hoger 2008-12-19 13:41:51 EST
Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not check whether the buffer is already full and may therefore write one byte too much. This leads to a segfault in rfc822_output_data() later due to memcpy with size -1.

The issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines.
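The report above describes the defect in general terms. What follows is an added illustration written for this page in C; it is not the c-client source, the upstream patch, or any code from the reporters. The struct and function names (outbuf, put_char_unchecked, put_char_checked, output_data, space_left, run_sequence) and the eight-byte input are this example's own assumptions. It models a bounded output buffer with a flush callback: a bulk writer fills the buffer exactly and leaves cur == end without flushing, the unchecked single-character writer then stores before asking whether the buffer was already full, and the remaining-space calculation goes negative, which is the value that becomes a memcpy length of (size_t)-1 in the described bug. The checked variant flushes first. output_data here refuses to copy when the space is negative so the demo stays runnable; the comment marks where real code would hand that negative value to memcpy.

```c
/* Added illustration of the "store first, check full afterwards" off-by-one.
 * All names are this example's own, not the c-client API. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUFLEN 8              /* usable bytes between beg and end */

typedef struct outbuf {
    char storage[BUFLEN + 1]; /* one guard byte so the overflow is observable, not UB */
    char *beg, *cur, *end;    /* end points one past the last usable byte */
    char sink[64];            /* stands in for the socket/file a flush callback writes to */
    size_t sink_len;
} outbuf;

static void outbuf_init(outbuf *b) {
    memset(b, 0, sizeof *b);
    b->beg = b->cur = b->storage;
    b->end = b->storage + BUFLEN;
}

/* Flush callback: push [beg,cur) to the sink and reset cur. Returns 1 on success. */
static int outbuf_flush(outbuf *b) {
    size_t n = (size_t)(b->cur - b->beg);
    if (b->sink_len + n > sizeof b->sink) return 0;
    memcpy(b->sink + b->sink_len, b->beg, n);
    b->sink_len += n;
    b->cur = b->beg;
    return 1;
}

/* Bytes still free. Signed on purpose: once cur has run past end this is -1,
 * and a size_t copy length derived from it is SIZE_MAX. */
static long space_left(const outbuf *b) { return (long)(b->end - b->cur); }

/* Bulk write in chunks: copy min(len, end - cur), flush only while input remains.
 * If the input ends exactly as the buffer fills, cur is left equal to end, unflushed.
 * Returns 1 on success, 0 on flush failure, -1 if the buffer was already overrun. */
static int output_data(outbuf *b, const char *s, size_t len) {
    while (len) {
        long room = space_left(b);
        if (room < 0) return -1;   /* demo guard: real code would memcpy (size_t)room bytes */
        size_t i = len < (size_t)room ? len : (size_t)room;
        if (i) { memcpy(b->cur, s, i); b->cur += i; s += i; len -= i; }
        if (len && !outbuf_flush(b)) return 0;
    }
    return 1;
}

/* VULNERABLE: stores first, checks for "full" afterwards. Called with cur == end
 * it writes one byte past the end and leaves cur == end + 1. */
static int put_char_unchecked(outbuf *b, char c) {
    *b->cur++ = c;
    return (b->cur == b->end) ? outbuf_flush(b) : 1;
}

/* FIXED: if the buffer is already full, flush before storing. */
static int put_char_checked(outbuf *b, char c) {
    if (b->cur == b->end && !outbuf_flush(b)) return 0;
    *b->cur++ = c;
    return 1;
}

/* Drive one variant through the same sequence: fill the buffer exactly with
 * output_data, add one character, report space_left(). -1 means the overrun happened. */
static long run_sequence(int (*put_char)(outbuf *, char), outbuf *b) {
    static const char eight[] = "ABCDEFGH";   /* constructed input, exactly BUFLEN bytes */
    outbuf_init(b);
    if (output_data(b, eight, BUFLEN) != 1) return -99;
    put_char(b, 'X');
    return space_left(b);
}

int main(void) {
    outbuf b;
    long left = run_sequence(put_char_unchecked, &b);
    printf("unchecked: space_left=%ld guard='%c' -> next copy length would be %zu\n",
           left, b.storage[BUFLEN], (size_t)left);
    left = run_sequence(put_char_checked, &b);
    printf("checked:   space_left=%ld flushed=%zu bytes\n", left, b.sink_len);
    return 0;
}
```

The unchecked run ends with the guard byte overwritten and space_left() at -1, so the next output_data call sees a negative chunk size; the checked run flushes the eight bytes to the sink first and has seven bytes free afterwards. The fix is the ordering of the full-buffer check relative to the store, not a larger buffer.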
Comment 1 Tomas Hoger 2008-12-19 13:43:17 EST
Created attachment 327481 [details]
Upstream patch
Comment 2 Tomas Hoger 2008-12-19 13:46:32 EST
imap/libc-client source code is also embedded in alpine sources.  This issue was already fixed in alpine SVN:
  https://svn.cac.washington.edu/public/alpine/snapshots/

However, it's not clear whether this flaw is really triggerable in alpine.
Comment 3 Tomas Hoger 2008-12-19 13:48:19 EST
This issue did not affect versions of imap as shipped in Red Hat Enterprise Linux 2.1 and 3, and libc-client in Red Hat Enterprise Linux 4 and 5, as they do not include affected functions.  They seem to have been introduced in imap-2005.
Comment 6 Tomas Hoger 2008-12-19 13:50:56 EST
Additionally, according to upstream, this flaw most likely does not affect imapd, but may affect other applications using c-client, such as PHP.
Comment 7 Tomas Hoger 2009-01-07 11:04:43 EST
Rex, I see new 2007e uw-imap in Koji and no update request.  Any known issues with new 2007e?  Can they be submitted as updates?
Comment 8 Rex Dieter 2009-01-07 11:08:37 EST
Updates need to happen, yes.  I just didn't personally have time... and asked my fedora comaintainers to issue an update (I suppose everyone is busy).
Comment 9 Fedora Update System 2009-01-12 06:06:28 EST
uw-imap-2007e-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc10
Comment 10 Fedora Update System 2009-01-12 06:06:33 EST
uw-imap-2007e-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc9
Comment 11 Tomas Hoger 2009-01-12 06:07:42 EST
Testing update requests submitted.
Comment 12 Fedora Update System 2009-01-21 16:36:57 EST
uw-imap-2007e-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-01-21 16:39:06 EST
uw-imap-2007e-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Kurt Seifried 2011-12-26 02:47:36 EST
This also reportedly affects alpine

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653238
Comment 15 Kurt Seifried 2011-12-26 02:51:15 EST
Created alpine tracking bugs for this issue

Affects: fedora-all [bug 770368]
Affects: epel-all [bug 770369]
Comment 16 Joshua Daniel Franklin 2011-12-26 14:12:42 EST
Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is based off the dead upstream project 2.00, while we base off [re-]alpine 2.02 from http://re-alpine.sourceforge.net/

The patch was applied upstream 10 Jun 2009 by Andraž Levstik with note "updated imap to 2007e per Mark Crispin's suggestion":

http://re-alpine.git.sourceforge.net/git/gitweb.cgi?p=re-alpine/re-alpine;a=commitdiff;h=3f20a0fc24537497ca1291ed04c8fb9848a19978;hp=1880d23af62bfdd11c9b43235429b81984093c99

I'll close NOTABUG but feel free to recommend otherwise, for example if it would make sense to mention the CVE in a changelog entry even just for bookkeeping purposes.
Comment 17 Tomas Hoger 2011-12-28 07:36:10 EST
(In reply to comment #16)
> Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is
> based off the dead upstream project 2.00, while we base off [re-]alpine 2.02
> from http://re-alpine.sourceforge.net/ 

EPEL is using 2.00 too, and does not seem to have fix applied.

EPEL-4: http://koji.fedoraproject.org/packages/alpine/2.00/1.el4
EPEL-5: http://koji.fedoraproject.org/packages/alpine/2.00/1.el5
EPEL-6: http://koji.fedoraproject.org/packages/alpine/2.00/9.el6
Comment 18 Joshua Daniel Franklin 2011-12-28 19:05:14 EST
Oh my, better fix that. I just committed a new 2.02-3 spec to el5 branch, mockbuild worked for me but build failed on koji just now so I'll work some more on this to get all the EPELs updated.

http://pkgs.fedoraproject.org/gitweb/?p=alpine.git;a=commitdiff;h=d18633bd1ab8cda7bf96240aa6a29ec178166b52
Comment 19 Joshua Daniel Franklin 2011-12-29 01:37:28 EST
Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch" error from mock) but here's the el5 and el6:

https://admin.fedoraproject.org/updates/alpine-2.02-3.el5

https://admin.fedoraproject.org/updates/alpine-2.02-3.el6
Comment 20 Tomas Hoger 2011-12-29 02:47:35 EST
(In reply to comment #19)
> Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch"
> error from mock)

Have you tried creating SRPM using rpmbuild-md5 from fedora-packager?
Comment 21 Joshua Daniel Franklin 2011-12-29 10:46:31 EST
Thanks, rpmbuild-md5 -bs --define 'dist .el4' alpine.spec did the trick. 

Here's all three, this bug and the epel child should automatically close once they get enough karma to head to stable:

https://admin.fedoraproject.org/updates/alpine-2.02-3.el4

https://admin.fedoraproject.org/updates/alpine-2.02-3.el5

https://admin.fedoraproject.org/updates/alpine-2.02-3.el6