Ludwig Nussel reported a flaw in libc-client / uw-imap: The rfc822_output_char() function in the uw-imap c-client library does not check whether the buffer is already full and may therefore write one byte too much. This leads to a segfault in rfc822_output_data() later due to memcpy with size -1.

Issue was fixed in imap-2007e:

  Updated: 16 December 2008
  imap-2007e is a maintenance release, consisting primarily of bugfixes to problems discovered in the release that affected a small number of users plus a security fix for users of the RFC822BUFFER routines.
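The report above describes a classic buffered-output off-by-one: a byte-at-a-time writer that stores first and only then checks for fullness, followed by a bulk writer that sizes its memcpy from `end - cur`. The block below is an added model of that pattern, not the c-client source or the upstream patch; the type `outbuf_t` and the `ob_*` functions are hypothetical stand-ins for the RFC822BUFFER routines, with a one-byte canary after the buffer so the overrun can be observed without corrupting anything else. It shows how a buffer left exactly full, then pushed through the unchecked writer, ends up with `cur == end + 1`, so that `end - cur` is -1 and a `(size_t)` conversion turns it into SIZE_MAX, and how the fixed writer (flush before store) avoids it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OB_CAP  16   /* tiny buffer so the edge is easy to hit */
#define OB_SINK 256

/* Hypothetical stand-in for an RFC822BUFFER-style structure: beg/cur/end
 * pointers plus a flush routine. buf[OB_CAP] is a canary that is never a
 * valid slot; it exists only so the off-by-one can be detected safely. */
typedef struct {
    char *beg, *cur, *end;
    char buf[OB_CAP + 1];   /* real buffer is buf[0..OB_CAP-1] */
    char sink[OB_SINK];     /* where flushed bytes go (stands in for the socket) */
    size_t sinklen;
} outbuf_t;

static void ob_init(outbuf_t *b) {
    b->beg = b->cur = b->buf;
    b->end = b->buf + OB_CAP;
    b->buf[OB_CAP] = 'C';   /* canary */
    b->sinklen = 0;
}

/* Hand buffered bytes to the sink and rewind. Returns 0 on failure. */
static int ob_flush(outbuf_t *b) {
    size_t n = (size_t)(b->cur - b->beg);
    if (b->sinklen + n > OB_SINK) return 0;
    memcpy(b->sink + b->sinklen, b->beg, n);
    b->sinklen += n;
    b->cur = b->beg;
    return 1;
}

/* Signed free space. Negative means cur has already run past end. */
static long ob_remaining(const outbuf_t *b) { return (long)(b->end - b->cur); }

/* VULNERABLE pattern: store first, flush only if the store made it full.
 * If cur == end on entry, the store lands one byte past the buffer. */
static int ob_char_vuln(outbuf_t *b, int c) {
    *b->cur++ = (char)c;
    return (b->cur == b->end) ? ob_flush(b) : 1;
}

/* FIXED pattern: make room before storing, then flush if now full. */
static int ob_char_fixed(outbuf_t *b, int c) {
    if (b->cur == b->end && !ob_flush(b)) return 0;
    *b->cur++ = (char)c;
    return (b->cur == b->end && !ob_flush(b)) ? 0 : 1;
}

/* Bulk writer that copies min(len, end - cur) per round, the shape the
 * report describes. After an overrun end - cur is -1, which as a size_t is
 * SIZE_MAX; this version refuses that state instead of calling memcpy.
 * It deliberately does not flush when a copy lands exactly on end, which is
 * what leaves cur == end for the next byte writer. */
static int ob_data(outbuf_t *b, const char *s, long len) {
    while (len > 0) {
        long room = ob_remaining(b);
        if (room < 0) return -1;                 /* overrun already happened */
        if (room == 0) { if (!ob_flush(b)) return 0; continue; }
        long i = len < room ? len : room;
        memcpy(b->cur, s, (size_t)i);
        b->cur += i; s += i; len -= i;
    }
    return 1;
}

/* Reproduce the report: fill exactly to capacity, then emit one more byte
 * through the unchecked writer. Returns 1 if the canary was clobbered and
 * the remaining-space arithmetic has gone negative. */
static int demo_overrun(void) {
    outbuf_t b; ob_init(&b);
    ob_data(&b, "0123456789abcdef", OB_CAP);    /* cur == end, nothing flushed */
    ob_char_vuln(&b, 'X');                      /* writes buf[OB_CAP] */
    return b.buf[OB_CAP] == 'X'
        && ob_remaining(&b) == -1
        && (size_t)ob_remaining(&b) == SIZE_MAX
        && ob_data(&b, "y", 1) == -1;           /* bulk writer now bails out */
}

/* Same sequence through the fixed writer: the 16 pending bytes are flushed
 * first, the canary survives, and 'X' starts the next buffer. */
static int demo_fixed(void) {
    outbuf_t b; ob_init(&b);
    ob_data(&b, "0123456789abcdef", OB_CAP);
    ob_char_fixed(&b, 'X');
    return b.buf[OB_CAP] == 'C' && b.sinklen == OB_CAP
        && ob_remaining(&b) == OB_CAP - 1 && b.buf[0] == 'X';
}

int main(void) {
    printf("unchecked writer overruns: %s\n", demo_overrun() ? "yes" : "no");
    printf("flush-first writer safe:   %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point to check in any buffer of this shape is that every path that can leave `cur == end` is paired with a writer that tests for fullness before storing, and that the bulk path never trusts `end - cur` to be non-negative; a signed difference silently converted to `size_t` is exactly the "memcpy with size -1" in the report.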
Created attachment 327481: Upstream patch
imap/libc-client source code is also embedded in alpine sources. This issue was already fixed in alpine SVN: https://svn.cac.washington.edu/public/alpine/snapshots/ However, it's not clear whether this flaw is really triggerable in alpine.
This issue did not affect versions of imap as shipped in Red Hat Enterprise Linux 2.1 and 3, and libc-client in Red Hat Enterprise Linux 4 and 5, as they do not include affected functions. They seem to have been introduced in imap-2005.
Additionally, according to upstream, this flaw most likely does not affect imapd, but may affect other applications using c-client, such as PHP.
Rex, I see new 2007e uw-imap in Koji and no update request. Any known issues with new 2007e? Can they be submitted as updates?
updates need to happen yes. I just didn't personally have time... and asked my fedora comaintainers to issue an update (I suppose everyone is busy).
uw-imap-2007e-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc10
uw-imap-2007e-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/uw-imap-2007e-1.fc9
Testing update requests submitted.
uw-imap-2007e-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
uw-imap-2007e-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This also reportedly affects alpine http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653238
Created alpine tracking bugs for this issue
Affects: fedora-all [bug 770368]
Affects: epel-all [bug 770369]
Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is based off the dead upstream project 2.00, while we base off [re-]alpine 2.02 from http://re-alpine.sourceforge.net/

The patch was applied upstream 10 Jun 2009 by Andraž Levstik with note "updated imap to 2007e per Mark Crispin's suggestion":
http://re-alpine.git.sourceforge.net/git/gitweb.cgi?p=re-alpine/re-alpine;a=commitdiff;h=3f20a0fc24537497ca1291ed04c8fb9848a19978;hp=1880d23af62bfdd11c9b43235429b81984093c99

I'll close NOTABUG but feel free to recommend otherwise, for example if it would make sense to mention the CVE in a changelog entry even just for bookkeeping purposes.
(In reply to comment #16)
> Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is
> based off the dead upstream project 2.00, while we base off [re-]alpine 2.02
> from http://re-alpine.sourceforge.net/

EPEL is using 2.00 too, and does not seem to have the fix applied.
EPEL-4: http://koji.fedoraproject.org/packages/alpine/2.00/1.el4
EPEL-5: http://koji.fedoraproject.org/packages/alpine/2.00/1.el5
EPEL-6: http://koji.fedoraproject.org/packages/alpine/2.00/9.el6
Oh my, better fix that. I just committed a new 2.02-3 spec to el5 branch, mockbuild worked for me but build failed on koji just now so I'll work some more on this to get all the EPELs updated.
http://pkgs.fedoraproject.org/gitweb/?p=alpine.git;a=commitdiff;h=d18633bd1ab8cda7bf96240aa6a29ec178166b52
Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch" error from mock) but here's the el5 and el6:
https://admin.fedoraproject.org/updates/alpine-2.02-3.el5
https://admin.fedoraproject.org/updates/alpine-2.02-3.el6
(In reply to comment #19)
> Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch"
> error from mock)

Have you tried creating SRPM using rpmbuild-md5 from fedora-packager?
Thanks, rpmbuild-md5 -bs --define 'dist .el4' alpine.spec did the trick. Here's all three, this bug and the epel child should automatically close once they get enough karma to head to stable:
https://admin.fedoraproject.org/updates/alpine-2.02-3.el4
https://admin.fedoraproject.org/updates/alpine-2.02-3.el5
https://admin.fedoraproject.org/updates/alpine-2.02-3.el6