Ludwig Nussel reported a flaw in libc-client / uw-imap:
The rfc822_output_char() function in the uw-imap c-client library does not check whether the buffer is already full and may therefore write one byte too much. This leads to a segfault in rfc822_output_data() later due to memcpy with size -1.
The issue was fixed in imap-2007e:
Updated: 16 December 2008
imap-2007e is a maintenance release, consisting primarily of bugfixes to problems discovered in the release that affected a small number of users plus a security fix for users of the RFC822BUFFER routines.
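Ludwig's description, modelled as an added example that is not c-client's code: a buffer append without a room check beside its checked form, and the length computation that turns a write pointer sitting one byte past the end into a (size_t)-1 memcpy length. The outbuf layout, the 4-byte size and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of an RFC822BUFFER-style output buffer (not c-client
 * source): cur is the next write position, end is one past the last byte. */
typedef struct { unsigned char *cur, *end; } outbuf;

/* Vulnerable shape: no room check, so a call on a full buffer writes one
 * byte past end and leaves cur == end + 1. */
static void put_char_unchecked(outbuf *b, unsigned char c) { *b->cur++ = c; }

/* Hardened shape: a full buffer is refused, so cur can never pass end. */
static int put_char_checked(outbuf *b, unsigned char c)
{
    if (b->cur >= b->end) return 0;   /* full: caller must flush first */
    *b->cur++ = c;
    return 1;
}

/* The later bulk copy sizes its memcpy from the space left. Once cur has
 * run past end, end - cur is -1 and becomes SIZE_MAX as a size_t length:
 * the "memcpy with size -1" crash described in the report. */
static size_t remaining_space(const outbuf *b)
{
    return (size_t)(b->end - b->cur);
}

/* Push n chars through a 4-byte buffer with the unchecked routine. The
 * store has a 5th guard byte so the demo stays inside a real allocation. */
static size_t fill_unchecked(int n)
{
    unsigned char store[5] = {0};
    outbuf b = { store, store + 4 };
    for (int i = 0; i < n; i++)
        put_char_unchecked(&b, 'x');
    return remaining_space(&b);
}

/* Same drive with the checked routine; *accepted counts bytes stored. */
static size_t fill_checked(int n, int *accepted)
{
    unsigned char store[4] = {0};
    outbuf b = { store, store + 4 };
    *accepted = 0;
    for (int i = 0; i < n; i++)
        *accepted += put_char_checked(&b, 'x');
    return remaining_space(&b);
}
```

With four chars the unchecked buffer reports 0 bytes left; with a fifth it reports SIZE_MAX, which is the length the later copy would hand to memcpy, while the checked routine stores four, rejects the fifth and still reports 0.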
Created attachment 327481
imap/libc-client source code is also embedded in alpine sources. This issue was already fixed in alpine SVN:
However, it's not clear whether this flaw is really triggerable in alpine.
This issue did not affect versions of imap as shipped in Red Hat Enterprise Linux 2.1 and 3, and libc-client in Red Hat Enterprise Linux 4 and 5, as they do not include the affected functions. They seem to have been introduced in imap-2005.
Additionally, according to upstream, this flaw most likely does not affect imapd, but may affect other applications using c-client, such as PHP.
Rex, I see new 2007e uw-imap in Koji and no update request. Any known issues with new 2007e? Can they be submitted as updates?
Updates need to happen, yes. I just didn't personally have time... and asked my Fedora co-maintainers to issue an update (I suppose everyone is busy).
uw-imap-2007e-1.fc10 has been submitted as an update for Fedora 10.
uw-imap-2007e-1.fc9 has been submitted as an update for Fedora 9.
Testing update requests submitted.
uw-imap-2007e-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
uw-imap-2007e-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This also reportedly affects alpine.
Created alpine tracking bugs for this issue
Affects: fedora-all [bug 770368]
Affects: epel-all [bug 770369]
Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is based off the dead upstream project 2.00, while we base off [re-]alpine 2.02 from http://re-alpine.sourceforge.net/
The patch was applied upstream on 10 Jun 2009 by Andraž Levstik with the note "updated imap to 2007e per Mark Crispin's suggestion":
I'll close NOTABUG but feel free to recommend otherwise, for example if it would make sense to mention the CVE in a changelog entry even just for bookkeeping purposes.
(In reply to comment #16)
> Looks like Fedora/EPEL alpine has this patch already. Looks like Debian is
> based off the dead upstream project 2.00, while we base off [re-]alpine 2.02
> from http://re-alpine.sourceforge.net/
EPEL is using 2.00 too, and does not seem to have the fix applied.
Oh my, better fix that. I just committed a new 2.02-3 spec to the el5 branch; mockbuild worked for me but the build failed on koji just now, so I'll work some more on this to get all the EPELs updated.
Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch" error from mock) but here's the el5 and el6:
(In reply to comment #19)
> Well, I've failed to wrangle el4 into shape (the ole "cpio: MD5 sum mismatch"
> error from mock)
Have you tried creating the SRPM using rpmbuild-md5 from fedora-packager?
Thanks, rpmbuild-md5 -bs --define 'dist .el4' alpine.spec did the trick.
Here's all three, this bug and the epel child should automatically close once they get enough karma to head to stable: