Mateusz Kocielski reported a deficiency in the way PHP IMAP extension processed provided user credentials, when opening user mailbox folder. A local attacker could use this flaw to cause a denial of service (particular php application crash) or, potentially, execute arbitrary code with the privileges of the user running the application, by providing a specially-crafted user credentials. References: [1] http://svn.php.net/viewvc?view=revision&revision=305062 [2] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/imap/php_imap.c?r1=294699&r2=305032&pathrev=305032&view=patch [3] http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:239 [4] http://www.vupen.com/english/advisories/2010/3027
This issue affects the versions of the php package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- This issue affects the versions of the php package, as shipped with Fedora release of 12, 13, and 14. Please fix.
Created php tracking bugs for this issue Affects: fedora-all [bug 656932]
Statement: We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
*** This bug has been marked as a duplicate of bug 169857 ***