ID: 42862
Updated by: [EMAIL PROTECTED]
Reported By: Maylein at ub dot uni-heidelberg dot de
Status: Assigned
Bug Type: IMAP related
Operating System: *
PHP Version: 5.2.6
Assigned To: pajoye
New Comment:
Looking at the current code, it looks like there's no actual overflow,
but rfc822_write_address is limited so the abort happens. I am not
seeing a code path that would lead to rfc822_write_address writing more
data than the buffer size, unless I misunderstand how
_php_imap_address_size works.
Is this impression correct? If so, we still need to fix it since
abort() is a nasty thing, but it doesn't seem to be a security issue.
Previous Comments:
------------------------------------------------------------------------
[2008-07-21 21:48:00] [EMAIL PROTECTED]
I will give it some love while working on the imap lib.
------------------------------------------------------------------------
[2008-07-08 18:27:11] david at blue-labs dot org
please fix 008_imap-bufferoverflows.patch to include the typedef for
RFC822BUFFER.
/* Output buffering for RFC [2]822 */
typedef long (*soutr_t) (void *stream,char *string);
typedef struct rfc822buffer {
  soutr_t f;    /* I/O flush routine */
  void *s;      /* stream for I/O routine */
  char *beg;    /* start of buffer */
  char *cur;    /* current buffer pointer */
  char *end;    /* end of buffer */
} RFC822BUFFER;
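
Added example (not part of the comment above, and not c-client or PHP code): one way a writer over the RFC822BUFFER fields can stay inside beg..end by flushing through f instead of writing past end. The helpers buf_flush and buf_write, the sink, and the address are hypothetical and constructed for illustration.

```c
#include <string.h>

/* Typedefs as quoted in the comment above. */
typedef long (*soutr_t) (void *stream, char *string);
typedef struct rfc822buffer {
  soutr_t f;    /* I/O flush routine */
  void *s;      /* stream for I/O routine */
  char *beg;    /* start of buffer */
  char *cur;    /* current buffer pointer */
  char *end;    /* end of buffer */
} RFC822BUFFER;

/* Hypothetical helper: pass the buffered bytes to the flush routine, rewind. */
static long buf_flush(RFC822BUFFER *b) {
  *b->cur = '\0';              /* assumes one spare byte after end for the NUL */
  b->cur = b->beg;
  return (*b->f)(b->s, b->beg);
}

/* Hypothetical helper: bounded write that flushes when no room is left. */
static long buf_write(RFC822BUFFER *b, const char *src, size_t len) {
  while (len) {
    size_t room = (size_t)(b->end - b->cur);
    if (room == 0) { if (!buf_flush(b)) return 0; continue; }
    size_t n = len < room ? len : room;
    memcpy(b->cur, src, n);
    b->cur += n; src += n; len -= n;
  }
  return 1;
}

/* Constructed sink: collects flushed chunks, refuses rather than overruns. */
struct sink { char data[256]; size_t used; int flushes; };
static long sink_out(void *stream, char *string) {
  struct sink *k = stream;
  size_t n = strlen(string);
  if (k->used + n >= sizeof k->data) return 0;
  memcpy(k->data + k->used, string, n + 1);
  k->used += n; k->flushes++;
  return 1;
}

/* Push a constructed 28-byte address through an 8-byte staging buffer. */
static int demo(struct sink *k) {
  char tmp[8 + 1];
  RFC822BUFFER b = { sink_out, k, tmp, tmp, tmp + 8 };
  const char *addr = "Some User <user@example.org>";
  memset(k, 0, sizeof *k);
  return buf_write(&b, addr, strlen(addr)) && buf_flush(&b);
}
```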
------------------------------------------------------------------------
[2008-06-24 10:54:50] hoffie at gentoo dot org
This is CVE-2008-2829.
------------------------------------------------------------------------
[2008-06-18 17:43:50] hoffie at gentoo dot org
Over 7 months and two releases have passed, yet no developer even
commented on this *security* issue (according to the c-client devs). So
what's up with this, are there any problems with the patch? If yes,
would you mind pointing them out, so that one can try to fix them?
------------------------------------------------------------------------
[2008-05-27 13:06:39] falon at csi dot it
I use Horde Groupware Webmail Edition 1.0.6 with Apache/1.3.41 (Unix)
PHP/5.2.5 mod_ssl/2.8.31 OpenSSL/0.9.8g.
I had the same bug.
I tried sborril's patch: it fixes the problem in my environment too. I
would appreciate it if it could be added to the next release of PHP.
Regards
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/42862