Bug 255121

Summary: dev-lang/php affected by net-libs/c-client <2007e: Denial of Service (CVE-2008-5514)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jamie-lists, php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 252567, 255120, 260115
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-16 01:46:06 UTC
Since PHP statically links in c-client with USE=imap or USE=kolab, we need to force a rebuild (preferably against a clean version of c-client) onto users.

PHP herd, what do you think?

+++ This bug was initially created as a clone of Bug #252567 +++

From redhat:

"Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not
check whether the buffer is already full and may therefore write one byte too
much. This leads to a segfault in rfc822_output_data() later due to memcpy with
size -1.

Issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines."
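The off-by-one described in the quoted report, modelled as an added example in C (this is not c-client's code; the buffer layout, the function names and the 8-byte capacity are invented for the illustration): a flush-on-full byte writer that tests for fullness before storing, next to the unchecked remaining-room calculation that wraps to a huge memcpy size once the cursor has been pushed one byte past the end.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a flush-on-full output buffer, added for this page to
 * show the bug class in the report. Made-up names; not c-client's own code. */
#define BUF_CAP 8u

typedef struct {
    char   data[BUF_CAP];
    size_t cur;      /* bytes currently held in data[] */
    size_t flushed;  /* total bytes handed to the (simulated) flush */
} outbuf_t;

static void outbuf_flush(outbuf_t *b) {
    b->flushed += b->cur;  /* a real implementation would write data[] out */
    b->cur = 0;
}
/* Room left without a fullness check: once an unchecked byte write has pushed
 * cur one past BUF_CAP, the unsigned subtraction wraps ("memcpy with size -1"). */
static size_t room_unchecked(size_t cur) { return BUF_CAP - cur; }
/* Hardened: a full or over-full buffer reports zero room. */
static size_t room_checked(size_t cur) { return cur >= BUF_CAP ? 0 : BUF_CAP - cur; }
/* Hardened single-byte writer: the fullness test runs before the store, so
 * cur can never exceed BUF_CAP and data[] is never overrun. */
static void outbuf_putc(outbuf_t *b, char c) {
    if (b->cur >= BUF_CAP)
        outbuf_flush(b);
    b->data[b->cur++] = c;
}
/* Bulk writer built on the checked room calculation; returns bytes accepted. */
static size_t outbuf_write(outbuf_t *b, const char *src, size_t len) {
    size_t done = 0;
    while (done < len) {
        size_t n = room_checked(b->cur);
        if (n == 0) { outbuf_flush(b); continue; }
        if (n > len - done) n = len - done;
        memcpy(b->data + b->cur, src + done, n);
        b->cur += n;
        done += n;
    }
    return done;
}
/* Constructed scenario: 20 bytes in bulk, then 5 single bytes, via 8 bytes. */
static outbuf_t demo_scenario(void) {
    outbuf_t b = {{0}, 0, 0};
    outbuf_write(&b, "0123456789abcdefghij", 20);   /* 2 flushes, 4 left */
    for (int i = 0; i < 5; i++)                     /* 5th byte forces flush */
        outbuf_putc(&b, 'y');
    return b;
}
```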
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:29:48 UTC
ping
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-24 11:42:24 UTC
ping, bug 260115 might also affect php.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-21 23:36:58 UTC
Several security bugs have been reported since then, which means newer php versions have been stabled.
No danger for our users, but the problem itself should probably be fixed. For progress on that, see bug 255120.

Leaving open for possible inclusion in a GLSA.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:22 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.