php has known bugs against an old c-client library. there is the net-libs/c-client-2006k already in portage. Is it possible to add patch from http://bugs.php.net/bug.php?id=42862 and others ? Reproducible: Always Steps to Reproduce: 1. see http://bugs.php.net/bug.php?id=42862 2. 3. Actual Results: May 13 19:28:17 w19 php-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow May 13 19:28:18 w19 php-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow May 13 19:28:18 w19 php-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow May 13 19:28:19 w19 php-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow May 13 19:28:20 w19 php-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow Expected Results: works well
Reassigning to security. We are going to patch it, I guess we need to review the mentioned patch again. It's local DoS / code execution "only", so I'm not sure whether we should push -r2 just now or simply wait on the next bunch of sec fixes. Security? Will take care of it tomorrow.
Deniss, what other issues / patches are you referring to (besides the linked bug report)?
Also sometimes I get following error, but cant figure out the reason nor google patch so far May 13 22:57:16 w19 php-cgi: IMAP toolkit crash: Unable to look up user name May 13 23:58:51 w19 php-cgi: IMAP toolkit crash: Unable to look up user name May 13 23:58:51 w19 php-cgi: IMAP toolkit crash: Unable to look up user name May 14 01:42:59 w19 php-cgi: IMAP toolkit crash: Unable to look up user name May 14 01:43:16 w19 php-cgi: IMAP toolkit crash: Unable to look up user name
Please open a seperate bug for that and also file an upstream [1] bug. Does PHP really crash (as the message says) or is it simply a "bug"? In the latter case it's probably not security-relevant, in the first it is. Also, this might help: http://article.gmane.org/gmane.comp.horde.user/11777 [1] http://bugs.php.net/
Had a look at the patch and talked to Pierre from upstream about it. The patch itself is fine, something similar (which does not break compatibility which very old c-client version [which we dont even ship anymore]) will probably be committed to upstream cvs in the near future. The patch will be part of php-5.2.6-r1 which is supposed to hit the tree in the next few days, depending on the status of the other security bug. I'm only refering to the initial problem. The other issues need more investigation and are unlikely to have any security impact. Please create a seperate bug report for them (also at upstream's bug tracker).
We'll handle stabilization etc. in bug 228369.
php-5.2.6-r2 with the relevant patch is in the tree. Moving this bug away from security again, we're handling the security part of this issue along with the other fixes in bug 230575.