Since PHP statically links in c-client with USE=imap or USE=kolab, we need to force a rebuild (preferably against a clean version of c-client) onto users.
PHP herd, what do you think?
+++ This bug was initially created as a clone of Bug #252567 +++
"Ludwig Nussel reported a flaw in libc-client / uw-imap:
The rfc822_output_char() function in the uw-imap c-client library does not
check whether the buffer is already full and may therefore write one byte too
much. This leads to a segfault in rfc822_output_data() later due to memcpy with
Issue was fixed in imap-2007e:
Updated: 16 December 2008
imap-2007e is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users
plus a security fix for users of the RFC822BUFFER routines."
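A minimal model of the off-by-one described in the report above, added here as an illustration. It is not uw-imap or PHP code: the names (`outbuf`, `ob_putc_unchecked`, `ob_putc_checked`), the buffer size and the guard byte are assumptions made for the example.

```c
#include <string.h>

#define CAP    8      /* constructed buffer size */
#define CANARY 0x5A   /* guard value stored one byte past 'end' */

/* Simplified flush-on-full output buffer (hypothetical, not the c-client struct). */
typedef struct {
    char   store[CAP + 1];   /* store[CAP] is the guard byte */
    char  *cur, *end;        /* next write position, one past last usable byte */
    size_t flushed;          /* bytes handed to the sink so far */
} outbuf;

void ob_flush(outbuf *b) {
    b->flushed += (size_t)(b->cur - b->store);
    b->cur = b->store;
}

/* Flawed pattern: stores first and checks afterwards. If the buffer is
   already full on entry (cur == end), the store lands one byte past it. */
void ob_putc_unchecked(outbuf *b, int c) {
    *b->cur++ = (char)c;
    if (b->cur == b->end) ob_flush(b);
}

/* Hardened pattern: flush a full buffer before storing. */
void ob_putc_checked(outbuf *b, int c) {
    if (b->cur == b->end) ob_flush(b);
    *b->cur++ = (char)c;
    if (b->cur == b->end) ob_flush(b);
}

/* Puts the buffer in the "already full" state, writes one more character
   with the given routine, and returns 1 if the guard byte survived. */
int guard_intact_after(void (*put)(outbuf *, int)) {
    outbuf b;
    memcpy(b.store, "ABCDEFGH", CAP);   /* constructed sample data */
    b.store[CAP] = CANARY;
    b.end = b.store + CAP;
    b.cur = b.end;                      /* full, not yet flushed */
    b.flushed = 0;
    put(&b, 'X');
    return (unsigned char)b.store[CAP] == CANARY;
}
```

The guard byte sits inside the same array, so the flawed routine's extra write is observable without leaving the allocation.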
ping, bug 260115 might also affect php.
Several security bugs have been reported since then; this means newer php versions have been stabled.
No danger for our users, but the problem itself should probably be fixed. For progress on that, see bug 255120.
Leaving open for possible inclusion in a GLSA.
Thank you everyone, sorry about the delay.