Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 255121 - dev-lang/php affected by net-libs/c-client <2007e: Denial of Service (CVE-2008-5514)
Summary: dev-lang/php affected by net-libs/c-client <2007e: Denial of Service (CVE-200...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: CVE-2008-5514 255120 CVE-2009-0671
  Show dependency tree
Reported: 2009-01-16 01:46 UTC by Robert Buchholz (RETIRED)
Modified: 2010-01-05 21:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-16 01:46:06 UTC
Since PHP statically links in c-client with USE=imap or USE=kolab, we need to force a rebuild (preferably against a clean version of c-client) onto users.

PHP herd, what do you think?

+++ This bug was initially created as a clone of Bug #252567 +++

From redhat:

"Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not
check whether the buffer is already full and may therefore write one byte too
much. This leads to a segfault in rfc822_output_data() later due to memcpy with
size -1.

Issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines."
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:29:48 UTC
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-24 11:42:24 UTC
ping, bug 260115 might also affect php.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-21 23:36:58 UTC
Several security bugs have been reported since then, this means newer php versions have been stabled.
No danger for our users, but the problem itself should probably be fixed. For progress on that, see bug 255120.

Leaving open for possible inclusion in a GLSA.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:22 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.