Bug 252567 (CVE-2008-5514) - net-libs/c-client <2007e: Denial of Service (CVE-2008-5514)
Summary: net-libs/c-client <2007e: Denial of Service (CVE-2008-5514)
Alias: CVE-2008-5514
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: C3 [glsa]
Depends on:
Blocks: 255121
Reported: 2008-12-26 08:46 UTC by Matti Bickel (RETIRED)
Modified: 2009-11-25 16:11 UTC

Description Matti Bickel (RETIRED) gentoo-dev 2008-12-26 08:46:52 UTC
From redhat:

"Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not
check whether the buffer is already full and may therefore write one byte too
much. This leads to a segfault in rfc822_output_data() later due to memcpy with
size -1.

Issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines."
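
The failure mode described in the report, as an added example that is not part of the bug report and is not the c-client source: a small model of a buffered writer in which a single-byte store made without a fullness check pushes the write pointer past the end, so the next "remaining space" calculation is -1. The struct, function names and the 8-byte capacity are hypothetical, and the model assumes a bulk write can leave the buffer exactly full.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAP 8   /* constructed buffer size for the demonstration */

/* Hypothetical model of a buffered writer; NOT the c-client RFC822BUFFER code. */
struct outbuf {
    char data[CAP + 1];  /* +1 guard byte keeps the modelled overrun inside the array */
    char *cur, *end;     /* next write position; one past the last usable byte */
    size_t flushed;      /* bytes handed to the (imaginary) sink */
};

void ob_init(struct outbuf *b) { b->cur = b->data; b->end = b->data + CAP; b->flushed = 0; }
void ob_flush(struct outbuf *b) { b->flushed += (size_t)(b->cur - b->data); b->cur = b->data; }
ptrdiff_t ob_room(const struct outbuf *b) { return b->end - b->cur; }

/* Flawed pattern: stores first, never asks whether the buffer is already full. */
void put_char_unchecked(struct outbuf *b, int c) {
    *b->cur++ = (char)c;
    if (b->cur == b->end) ob_flush(b);
}

/* Hardened pattern: drain a full buffer before storing the byte. */
void put_char_checked(struct outbuf *b, int c) {
    if (b->cur >= b->end) ob_flush(b);
    *b->cur++ = (char)c;
}

/* Bulk write. Assumption of this model: it may leave the buffer exactly full.
   Returns -1 where an unguarded version would call memcpy with length -1. */
int put_data(struct outbuf *b, const char *s, size_t len) {
    while (len) {
        ptrdiff_t room = ob_room(b);
        if (room < 0) return -1;                 /* cur ran past end */
        if (room == 0) { ob_flush(b); continue; }
        size_t n = len < (size_t)room ? len : (size_t)room;
        memcpy(b->cur, s, n);
        b->cur += n; s += n; len -= n;
    }
    return 0;
}

int main(void) {
    struct outbuf b;
    ob_init(&b);
    put_data(&b, "12345678", CAP);   /* buffer now exactly full */
    put_char_unchecked(&b, 'X');     /* lands in the guard byte */
    printf("room=%td next put_data=%d\n", ob_room(&b), put_data(&b, "y", 1));
    return 0;
}
```

Without the `room < 0` guard, the -1 would be converted to the largest `size_t` value when passed to `memcpy`, which is the crash the report describes.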
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-12-26 08:49:07 UTC
Gunnar, can you please provide an updated ebuild?
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 19:59:43 UTC
net-libs/c-client-2007e is in the tree.


  alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 3 Brent Baude (RETIRED) gentoo-dev 2008-12-29 13:58:31 UTC
ppc64 done
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:23:13 UTC
ppc stable
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-29 21:03:16 UTC
amd64 stable
Comment 6 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-30 20:39:34 UTC
sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-03 02:28:41 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2009-01-03 20:57:36 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-01-07 18:47:25 UTC
alpha/ia64 stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:07:23 UTC
Time for vote. Since it can be used on servers too, I vote yes.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:17:08 UTC
YES, filed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:26:27 UTC
CVE-2009-0671 (
  Format string vulnerability in the University of Washington (UW)
  c-client library, as used by the UW IMAP toolkit imap-2007d and other
  applications, allows remote attackers to execute arbitrary code via
  format string specifiers in the initial request to the IMAP port

Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:27:09 UTC
I think it fits, so let's handle that one in the glsa, too.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-02-24 10:06:00 UTC
Craig, you can't simply add CVEs that require [ebuild] status to a [glsa] bug.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-25 18:30:36 UTC
Whoops, sorry, I thought it might be ok, because of the affected versions, but well, I failed a bit.  :/
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-03-30 16:02:37 UTC
arm/s390/sh stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:11:09 UTC
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:11:22 UTC
eehh.. GLSA 200911-03