PHP IMAP segfault

Michal Jaegermann michal at harddata.com
Fri Dec 2 17:13:25 UTC 2005


On Fri, Dec 02, 2005 at 11:48:14AM -0500, John Dalbec wrote:
> 
> I built IMAP with the mail.c patch and installed it, then I built PHP which 
> should have incorporated the new libc-client.  I installed IMAP and PHP on 
> a test server but I didn't upgrade the production IMAP server since I don't 
> think this patch affects the imapd server.  Does it affect imapd?

The original report and security advisory CAN-2005-2933 were for
imapd.  So, unless your IMAP server program is dynamically linking
a fixed libc-client and it was restarted, it sounds like it is
affected.  Or maybe I misunderstood what you have in mind.

> In any case, the segfault I saw continues to occur.  The stack becomes 
> corrupted after rfc822_write_address(address, env->to);

It is possible that you found another bug.

> I think I can fix the problem by patching rfc822_parse_adrlist (which is 
> called by mail_fetch_structure) to temporarily truncate each header to 
> length MAILTMPLEN-1 before parsing.

If those headers are stored without checks in some fixed-size memory
region, and the headers are bigger than that, then bad things will
happen.  The backtraces you posted suggest that the stack was indeed corrupted.
In such a case this is a security issue.

   Michal
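The pattern the thread describes (a header copied into a fixed-size MAILTMPLEN buffer without a length check, versus truncating it to MAILTMPLEN-1 first) as an added illustration. This is example code written for this page, not code from the thread, from c-client or from PHP; the value given to MAILTMPLEN here is an assumption, c-client's real definition lives in its own mail.h, and the header strings are constructed.

```c
/* Added example, not from the thread or from c-client: the unchecked copy
 * the thread suspects, beside a bounded copy that truncates a header to
 * MAILTMPLEN-1 characters so the terminating NUL always fits in the buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024  /* assumed size; c-client's real value is in mail.h */

/* Unsafe pattern: the copy ignores the destination size.  A header longer
 * than the buffer overruns it, and when dst is a local array that is exactly
 * the stack corruption seen in the backtraces. */
void copy_header_unchecked(char *dst, const char *hdr)
{
    strcpy(dst, hdr);   /* no length check */
}

/* Hardened pattern: copy at most dstsz-1 bytes and always NUL-terminate.
 * Returns 1 if the header was truncated, 0 if it fit, -1 on bad arguments. */
int copy_header_bounded(char *dst, size_t dstsz, const char *hdr)
{
    size_t n;
    if (dst == NULL || hdr == NULL || dstsz == 0)
        return -1;
    n = strlen(hdr);
    if (n >= dstsz) {
        memcpy(dst, hdr, dstsz - 1);   /* keep MAILTMPLEN-1 characters */
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, hdr, n + 1);           /* includes the NUL */
    return 0;
}

/* Parse-time check a caller can apply before handing a header to a routine
 * that is known to use a MAILTMPLEN-sized temporary buffer. */
int header_fits(const char *hdr)
{
    return strlen(hdr) <= MAILTMPLEN - 1;
}

/* Build a constructed header of `len` characters, copy it into a
 * MAILTMPLEN buffer and report whether it was truncated. */
int demo_copy_result(size_t len)
{
    char hdr[4 * MAILTMPLEN];
    char tmp[MAILTMPLEN];
    if (len >= sizeof hdr)
        return -1;
    memset(hdr, 'a', len);
    hdr[len] = '\0';
    return copy_header_bounded(tmp, sizeof tmp, hdr);
}

/* Same construction, but return the length that ended up in the buffer;
 * it can never exceed MAILTMPLEN-1. */
int demo_copy_strlen(size_t len)
{
    char hdr[4 * MAILTMPLEN];
    char tmp[MAILTMPLEN];
    if (len >= sizeof hdr)
        return -1;
    memset(hdr, 'a', len);
    hdr[len] = '\0';
    copy_header_bounded(tmp, sizeof tmp, hdr);
    return (int)strlen(tmp);
}

int main(void)
{
    char tmp[MAILTMPLEN];
    /* Short constructed header: the unchecked copy is harmless here, which is
     * why the defect only shows up with oversized input. */
    copy_header_unchecked(tmp, "To: someone@example.invalid");
    printf("unchecked copy of a short header: \"%s\"\n", tmp);
    printf("header of %d chars truncated? %d, stored length %d\n",
           4 * MAILTMPLEN - 1, demo_copy_result(4 * MAILTMPLEN - 1),
           demo_copy_strlen(4 * MAILTMPLEN - 1));
    printf("header of %d chars truncated? %d\n",
           MAILTMPLEN - 1, demo_copy_result(MAILTMPLEN - 1));
    return 0;
}
```

The boundary is the point worth checking: a header of exactly MAILTMPLEN-1 characters is copied intact, one of MAILTMPLEN characters is cut to MAILTMPLEN-1, and nothing longer ever writes past the buffer.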
