ID:               42862
 Updated by:       [EMAIL PROTECTED]
 Reported By:      Maylein at ub dot uni-heidelberg dot de
-Status:           Open
+Status:           Assigned
 Bug Type:         IMAP related
 Operating System: Linux 2.6.22
 PHP Version:      5.2.4
-Assigned To:      
+Assigned To:      iliaa


Previous Comments:
------------------------------------------------------------------------

[2007-10-30 17:15:29] [EMAIL PROTECTED]

Reclassified. (This is the correct place for this, it's imap related)

------------------------------------------------------------------------

[2007-10-22 11:44:14] Maylein at ub dot uni-heidelberg dot de

No one seems to care about a bug report in
the category 'imap related', so I put it now
in the category 'reproducible crash'.

------------------------------------------------------------------------

[2007-10-11 08:49:53] Maylein at ub dot uni-heidelberg dot de

Please tell me if there will be a patch
for the imap-extension.
It's a security issue, isn't it?
If you don't plan to patch the imap extension
(as I understand from the answer on Bug #40925)
then you subsequently need to remove
this extension.

------------------------------------------------------------------------

[2007-10-11 08:20:14] Maylein at ub dot uni-heidelberg dot de

See also
http://archives.devshed.com/forums/networking-100/new-message-writing-routines-in-imap-2005t-1639473.html

------------------------------------------------------------------------

[2007-10-05 07:29:33] Maylein at ub dot uni-heidelberg dot de

Description:
------------
I am using the uw imap c-client-library with php-5.2.4 and apache
2.0.61 for my webmailer software TWIG.

Some actions cause the httpd child to crash:
httpd: IMAP toolkit crash: rfc822.c legacy routine buffer overflow

See also
http://bugs.php.net/bug.php?id=40925&edit=1 

uw imap developers say that it is definitely a php issue
which you have been denying in former bug reports.
So please have a second thought on this issue.

Here is the response of the uw imap developers:

> PHP is calling c-client legacy RFC 822 header generation routines 
> that write headers into a "big enough buffer".  These routines were 
> never intended for external use.
> There is no way in the old interface to know how much space is left 
> in the buffer.  Those routines were written in 1988 when that was 
> "good enough". They were left unfixed because supposedly "nobody 
> used them".  When it became clear that people were using those 
> routines after all, they were replaced by routines with proper 
> buffer checking.
> The old routine names exist as compatibility interfaces into the new
> routines, but the old interface itself prevents proper checking. 
> ...
> Let's be clear; if PHP calls these old routines, it is not just a
> core dump issue; it is a security bug.  The abort catches some, but 
> NOT all of the buffer overflows. 
> ...
> In case it wasn't clear from the previous message, there is nothing
> to fix at the c-client end.  That "legacy routine buffer overflow" 
> is effectively the same thing as getting a SEGV from strcpy().  As 
> the message says, it's a detected buffer overflow.  But there is 
> nothing that c-client can do to recover.
> The fix is not to call the routine that has the buffer overflow, but
> that has to be in PHP.
> I'm sorry that this is bad news for you, especially as the PHP 
> developers seem to be unable to understand the issue (and thus are 
> telling you to talk to me).

Actual result:
--------------
httpd child crashes with a buffer overflow
httpd: IMAP toolkit crash: rfc822.c legacy routine buffer overflow


------------------------------------------------------------------------
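
Added example (not code from PHP, c-client, or anyone in this thread): a C sketch of the interface difference the quoted reply describes, where the header writer carries the end of the caller's buffer and refuses to write past it. All names (hdr_buf, hdr_init, hdr_put, hdr_address_line, demo_to_line) and the sample address are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Legacy-shaped interface (hypothetical): void write_line(char *dest, ...).
 * With only dest, the callee cannot tell where the caller's buffer ends.
 * Bounded form below: the writer carries the end of the caller's storage. */
typedef struct {
    char *cur;  /* next byte to write */
    char *end;  /* last usable byte, reserved for the terminating NUL */
} hdr_buf;

static int hdr_init(hdr_buf *b, char *storage, size_t size) {
    if (size == 0) return 0;          /* no room even for the NUL */
    b->cur = storage;
    b->end = storage + size - 1;
    *b->cur = '\0';
    return 1;
}

/* Append s; return 1 on success, 0 without writing if it does not fit. */
static int hdr_put(hdr_buf *b, const char *s) {
    size_t n = strlen(s);
    if ((size_t)(b->end - b->cur) < n) return 0;
    memcpy(b->cur, s, n);
    b->cur += n;
    *b->cur = '\0';
    return 1;
}

/* Write "Name: a, b, c\r\n"; on lack of space, roll back and return 0. */
int hdr_address_line(hdr_buf *b, const char *name,
                     const char **addrs, size_t count) {
    char *start = b->cur;
    int ok = hdr_put(b, name) && hdr_put(b, ": ");
    for (size_t i = 0; ok && i < count; i++)
        ok = (i == 0 || hdr_put(b, ", ")) && hdr_put(b, addrs[i]);
    ok = ok && hdr_put(b, "\r\n");
    if (!ok) { b->cur = start; *start = '\0'; }
    return ok;
}

/* Constructed sample input: a To: line with n copies of one address. */
int demo_to_line(char *storage, size_t size, size_t n) {
    const char *list[64];
    hdr_buf b;
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) list[i] = "user@example.org";
    if (!hdr_init(&b, storage, size)) return 0;
    return hdr_address_line(&b, "To", list, n);
}
```

A caller that gets 0 back can report the oversized header as an error to the user, which the abort in the legacy path cannot offer.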


-- 
Edit this bug report at http://bugs.php.net/?id=42862&edit=1
