ID: 42862
Comment by: hoffie at gentoo dot org
Reported By: Maylein at ub dot uni-heidelberg dot de
Status: Assigned
Bug Type: IMAP related
Operating System: Linux 2.6.22
PHP Version: 5.2.4
Assigned To: iliaa

New Comment:
Over 7 months and two releases have passed, yet no developer even commented on this *security* issue (according to the c-client devs). So what's up with this, are there any problems with the patch? If yes, would you mind pointing them out, so that one can try to fix them?

Previous Comments:
------------------------------------------------------------------------
[2008-05-27 13:06:39] falon at csi dot it

I use Horde Groupware Webmail Edition 1.0.6 with Apache/1.3.41 (Unix) PHP/5.2.5 mod_ssl/2.8.31 OpenSSL/0.9.8g. I had the same bug. I tried sborril patch: it fixes the problem also in my environment. I would appreciate it if it could be added to the next release of php.
Regards
------------------------------------------------------------------------
[2008-04-03 21:55:29] pubear at u dot washington dot edu

I am using imap c-client 2007a with php-5.2.5. I am working with an extensively modified version of: http://migrationtool.sourceforge.net
I ran into this issue migrating people's mailboxes in Exchange Server. I wanted to confirm that the patch submitted by sborrill at precedence dot co dot uk appears to have fixed the buffer overflow bug. Thank you very much.
------------------------------------------------------------------------
[2008-03-04 16:57:55] sborrill at precedence dot co dot uk

php_imap.c uses rfc822_write_address() which, with imap-uw sources since 2005, limits the complete returned address list to 16383 bytes in length irrespective of the size of the buffer you pass into it (you don't pass the length, so it can't know the actual size). This means that if you have large address lists in your To: or Cc: headers that would expand to more than 16383 characters, PHP will core-dump with SIGABRT. This affects PHP HEAD too.

rfc822_write_address is deprecated:
 * WARNING: These routines are for compatibility with old software only.
 * Their use in new software is to be avoided.
 *
 * These interfaces do not provide satisfactory buffer checking.
In * versions of c-client prior to imap-2005, they did not provide any * buffer checking at all. The fix is to use rfc822_output_address_list(). Patch below (against 5.2.5): --- php_imap.c.orig 2007-07-31 01:31:10.000000000 +0100 +++ php_imap.c 2008-03-04 17:48:30.000000000 +0000 @@ -70,6 +70,7 @@ static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); static int _php_imap_address_size(ADDRESS *addresslist); +static void _php_rfc822_write_address_len (char *dest, ADDRESS *adr, int len); /* the gets we use */ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); @@ -2137,7 +2138,7 @@ } string[0]='\0'; - rfc822_write_address(string, addr); + _php_rfc822_write_address_len(string, addr, sizeof(string)); RETVAL_STRING(string, 1); } /* }}} */ @@ -2906,13 +2907,13 @@ if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { env->from->next=NULL; address[0] = '\0'; - rfc822_write_address(address, env->from); + _php_rfc822_write_address_len(address, env->from, sizeof(address)); add_property_string(myoverview, "from", address, 1); } if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { env->to->next = NULL; address[0] = '\0'; - rfc822_write_address(address, env->to); + _php_rfc822_write_address_len(address, env->to, sizeof(address)); add_property_string(myoverview, "to", address, 1); } if (env->date) { 
@@ -3883,6 +3884,34 @@ /* }}} */ +/* {{{ _php_rfc822_soutr + */ +static long _php_rfc822_soutr (void *stream,char *string) +{ + return NIL; +} + +/* }}} */ + + +/* {{{ _php_rfc822_write_address_len + */ +static void _php_rfc822_write_address_len ( char *dest, ADDRESS *adr, int len) +{ + RFC822BUFFER buf; + + buf.beg = dest; + buf.cur = buf.beg; + buf.end = buf.beg + len - 1; + buf.s = NIL; + buf.f = _php_rfc822_soutr; + rfc822_output_address_list (&buf, adr, 0, NIL); + *buf.cur = '\0'; +} + +/* }}} */ + + /* {{{ _php_imap_parse_address */ static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) @@ -3897,7 +3926,7 @@ if ((len = _php_imap_address_size(addresstmp))) { tmpstr = (char *) pemalloc(len + 1, 1); tmpstr[0] = '\0'; - rfc822_write_address(tmpstr, addresstmp); + _php_rfc822_write_address_len(tmpstr, addresstmp, len); *fulladdress = tmpstr; } else { *fulladdress = NULL; ------------------------------------------------------------------------ [2007-10-30 17:15:29] [EMAIL PROTECTED] Reclassified. (This is the correct place for this, it's imap related) ------------------------------------------------------------------------ [2007-10-22 11:44:14] Maylein at ub dot uni-heidelberg dot de No one seems to care about a bug report in the category 'imap related', so I put it now in the category 'reproducible crash'. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42862 -- Edit this bug report at http://bugs.php.net/?id=42862&edit=1
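Review bot: In the @@ -2137 hunk the new call `_php_rfc822_write_address_len(string, addr, sizeof(string));` is only a correct bound if `string` is declared as a char array in that function, which the hunk context does not show. If it is a `char *`, sizeof yields the pointer size and the limit is silently wrong; please confirm the declaration or pass the array's named size constant instead.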
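Review bot: In the @@ -2906 hunk the pre-existing guards `_php_imap_address_size(env->from) < MAILTMPLEN` and the matching one for `env->to` become redundant once the writer is bounded by `sizeof(address)`, and the two mechanisms behave differently: the guard drops the whole "from"/"to" property for an over-long list, while the new helper truncates it. Decide which behaviour the overview should have and keep only that path; if the guards stay, say so in a comment so the next reader does not remove one without the other. As with the @@ -2137 hunk, `sizeof(address)` is only right if `address` is a char array in this scope.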
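Review bot: In the @@ -3883 hunk `_php_rfc822_write_address_len()` discards the return value of `rfc822_output_address_list (&buf, adr, 0, NIL);`, so once `_php_rfc822_soutr()` refuses a flush none of the call sites in the other hunks can tell a complete address string from a cut-off one. Suggest storing that result in a `long` before `*buf.cur = '\0';`, returning it, and checking it at the callers. It is also worth confirming what the buffer holds after a refused flush: if c-client's flush routine resets buf.cur to buf.beg before calling buf.f, the final `*buf.cur = '\0';` turns an over-long list into an empty string rather than a truncated one. Either outcome is memory-safe, but the function comment should state which it is, and both new functions currently have empty `/* {{{ */` comment blocks.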
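Review bot: In the @@ -3897 hunk the length passed does not match the allocation: `tmpstr = (char *) pemalloc(len + 1, 1);` provides len + 1 bytes, but the call is `_php_rfc822_write_address_len(tmpstr, addresstmp, len);` and the helper sets `buf.end = buf.beg + len - 1`, leaving only len - 1 bytes for address text even though `_php_imap_address_size()` sized len for the full list. A list that exactly fills its computed size is therefore cut short (or emptied, depending on the flush semantics). Pass `len + 1` here to match the buffer, and consider making the `len` parameter `size_t`, since the other call sites pass `sizeof()` results.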
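As an added illustration of the bounded-writer pattern the patch adopts (example code written here, not sborrill's patch or c-client's own code): a small stand-in for RFC822BUFFER whose flush callback refuses to flush, so an over-long address list is cut off inside the caller's buffer and the caller is told that it was. OUTBUF, ADDR, out_str and write_address_len are constructed names; the real c-client structures and signatures differ.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for c-client's RFC822BUFFER (not the real struct):
 * text is appended into [beg, end); when the buffer is full, f() is asked
 * to flush it and a zero return aborts further output. */
typedef struct {
    char *beg, *cur, *end;
    long (*f)(void *stream, char *string);
    void *s;
} OUTBUF;

/* Hypothetical minimal ADDRESS record, enough for "Name <mailbox@host>". */
typedef struct address {
    const char *personal, *mailbox, *host;
    struct address *next;
} ADDR;

/* Same idea as the patch's _php_rfc822_soutr: refuse to flush, so the
 * writer stops at the buffer end instead of running past it. In this
 * stand-in the partial text already written stays in place. */
static long stop_on_full(void *stream, char *string) {
    (void)stream; (void)string;
    return 0;
}

static int out_str(OUTBUF *b, const char *s) {
    for (; *s; s++) {
        if (b->cur >= b->end && !b->f(b->s, b->beg)) return 0; /* full */
        *b->cur++ = *s;
    }
    return 1;
}

/* Render the list into dest[len] (len >= 1). Returns 1 if everything
 * fitted, 0 if it was cut short; dest is NUL-terminated within bounds
 * either way, which is what the report says rfc822_write_address() cannot
 * guarantee because it never learns the buffer size. */
int write_address_len(char *dest, const ADDR *adr, size_t len) {
    OUTBUF b = { dest, dest, dest + len - 1, stop_on_full, NULL };
    int ok = 1;
    for (; adr && ok; adr = adr->next) {
        if (adr->personal) ok = out_str(&b, adr->personal) && out_str(&b, " <");
        ok = ok && out_str(&b, adr->mailbox) && out_str(&b, "@") && out_str(&b, adr->host);
        if (adr->personal) ok = ok && out_str(&b, ">");
        if (adr->next) ok = ok && out_str(&b, ", ");
    }
    *b.cur = '\0';
    return ok;
}
```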