php5-cgi: IMAP toolkit crash

Jamie, mind having a look at this?

The problem still exists with latest ubuntu php upgrade

root@posta1:~# grep php /var/log/syslog | grep crash
Nov 27 19:42:35 posta1 php5-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow
Nov 27 19:44:11 posta1 php5-cgi: IMAP toolkit crash: rfc822.c legacy routine buffer overflow
root@posta1:~# php-cgi -v
PHP 5.2.4-2ubuntu5.9 with Suhosin-Patch 0.9.6.2 (cgi-fcgi) (built: Nov 26 2009 13:52:47)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Suhosin v0.9.22, Copyright (c) 2007, by SektionEins GmbH

no one looking at this bug? :-(

In Ubuntu, the php imap plugin is in a separate php-imap source package.

Although USN-628-1 says CVE-2008-2829 was fixed, it was a mistake. The actual binary isn't built from the php5 source package.

CVE-2008-2829 needs to be fixed in the php-imap source package that's in universe.

This bug was fixed in the package php-imap - 5.2.6-0ubuntu7

---------------
php-imap (5.2.6-0ubuntu7) lucid; urgency=low

  * Add quilt support.
  * SECURITY UPDATE: unsafe usage of deprecated imap functions (LP: #485973)
    - add debian/patches/CVE-2008-2829.diff, patch taken from Debian
    - CVE-2008-2829
  * Bump Standards-Version to 3.8.3.
 -- Devid Antonio Filoni <email address hidden> Wed, 06 Jan 2010 17:40:37 +0100

Debdiff for karmic-security.

debdiff for jaunty-proposed.

debdiff for intrepid-security.

debdiff for hardy-security.

debdiff for dapper-security.

Thanks for the debdiffs Devid.

The hardy debdiff is wrong and doesn't compile. Please submit a corrected one. Also, please describe the testing you've performed on these debdiffs.

I have unsubscribed ubuntu-security-sponsors from this bug. Once you've completed the new hardy debdiff and have described the testing, please subscribe ubuntu-security-sponsors again and set the status to "NEW".

Thanks!

The dapper debdiff also fails to build. Please re-submit a fixed dapper debdiff also.

I've tested the new package built by d.filoni on karmic on the same environment i used to check the existence of the bug in 9.10. Now, if i try to download the mbox file from horde i get it downloaded without problems and errors on the php error log. So, as far as i can see the bug is fixed.

Hardy debdiff

Based on my research the patch is incorrect. Lucid has the incorrect patch in it and needs to be updated. You should be using http://svn.php.net/viewvc?view=revision&revision=267399. If this is in error, please resubmit the patches with the correct references for the origin of the patch. Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete.

Sorry Jamie, but i'm not so expert with packaging and co. but, as far as i can see, a package for Karmic built with the patch created by d.filoni solves my problem and php does crashes no more. The bug IS fixed on php and, as far as i can read on the USN, IS ALSO fixed on ubuntu's php sources...

Luca, you are correct about the USN. The patch in the USN came from Debian but the code in Ubuntu is not built since php-imap is broken out (and therefore, unfortunately, not tested). Looking at the patch, a lot of the differences can be attributed to changing the memory allocation for 'string' from static to dynamic, but there are other changes that are not as clear.

Marc pointed out to me that the patch is from http://patch-tracker.debian.org/patch/series/view/php5/5.2.6.dfsg.1-1+lenny4/CVE-2008-2829.patch. It looks like all of Devid's patches for hardy and later match this patch. I checked the Debian BTS and couldn't find any regressions from applying this patch.

Sorry for the confusion, though this could have been avoided if the debdiffs followed DEP-3 and gave links to the upstream bug and commits.

ACK for hardy - karmic

This bug was fixed in the package php-imap - 5.2.6-0ubuntu6.1

---------------
php-imap (5.2.6-0ubuntu6.1) karmic-security; urgency=low

  * SECURITY UPDATE: unsafe usage of deprecated imap functions (LP: #485973)
    - php_imap.c: apply patch taken from Debian
    - CVE-2008-2829
 -- Devid Antonio Filoni <email address hidden> Wed, 06 Jan 2010 18:58:48 +0100

This bug was fixed in the package php-imap - 5.2.6-0ubuntu5.1

---------------
php-imap (5.2.6-0ubuntu5.1) jaunty-security; urgency=low

  * SECURITY UPDATE: unsafe usage of deprecated imap functions (LP: #485973)
    - php_imap.c: apply patch taken from Debian
    - CVE-2008-2829
 -- Devid Antonio Filoni <email address hidden> Wed, 06 Jan 2010 18:58:48 +0100

This bug was fixed in the package php-imap - 5.2.6-0ubuntu3.1

---------------
php-imap (5.2.6-0ubuntu3.1) intrepid-security; urgency=low

  * SECURITY UPDATE: unsafe usage of deprecated imap functions (LP: #485973)
    - php_imap.c: apply patch taken from Debian
    - CVE-2008-2829
 -- Devid Antonio Filoni <email address hidden> Wed, 06 Jan 2010 18:58:48 +0100

This bug was fixed in the package php-imap - 5.2.3-0ubuntu3.1

---------------
php-imap (5.2.3-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: unsafe usage of deprecated imap functions (LP: #485973)
    - php_imap.c: apply patch taken from Debian
    - CVE-2008-2829
 -- Devid Antonio Filoni <email address hidden> Wed, 06 Jan 2010 18:58:48 +0100

Per Marc's comment on 2010-01-12, the Dapper debdiff needs to be fixed still. Adding 'patch-needswork' tag and leaving Dapper task as Incomplete.

I don't have time to work on dapper debdiff...