[Bug 217287] New: imap-2004g_suse-28: use of dangerous "gets" function
https://bugzilla.novell.com/show_bug.cgi?id=217287

Summary: imap-2004g_suse-28: use of dangerous "gets" function
Product: openSUSE 10.2
Version: Beta 1 plus
Platform: All
OS/Version: SuSE Linux 10.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: dcb314@hotmail.com
QAContact: qa@suse.de

I just tried to compile package imap-2004g_suse-28 with the GNU C compiler. It said

mtest.o: In function `gets':
/usr/include/bits/stdio2.h:83: warning: the `gets' function is dangerous and should not be used.

The source code is

/* Prompt user for input
 * Accepts: pointer to prompt message
 *          pointer to input buffer
 */
void prompt (char *msg,char *txt)
{
  printf ("%s",msg);
  gets (txt);
}

I agree with the compiler. Suggest replacing all uses of gets in the package with fgets.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
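The bounded replacement the reporter suggests, written out as an added example (this is not code from the imap-2004g package or from UW; the names prompt_bounded and demo_read are invented here). The point gets() misses is that the read must know the buffer size; the example passes it to fgets() and also covers the two cases a plain fgets() call leaves to the caller: a line longer than the buffer (stored truncated, remainder drained so the next prompt does not read leftovers) and end-of-file. demo_read() feeds a constructed string through a tmpfile() so the behaviour can be exercised offline.

```c
/* Added example: a bounded replacement for the gets()-based prompt() quoted
 * in the report. Illustrative code, not from the imap-2004g package; the
 * names prompt_bounded() and demo_read() are made up for this example. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum prompt_status { PROMPT_OK = 0, PROMPT_TRUNCATED = 1, PROMPT_EOF = -1 };

/* Read one line from `in` into txt[0..size-1], dropping the trailing newline.
 * Unlike gets(), the read is bounded by `size`, so oversized input cannot run
 * past the caller's buffer. Returns:
 *   PROMPT_OK        the whole line fit;
 *   PROMPT_TRUNCATED the line was longer than size-1 bytes; txt holds the
 *                    first size-1 bytes and the rest of the line is drained
 *                    so the next prompt does not read the leftover;
 *   PROMPT_EOF       nothing could be read (txt is set to "").               */
int prompt_bounded(const char *msg, char *txt, size_t size, FILE *in, FILE *out)
{
    if (size == 0)
        return PROMPT_EOF;
    if (size > INT_MAX)           /* fgets() takes an int length */
        size = INT_MAX;
    if (out != NULL) {
        fputs(msg, out);
        fflush(out);
    }
    if (fgets(txt, (int)size, in) == NULL) {
        txt[0] = '\0';
        return PROMPT_EOF;
    }
    size_t len = strlen(txt);
    if (len > 0 && txt[len - 1] == '\n') {
        txt[len - 1] = '\0';
        return PROMPT_OK;
    }
    /* No newline in the buffer: the line either ended exactly at capacity,
     * hit end-of-file without a newline, or did not fit. Peek one byte. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return PROMPT_OK;
    while (c != '\n' && c != EOF)   /* discard the part that did not fit */
        c = fgetc(in);
    return PROMPT_TRUNCATED;
}

/* Feed a constructed input string through prompt_bounded() via a temporary
 * file (tmpfile() is standard C), so the behaviour can be checked offline. */
int demo_read(const char *input, char *txt, size_t size)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return PROMPT_EOF;
    fputs(input, in);
    rewind(in);
    int rc = prompt_bounded("", txt, size, in, NULL);
    fclose(in);
    return rc;
}

int main(void)
{
    char txt[16];   /* small on purpose: longer input is truncated, not overrun */
    int rc = prompt_bounded("mailbox> ", txt, sizeof txt, stdin, stdout);
    printf("\nstatus=%d text=\"%s\"\n", rc, txt);
    return rc == PROMPT_EOF;
}
```

Note the design choice in the truncation branch: silently keeping the first size-1 bytes and returning a distinct status lets the caller decide whether a cut-off mailbox name or password should be rejected, whereas gets() gives neither a bound nor a signal.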
judas_iscariote@shorewall.net changed:
           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |judas_iscariote@shorewall.net, security-team@suse.de

------- Comment #1 from judas_iscariote@shorewall.net 2006-11-02 02:35 MST -------
This can be, actually, a buffer overflow. :(
------- Comment #2 from thomas@novell.com 2006-11-02 03:21 MST -------
It is only a security problem if this code can be triggered over the network or if this code is part of a setuid/setgid application.
chrubis@novell.com changed:
           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |seife@novell.com
seife@novell.com changed:
           What    |Removed          |Added
----------------------------------------------------------------------------
                 CC|                 |chuller@novell.com, behlert@novell.com
         AssignedTo|seife@novell.com |aj@novell.com

------- Comment #3 from seife@novell.com 2006-11-03 12:26 MST -------
The package is dropped and will hopefully not appear in beta2.
------- Comment #4 from judas_iscariote@shorewall.net 2006-11-03 13:04 MST -------
Stefan: huh? What is the replacement? If there is no replacement, we have a problem: PHP without IMAP support and gazillions of users complaining...
seife@novell.com changed:
           What    |Removed       |Added
----------------------------------------------------------------------------
                 CC|              |seife@novell.com
         AssignedTo|aj@novell.com |hvogel@novell.com

------- Comment #5 from seife@novell.com 2006-11-06 02:05 MST -------
Package got reassigned until the droprequest is through. BTW: there are lots of well-coded imap servers; if anybody wants that unspeakable uw-imap code, he can maintain it in the buildservice.
------- Comment #6 from judas_iscariote@shorewall.net 2006-11-06 02:10 MST -------
(In reply to comment #5)
> package got reassigned until the droprequest is through.
> BTW: there are lots of well-coded imap servers, if anybody wants that unspeakable uw-imap code, he can maintain it in the buildservice.

I agree with that, but unfortunately some packages depend on it, and if it is dropped SUSE will very likely be unsuitable for use as a webmail server: the PHP imap module is probably one of the most popular and is used in almost all webmails out there (except SquirrelMail). I agree that the uw-imap stuff is awful though, but PHP will not change the library any time soon.
------- Comment #7 from judas_iscariote@shorewall.net 2006-11-06 02:15 MST -------
Stefan: I'll talk to the PHP developers on this matter anyway to see if they can provide an alternative way in the future. Extremely unlikely to happen, but I'll try.
------- Comment #8 from judas_iscariote@shorewall.net 2006-11-06 02:26 MST -------
My mistake, sorry: PHP only requires imap-lib-2004g_suse-14 and not imap-2004g_suse-28. I was confused.
------- Comment #9 from seife@novell.com 2006-11-06 02:29 MST -------
Well, imap-lib is a fallout of the imap package unfortunately. I heard somebody will take care of it, but fortunately not me :-)

And yes, moving away everything from uw-imap is the best idea. No wonder PHP is in the security tickers every week if everybody is using this stuff :-)
------- Comment #10 from judas_iscariote@shorewall.net 2006-11-06 02:37 MST -------
(In reply to comment #9)
> well, imap-lib is a fallout of the imap package unfortunately. I heard somebody will take care of it, but fortunately not me :-)

OK, in this case only imap-lib is needed. I'm fine if the awful imap server is dropped; I have used dovecot for ages and people are being told to use it too ;)

> And yes, moving away everything from uw-imap is the best idea. No wonder PHP is in the security tickers every week if everybody is using this stuff :-)

The problem is that it may be hard to convince developers to change something that is working reasonably fine. Additionally, JFYI: we have been working on a security-enhanced version and configurations for PHP that are/will be in 10.2. I have spent a significant amount of time on this, and I'm pretty confident that it will work fine ;-)
------- Comment #11 from meissner@novell.com 2006-11-06 02:43 MST -------
The libcclient (or however it is called) should likely stay for php or so, yes.
------- Comment #12 from judas_iscariote@shorewall.net 2006-11-08 20:26 MST -------
Whichever way you decide to do this, UW has released their "bi-year" update ;-)
ftp://ftp.cac.washington.edu/mail/imap-2006c1.tar.Z
I guess if the package will still be included, it must be updated, right?
hvogel@novell.com changed:
           What    |Removed           |Added
----------------------------------------------------------------------------
         AssignedTo|hvogel@novell.com |mskibbe@novell.com

------- Comment #13 from hvogel@novell.com 2006-11-10 04:37 MST -------
Re-assign to new maintainer.
mskibbe@novell.com changed:
           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |ASSIGNED

------- Comment #14 from mskibbe@novell.com 2006-11-13 05:51 MST -------
The new version does not use gets. I'll update asap.
tpatzig@novell.com changed:
           What    |Removed            |Added
----------------------------------------------------------------------------
             Status|NEEDINFO           |NEW
      Info Provider|tpatzig@novell.com |

------- Comment #16 from tpatzig@novell.com 2006-11-16 02:12 MST -------
I've tested the package and everything seems to work fine.
mskibbe@novell.com changed:
           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|        |FIXED

------- Comment #17 from mskibbe@novell.com 2006-11-16 03:12 MST -------
OK, I checked it into stable.
lrupp@novell.com changed:
           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|RESOLVED |REOPENED
         Resolution|FIXED    |

------- Comment #18 from lrupp@novell.com 2006-12-07 12:32 MST -------
What about fixes for the older distributions? (see comment #1)
meissner@novell.com changed:
           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|REOPENED |RESOLVED
         Resolution|         |FIXED

------- Comment #20 from meissner@novell.com 2006-12-09 16:03 MST -------
This is in the "mtest" binary only. This can be called by the local user to test the cclient library, and it accepts his user input. So he can only exploit himself with this test program. There is no need to fix it in old products in my opinion due to this.