assertion failure in message_part_finish when searching large folder
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dovecot (Debian) | Fix Released | Unknown | |
dovecot (Ubuntu) | Fix Released | High | Unassigned |
Focal | Fix Released | High | Bryce Harrington |
Bug Description
[Impact]
Searching emails triggers an assertion failure if malformed emails are
present in the mail box.
[Test Case]
With an INBOX containing a malformed email, perform a server-side search, such as:
# doveadm index
# doveadm search -u ubuntu mailbox inbox body blah
or
# doveadm search -u ubuntu mailbox inbox body JPMorgan
In an affected situation, this triggers an assertion failure in message-parser.c.
In an unaffected case, these searches will return one or more hash ids of email messages.
[Where Problems Could Occur]
This patch alters code involving iteration over a C linked list in
relation to an assertion, so problems to look for would involve
assertions, crashes or memory handling issues particularly associated
with message handling functionality. Further, as this section of code
involves message processing, issues related to searching, organizing,
or otherwise iterating through email messages may be of relevance.
Mitigating the risk is that the patch's actual change is simply to add a
pre-condition to a section of logic, meaning that any issues would
probably be limited to situations where preparsed messages are being
handled.
[Original Report]
I'm experiencing identical behaviour to Debian bug #970386 (https:/
Thanks!
Related branches
- Bryce Harrington (community): Approve
- Christian Ehrhardt (community): Needs Information
- Utkarsh Gupta: Pending requested
Diff: 6703 lines (+6249/-0) (has conflicts)
43 files modified
debian/changelog (+985/-0)
debian/control (+12/-0)
debian/patches/CVE-2020-109xx/0001-lib-smtp-smtp-server-cmd-vrfy-Restructure-parameter-.patch (+40/-0)
debian/patches/CVE-2020-109xx/0002-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch (+63/-0)
debian/patches/CVE-2020-109xx/0003-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch (+54/-0)
debian/patches/CVE-2020-109xx/0004-lib-smtp-smtp-syntax-Do-not-allow-NULL-return-parame.patch (+99/-0)
debian/patches/CVE-2020-109xx/0005-lib-smtp-smtp-syntax-Return-0-for-smtp_string_parse-.patch (+27/-0)
debian/patches/CVE-2020-109xx/0006-lib-smtp-Add-tests-for-smtp_string_parse-and-smtp_st.patch (+194/-0)
debian/patches/CVE-2020-109xx/0007-lib-smtp-test-smtp-server-errors-Add-tests-for-VRFY-.patch (+343/-0)
debian/patches/CVE-2020-109xx/0008-lib-smtp-smtp-server-command-Guarantee-that-non-dest.patch (+30/-0)
debian/patches/CVE-2020-109xx/0009-lib-smtp-smtp-server-command-Assign-cmd-reg-immediat.patch (+71/-0)
debian/patches/CVE-2020-109xx/0010-lib-smtp-smtp-server-command-Perform-initial-command.patch (+83/-0)
debian/patches/CVE-2020-109xx/0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch (+51/-0)
debian/patches/CVE-2020-109xx/0012-lib-smtp-test-smtp-server-errors-Add-tests-for-large.patch (+200/-0)
debian/patches/CVE-2020-109xx/0013-lib-smtp-smtp-address-Don-t-return-NULL-from-smtp_ad.patch (+64/-0)
debian/patches/CVE-2020-109xx/0014-lib-smtp-smtp-address-Don-t-recognize-an-address-wit.patch (+29/-0)
debian/patches/CVE-2020-109xx/0015-lmtp-lmtp-commands-Explicity-prohibit-empty-RCPT-pat.patch (+37/-0)
debian/patches/CVE-2020-12100/0001-lib-mail-test-message-parser-Add-another-test-for-bo.patch (+97/-0)
debian/patches/CVE-2020-12100/0001-lib-sieve-Adjust-to-message_parser_init-API-change.patch (+62/-0)
debian/patches/CVE-2020-12100/0002-lib-mail-test-message-parser-Test-that-children_coun.patch (+212/-0)
debian/patches/CVE-2020-12100/0003-lib-mail-Move-message_parser_init_from_parts-handlin.patch (+923/-0)
debian/patches/CVE-2020-12100/0004-lib-mail-message-parser-Add-a-message_part_finish-he.patch (+70/-0)
debian/patches/CVE-2020-12100/0005-lib-mail-message-parser-Change-message_part_append-t.patch (+65/-0)
debian/patches/CVE-2020-12100/0006-lib-mail-message-parser-Optimize-updating-children_c.patch (+43/-0)
debian/patches/CVE-2020-12100/0007-lib-mail-message-parser-Optimize-appending-new-part-.patch (+91/-0)
debian/patches/CVE-2020-12100/0008-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch (+39/-0)
debian/patches/CVE-2020-12100/0009-lib-mail-message-parser-Truncate-excessively-long-MI.patch (+153/-0)
debian/patches/CVE-2020-12100/0010-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch (+65/-0)
debian/patches/CVE-2020-12100/0011-lib-mail-message-parser-Add-boundary_remove_until-he.patch (+44/-0)
debian/patches/CVE-2020-12100/0012-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch (+167/-0)
debian/patches/CVE-2020-12100/0013-lib-mail-global-message_parser_init-Convert-flags-to.patch (+569/-0)
debian/patches/CVE-2020-12100/0014-lib-mail-message-parser-Support-limiting-max-number-.patch (+328/-0)
debian/patches/CVE-2020-12100/0015-lib-mail-message-parser-Support-limiting-max-number-.patch (+196/-0)
debian/patches/CVE-2020-12100/0016-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch (+120/-0)
debian/patches/CVE-2020-12673/0002-lib-ntlm-Check-buffer-length-on-responses.patch (+34/-0)
debian/patches/CVE-2020-12674/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch (+25/-0)
debian/patches/CVE-2020-24386-1.patch (+25/-0)
debian/patches/CVE-2020-24386-2.patch (+191/-0)
debian/patches/CVE-2020-25275-1.patch (+122/-0)
debian/patches/CVE-2020-25275-2.patch (+66/-0)
debian/patches/CVE-2021-33515.patch (+27/-0)
debian/patches/handle-unbounded-mime.patch (+89/-0)
debian/patches/series (+44/-0)
Changed in dovecot (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
Changed in dovecot (Debian):
status: Unknown → Fix Released
description: updated
Changed in dovecot (Ubuntu Focal):
status: Incomplete → In Progress
description: updated
Thank you for taking the time to report this bug and helping to make Ubuntu better.
This is the upstream patch: https://github.com/dovecot/core/commit/a668d767a710ca18ab6e7177d8e8be22a6b024fb