CVE-2011-1929 and Dovecot 1.0.10-1ubuntu5.2 in Hardy

Bug #791758 reported by Johann Pelz
Affects           Status    Importance  Assigned to     Milestone
dovecot (Ubuntu)  Invalid   High        Steve Beattie

Bug Description

Because of the recent updates to Dovecot in USN-1143-1 I checked whether Dovecot 1.0.10-1ubuntu5.2 in Hardy is affected, too. Apparently, upstream fixed the bug in src/lib-mail/message-header-parser.c: e.g. in Dovecot 1.1 <http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c>; this file does not exist in Dovecot 1.0.

For Debian, <http://security-tracker.debian.org/tracker/CVE-2011-1929> claims "[lenny] - dovecot <not-affected> (Vulnerability introduced in 1.1)".

Yet, the problematic code appears to exist in another file, message-parser.c in Dovecot 1.0, line 943: <http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/hardy/dovecot/hardy/view/head:/src/lib-mail/message-parser.c#L943>

I think the patch should be backported/applied to message-parser.c, too.

Thanks,

Hannes

Steve Beattie (sbeattie) wrote :

Hi Hannes,

Yes, I saw the same thing you did, that apparently the same bit of code appears in src/lib-mail/message-parser.c ; however, my attempts to reproduce the issue on hardy did not meet success. However, prompted by your bug report, I've further attempted to reproduce the issue on hardy and am now able to generate mailbox corruption. I'll generate an update for hardy shortly.

Thanks!

Changed in dovecot (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Steve Beattie (sbeattie)
Johann Pelz (johannpelz) wrote :

Hi Steve!

Thank you for looking into the issue again! Earlier today, I sent Dovecot's Timo Sirainen <email address hidden> the same bug report. Maybe the issue will be fixed upstream, too.

The CVE should probably get updated too, since Dovecot 1.0 isn't mentioned yet, as far as I know. Can you do that?

Thanks again,

Hannes

Johann Pelz (johannpelz) wrote :

Timo Sirainen explained in an e-mail to Steve and me, adding to his earlier comments on Debian's <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627443#15>: "In v1.0 having a NUL inside header name truncates the header, but I wouldn't call that a security hole. I think even with the v1.1+ patches the header name probably gets truncated in different places. NULs aren't valid in header names, so it doesn't matter that much.

The bug with v1.1+ was that "name" string contained less data than was in "name_len". With v1.0 the code is:

  line->name = str_c(ctx->name);
  line->name_len = str_len(ctx->name);

So name_len isn't larger than name. There is no reading outside allocated buffer."

Apparently a malformed header can't lead to a service crash as in later Dovecot branches; still, if mailbox corruption can happen due to mishandling of malformed headers, as in Steve's tests, this is an issue of potential data loss. If only the malformed header line is partially lost, that would be tolerable; if a user's mbox files can get truncated because of malformed header lines, that would be an issue that should be addressed...

@Steve: what happened when you reproduced the issue in Dovecot on Hardy? Just partially lost header lines or corruption of whole mbox files?

Thanks again,

Hannes
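As an added illustration of the two parsing behaviours Timo contrasts (this is example code, not Dovecot's own and not from anyone in this thread): a NUL-terminated-string scan of a header line like "Sub^@ject: Test 3" silently stops at the NUL, while a length-aware scan sees the whole field name and can report the illegal byte instead of truncating. The function names `name_len_cstr` and `header_name_len` and the sample line are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Field name as seen by a NUL-terminated-string parser (the str_c()
 * style quoted in the comment above): the scan stops at the first
 * NUL or ':'. "Sub\0ject: Test 3" yields 3; the bytes after the NUL
 * are never seen, which is the truncation Timo describes for v1.0. */
size_t name_len_cstr(const char *line)
{
    size_t n = 0;
    while (line[n] != '\0' && line[n] != ':')
        n++;
    return n;
}

/* RFC 5322 allows only printable ASCII 33..126, excluding ':',
 * in a header field name. */
static int is_ftext(unsigned char c)
{
    return c >= 33 && c <= 126 && c != ':';
}

/* Length-aware scan over (line, len): returns the field-name length
 * up to the ':' and clears *valid if the name contains any byte not
 * allowed by RFC 5322 (an embedded NUL is reported, not hidden).
 * Returns -1 when no ':' occurs within len, i.e. not a header line. */
long header_name_len(const unsigned char *line, size_t len, int *valid)
{
    size_t i;
    *valid = 1;
    for (i = 0; i < len; i++) {
        if (line[i] == ':')
            return (long)i;
        if (!is_ftext(line[i]))
            *valid = 0;
    }
    return -1;
}

/* Constructed sample: the "Sub^@ject" line from this report with the
 * ^@ replaced by a real NUL byte. sizeof - 1 counts the embedded NUL
 * as part of the line, unlike strlen(), which would stop at it. */
static const unsigned char sample_line[] = "Sub\0ject: Test 3";
#define SAMPLE_LEN (sizeof(sample_line) - 1)
```

A mail store that rewrites headers should reject or quarantine lines where `valid` is clear rather than re-emit the truncated name, since the truncated form is what later gets merged with other headers on write-back.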

Steve Beattie (sbeattie) wrote :

Hi,

Sorry for losing track of the issue.

I was getting corrupted headers where because one header had multiple NULLs in it, when dovecot wrote the message back, it ended up dropping that header and merging/corrupting another header. The example I came up with was where the original message looked like so:

  From <email address hidden> Tue Nov 28 11:29:34 2007
  Date^@: Tue, 28 Nov 2007 11:29:34 +0100
  ^@From: ( Test User 4 <email address hidden>
  To: Dovecot tester <email address hidden>
  Sub^@ject: Test 3
  Statu^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
  ^@^@s: R

  Stop cracking!

(note that the ^@ are representations of NULL characters). Causing the message to be written back in dovecot results in the following:

  From <email address hidden> Tue Nov 28 11:29:34 2007
  Date^@: Tue, 28 Nov 2007 11:29:34 +0100
  ^@From: ( Test User 4 <email address hidden>
  To: Dovecot tester <email address hidden>
  Sub^@ject: Test X-IMAPbase: 1308694311 0000000001
  X-UID: 1
  Status: O

  Stop cracking!

Note that the fake Subject line has the X-IMAPbase header merged into it. I was not able to get more widespread corruption of the mailbox, but didn't try very hard.

Anyway, dovecot in hardy is not affected by the original crashing issue, and so I'm going to close this specific bug report.

Thanks, and sorry again for the delay in following up with this issue.

Changed in dovecot (Ubuntu):
status: In Progress → Invalid
visibility: private → public