[SRU] for broken header parser

Bug #290901 reported by Mathias Gug on 2008-10-29
258
Affects Status Importance Assigned to Milestone
dovecot (Ubuntu)
High
Mathias Gug
Intrepid
High
Mathias Gug

Bug Description

Dovecot 1.1.6 has just be released fixing an important bug:

The invalid message address parsing bug is pretty important since it
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do. Note that it
doesn't affect versions older than v1.1.4.

 + dovecot -n and -a now prints some system information at the top.
 + More error/debug message logging improvements.
 - pop3-login: Fixed assert-crash if a client sent USER+PASS+USER+PASS
   commands in the same IP packet.
 - Parsing an invalid message address like "From: (" caused an
   assert-crash in v1.1.4 and v1.1.5.
 - Folding whitespace wasn't handled correctly inside quoted-strings,
   causing some messages to be parsed incorrectly.
 - mbox: Fixed saving messages that begin with a valid From_-line.

Only intrepid is affected.

SRU Process
========

Impact
---------
As stated in the release notes:

 allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do.

Patch
--------

One line patch taken from the upstream repository:
http://hg.dovecot.org/dovecot-1.1/raw-rev/48840b2d4b18

--- a/src/lib-mail/message-address.c Thu Oct 23 18:58:22 2008 +0300
+++ b/src/lib-mail/message-address.c Fri Oct 24 01:56:13 2008 +0300
@@ -314,8 +314,7 @@ message_address_parse_real(pool_t pool,
  ctx.str = t_str_new(128);
  ctx.fill_missing = fill_missing;

- ret = rfc822_skip_lwsp(&ctx.parser);
- if (ret == 0) {
+ if (rfc822_skip_lwsp(&ctx.parser) <= 0) {
   /* no addresses */
   return NULL;
  }

How-to reproduce the bug
---------------------------------
Send an email with a From header starting with a ( and that doesn't have a ). Issue a FETCH ENVELOPE command.
Expected result:
Headers containing the envolope of the message.
Actual result:
The imap server closes the connection. There is an assertion failure in the log on the server.

The qa-regression-testing dovecot script has been updated with a test case to cover this bug:
http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/228

Mathias Gug (mathiaz) on 2008-10-29
Changed in dovecot:
importance: Undecided → High
Mathias Gug (mathiaz) wrote :

I've attached a python script that triggers the problem.

description: updated
Mathias Gug (mathiaz) on 2008-11-07
Changed in dovecot:
assignee: nobody → mathiaz
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Removed from -proposed on Kees' request:

2008-11-07 16:07:52 INFO Removing candidates:
2008-11-07 16:07:52 INFO dovecot 1:1.1.4-0ubuntu1.1 in intrepid
2008-11-07 16:07:52 INFO dovecot-common 1:1.1.4-0ubuntu1.1 in intrepid lpia
2008-11-07 16:07:52 INFO dovecot-dev 1:1.1.4-0ubuntu1.1 in intrepid lpia
2008-11-07 16:07:52 INFO dovecot-imapd 1:1.1.4-0ubuntu1.1 in intrepid lpia
2008-11-07 16:07:52 INFO dovecot-pop3d 1:1.1.4-0ubuntu1.1 in intrepid lpia
2008-11-07 16:07:52 INFO Removed-by: Martin Pitt
2008-11-07 16:07:52 INFO Comment: handled as security update
2008-11-07 16:07:52 INFO 5 packages successfully removed.

Security team, please reupload through -security.

Changed in dovecot:
status: Fix Committed → In Progress
Kees Cook (kees) on 2008-11-07
Changed in dovecot:
assignee: nobody → mathiaz
status: New → In Progress
Kees Cook (kees) wrote :

This has been published: http://www.ubuntu.com/usn/USN-666-1

Changed in dovecot:
status: In Progress → Fix Released
Kees Cook (kees) on 2009-01-07
Changed in dovecot:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments