[SRU] for broken header parser
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dovecot (Ubuntu) |
Fix Released
|
High
|
Mathias Gug | ||
Intrepid |
Fix Released
|
High
|
Mathias Gug |
Bug Description
Dovecot 1.1.6 has just be released fixing an important bug:
The invalid message address parsing bug is pretty important since it
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do. Note that it
doesn't affect versions older than v1.1.4.
+ dovecot -n and -a now prints some system information at the top.
+ More error/debug message logging improvements.
- pop3-login: Fixed assert-crash if a client sent USER+PASS+USER+PASS
commands in the same IP packet.
- Parsing an invalid message address like "From: (" caused an
assert-crash in v1.1.4 and v1.1.5.
- Folding whitespace wasn't handled correctly inside quoted-strings,
causing some messages to be parsed incorrectly.
- mbox: Fixed saving messages that begin with a valid From_-line.
Only intrepid is affected.
SRU Process
========
Impact
---------
As stated in the release notes:
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do.
Patch
--------
One line patch taken from the upstream repository:
http://
--- a/src/lib-
+++ b/src/lib-
@@ -314,8 +314,7 @@ message_
ctx.str = t_str_new(128);
ctx.fill_missing = fill_missing;
- ret = rfc822_
- if (ret == 0) {
+ if (rfc822_
/* no addresses */
return NULL;
}
How-to reproduce the bug
-------
Send an email with a From header starting with a ( and that doesn't have a ). Issue a FETCH ENVELOPE command.
Expected result:
Headers containing the envolope of the message.
Actual result:
The imap server closes the connection. There is an assertion failure in the log on the server.
The qa-regression-
http://
CVE References
Changed in dovecot: | |
importance: | Undecided → High |
Changed in dovecot: | |
assignee: | nobody → mathiaz |
status: | New → Fix Committed |
Changed in dovecot: | |
assignee: | nobody → mathiaz |
status: | New → In Progress |
Changed in dovecot: | |
status: | In Progress → Fix Released |
I've attached a python script that triggers the problem.