bug#1808: marked as done (mutt: hangs on ill-formatted mail)
Your message dated Wed, 18 Feb 2004 00:58:12 +0100
with message-id <20040217235812.GE12411@xxxxxxxxxxxxxxxxxxx>
and subject line Bug#233106: mutt: hangs on ill-formatted mail
has caused the attached bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Herr der Kaefer
(administrator, GUUG bugs database)
--------------------------------------
Received: (at submit) by bugs.guug.de; 16 Feb 2004 22:59:37 +0000
>From md@xxxxxxxx Mon Feb 16 23:59:27 2004
Received: from attila.bofh.it ([213.92.8.2] ident=postfix)
by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
id 1Asri2-0006ah-00
for <submit@xxxxxxxxxxxx>; Mon, 16 Feb 2004 23:59:27 +0100
Received: by attila.bofh.it (Postfix, from userid 10)
id 98A885F8A4; Tue, 17 Feb 2004 00:02:14 +0100 (CET)
Received: by wonderland.linux.it (Postfix, from userid 1001)
id 7A9001BEBD; Tue, 17 Feb 2004 00:01:52 +0100 (CET)
From: Marco d'Itri <md@xxxxxxxx>
To: submit@xxxxxxxxxxxx
Subject: mutt: hangs on ill-formatted mail
X-GUUG-CC: 233106@xxxxxxxxxxxxxxx
Message-Id: <20040216230152.7A9001BEBD@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 17 Feb 2004 00:01:52 +0100 (CET)
X-Spam-Status: No, hits=-102.2 required=4.0
tests=AWL,USER_IN_WHITELIST
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Package: mutt
Version: 1.5.5.1-20040112+1
Severity: normal
[NOTE: this bug report has been submitted to the debian BTS as Bug#233106.
Please Cc all your replies to 233106@xxxxxxxxxxxxxxx .]
From: Philipp Weis <pweis@xxxxxxxxx>
Subject: mutt: hangs on ill-formatted mail
Date: Mon, 16 Feb 2004 23:36:58 +0100
The attached mail (as mbox) can not be opened with mutt. It just hangs
and uses all available cpu resources. The message seems to be somewhat
ill-formatted.
If you cannot reproduce this, please let me know and I will try to
isolate the problem or send you my config files.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (600, 'unstable'), (570, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
Versions of packages mutt depends on:
ii exim4-daemon-light [mail- 4.30-5 Lightweight version of the Exim (v
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii libidn11 0.3.4-1 GNU libidn library, implementation
ii libncursesw5 5.3.20030719-5 Shared libraries for terminal hand
ii libsasl2 2.1.15-6 Authentication abstraction library
-- no debconf information
--
Philipp Weis pweis@xxxxxxxxx
Freiburg, Germany http://pweis.com/
>From pweis@xxxxxxxxxxxxxxxx Mon Feb 16 23:04:04 2004
Return-path: <pweis@xxxxxxxxxxxxxxxx>
Envelope-to: pweis@localhost
Delivery-date: Mon, 16 Feb 2004 23:04:04 +0100
Received: from localhost ([127.0.0.1])
by zaphod with esmtp (Exim 4.30 #1 (Debian))
id 1AsqqP-0000C4-TU
for <pweis@localhost>; Mon, 16 Feb 2004 23:04:02 +0100
Received: from arthur.pweis.com [217.160.179.57]
by localhost with IMAP (fetchmail-6.2.4)
for pweis@localhost (single-drop); Mon, 16 Feb 2004 23:04:01 +0100 (CET)
Received: from pweis by arthur.pweis.com with local (Exim 4.30 #1 (Debian))
id 1AsmBd-000581-UK
for <pweis@zaphod>; Mon, 16 Feb 2004 18:05:37 +0100
Received: from outgoing3.securityfocus.com ([205.206.231.27])
by arthur.pweis.com with esmtp (Exim 4.30 #1 (Debian))
id 1AsmBZ-00057N-EL
for <pweis@xxxxxxxxx>; Mon, 16 Feb 2004 18:05:33 +0100
Received: from lists2.securityfocus.com (lists2.securityfocus.com
[205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 7BFD8A30D5; Mon, 16 Feb 2004 11:03:04 -0700 (MST)
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 21742 invoked from network); 15 Feb 2004 09:33:07 -0000
Date: 15 Feb 2004 15:41:52 -0000
Message-ID: <20040215154152.32653.qmail@xxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain
Content-Disposition: inline
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: LynX <_lynx@xxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: problems with database files in 'SignatureDB'
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score 2.7/5.0 [no]
Scanned by SpamAssassin 2.63 (2004-01-11) on arthur.
0.7 MIME_QP_NO_CHARSET RAW: Quoted-printable inline text with no
charset
1.9 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
X-CRM114-Status: Good ( pR: 54.6872 )
X-Label: unknown
Status-Arthur: O
X-UID: 1581
X-Keywords:
Status: O
Content-Length: 4489
Lines: 145
-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: SHA1=0D
=0D
=0D
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =
- - - - -=0D
File: LynX-adv4_SignatureDB.txt=0D
Date: 15/02/2004=0D
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =
- - - - - =0D
=0D
o NAME: problems with database files in 'SignatureDB'=0D
=0D
o CLASS: denial of service (DOS)=0D
=0D
o PROGRAMM: SignatureDB [http://pldaniels.com/signaturedb/]=0D
- Affected versions: 0.1.1=0D
- Immune versions: -=0D
=0D
o OS: Linux and UNIX clones=0D
=0D
o VENDOR: Paul L Daniels <pldaniels@xxxxxxxxxxxxx>=0D
=0D
o DESCRIPTION:=0D
'SignatureDB' is actually two components, a signature database which i=
s=0D
available on the internet, and a 'signatureID' program, which scans you=
r files.=0D
You can in effect consider 'SDB/ID' in the same way you consider and us=
e an=0D
'AntiVirus' program, but 'SDB/ID' are aimed at a slightly different sec=
tor of=0D
the industry. Its purpose is to provide signatures/fingerprints of comm=
on,=0D
annoying emails/files, not specifically viruses.=0D
=0D
o VULNERABILITY DESCRIPTION:=0D
'SignatureDB' package contain 'sdbscan' program, which scans files, in=
=0D
according with specified database file. It is possible to create a big =
'key'=0D
parameter in this file, that will reduce to 'Segmentation fault'. Funct=
ion which=0D
work with contents of database files, are located in 'ringsearch.c' fil=
e. =0D
After '#' - going my comments.=0D
=0D
Cut from file: 'ringsearch.h'=0D
...=0D
33 struct _infonode {=0D
34 char key[20];=0D
35 char *comment;=0D
36 int major;=0D
37 int minor;=0D
38 int flags;=0D
39 };=0D
...=0D
=0D
Cut from file: 'ringsearch.c'=0D
...=0D
537 int RS_load_keys( struct _snode *parent, char *fname ){=0D
/* # where 'fname' - database filename */=0D
...=0D
541 char line[10240]; /* # allocating memory for 10240 bytes, and the=
n use */=0D
/* # only 1024, maybe author was mistaken and l=
ast 0 */=0D
/* # is unnecessary :) */=0D
...=0D
562 while (fgets(line, 1023, f)){=0D
...=0D
582 sprintf(info->key,"%s",key); /* # size of 'key' are not checkin=
g, its */=0D
/* # can be =3D< 1018 bytes, and s=
ize of */=0D
/* # 'info->key' is equal 20 bytes=
, so */=0D
/* # 'info->key' can be overflowed=
*/=0D
...=0D
=0D
Its only first version of 'SignatureDB', so i think that in the next v=
ersions=0D
this problem will be fixed.=0D
P.S. Sorry, for my poor english :).=0D
=0D
o VULNERABILITY PREVENTION:=0D
Instead of using 'sprintf' function, will be more correct to use funct=
ion=0D
'snprintf'.=0D
=0D
o EXPLOITING:=0D
It is possible to specify configuration file for 'sdbscan' program, in=
this=0D
file you may type path to your own database file, which contents can ca=
use=0D
buffer overflow and then 'Segmentation fault'.=0D
=0D
Example of exploiting :=0D
=0D
[LynX@ /tmp]$ cat my.conf=0D
dbfile=3D/tmp/fake.db=0D
verbose=3D1=0D
fastscan=3D0=0D
fastexit=3D0=0D
[LynX@ /tmp]$ cat fake.db=0D
AAA ... '1000 x A' ... AAA:1:1:1:1:A:A=0D
[LynX@ /tmp]$ sdbscan --conf_file=3Dmy.conf=0D
Segmentation fault (core dumped) =0D
[LynX@ /tmp]$=0D
=0D
o VENDOR RESPONSE:=0D
I sent notification mail to the Paul Daniels <pldaniels@xxxxxxxxxxxxx>=
and=0D
did not received an answer.=0D
=0D
o CREDITS:=0D
- Thanks: nob0dy, netc0de, Xarth=0D
- Greets: R00T T34M [http://rootteam.void.ru],=0D
void,=0D
LimpidByte,=0D
=0D
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =
- - - - -=0D
Discovere=
d by LynX=0D
<_Ly=
nX@xxxxx>=0D
/ close your eyes & dream =
with me /=0D
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - =
- - - - - =0D
=0D
=0D
-----BEGIN PGP SIGNATURE-----=0D
Version: GnuPG v1.0.4 (GNU/Linux)=0D
Comment: For info see http://www.gnupg.org=0D
=0D
iEYEARECAAYFAkAv8HMACgkQjvZ3gq5fCnGA8gCgnqItklxup0YzArOkT6nn+kNI=0D
5BgAoOf+SFgV1vXH73RcdzIWXbdXa8NK=0D
=3DiIIl=0D
-----END PGP SIGNATURE-----=0D
---------------------------------------
Received: (at 1808-done) by bugs.guug.de; 17 Feb 2004 23:55:38 +0000
>From md@xxxxxxxx Wed Feb 18 00:55:36 2004
Received: from attila.bofh.it ([213.92.8.2] ident=postfix)
by trithemius.gnupg.org with esmtp (Exim 3.35 #1 (Debian))
id 1AtF3w-0005kH-00
for <1808-done@xxxxxxxxxxxx>; Wed, 18 Feb 2004 00:55:36 +0100
Received: by attila.bofh.it (Postfix, from userid 10)
id 86FC35F7B5; Wed, 18 Feb 2004 00:58:23 +0100 (CET)
Received: by wonderland.linux.it (Postfix, from userid 1001)
id 4885B1BF10; Wed, 18 Feb 2004 00:58:12 +0100 (CET)
Date: Wed, 18 Feb 2004 00:58:12 +0100
From: Marco d'Itri <md@xxxxxxxx>
To: Philipp Weis <pweis@xxxxxxxxx>, 233106-done@xxxxxxxxxxxxxxx
Cc: Laurent Fousse <laurent@xxxxxxxxxx>, 1808-done@xxxxxxxxxxxx
Subject: Re: Bug#233106: mutt: hangs on ill-formatted mail
Message-ID: <20040217235812.GE12411@xxxxxxxxxxxxxxxxxxx>
References: <20040216223658.GA6862@xxxxxxxxxxxxxxxx>
<20040217141708.GA2980@kolvir> <20040217233106.GA18440@xxxxxxxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ"
Content-Disposition: inline
In-Reply-To: <20040217233106.GA18440@xxxxxxxxxxxxxxxx>
User-Agent: Mutt/1.5.5.1+cvs20040105i
X-Spam-Status: No, hits=-105.6 required=4.0
tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,PGP_SIGNATURE_2,REFERENCES,
REPLY_WITH_QUOTES,USER_AGENT_MUTT,USER_IN_WHITELIST
autolearn=ham version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
--mP3DRpeJDSE+ciuQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Feb 18, Philipp Weis <pweis@xxxxxxxxx> wrote:
>message-hook '!(~g|~G) ~b"^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE"' "exec ch=
eck-traditional-pgp"
This was already discussed, I don't remember the details but I ended up
removing this line from the default configuration, because it cannot
work.
--=20
ciao, |
Marco | [4652 acekiA9DB.YEA]
--mP3DRpeJDSE+ciuQ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAMqqUFGfw2OHuP7ERAidAAJsELuqmQpzy1eDivuQ52cWPJ33LFQCeK5l4
NZGNFzV3BZZlb/PLJCr9QHk=
=GgfP
-----END PGP SIGNATURE-----
--mP3DRpeJDSE+ciuQ--