Debian Bug report logs - #100394
SPAM crashes fetchmail


Package: fetchmail; Maintainer for fetchmail is Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>; Source for fetchmail is src:fetchmail.

Reported by: Wolfram Kleff <kleff@cs.uni-bonn.de>

Date: Sun, 10 Jun 2001 14:06:54 UTC

Severity: normal

Found in version 5.7.1-2

Done: Henrique de Moraes Holschuh <hmh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#100394; Package fetchmail.

Acknowledgement sent to Wolfram Kleff <kleff@cs.uni-bonn.de>:
New Bug report received and forwarded. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Wolfram Kleff <kleff@cs.uni-bonn.de>
To: submit@bugs.debian.org
Subject: SPAM crashes fetchmail
Date: Sun, 10 Jun 2001 15:43:14 +0200 (CEST)
Package: fetchmail
Version: 5.7.1-2

fetchmail has two problems with SPAM mails:
1)
fetchmail crashes with segfault with SPAM mail with large "To: " lines.
The "To: " line is for example > 25000 chars long.
2)
fetchmail crashes with timeout on some mails because it doesn't detect the
last "."
This is rare but always reproducible - I'm not sure about the reason.

Both problems are specific to fetchmail and reproducible - another POP fetch
utility has no such problems.
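The second symptom in this report, a fetch that sits until the timeout because the final "." is never recognised, is what a client sees when its multi-line response reader loses track of the POP3 terminator. The function below is an added example, not fetchmail's code and not a diagnosis of this bug (the thread never identifies the cause of the timeout): it decodes an RFC 1939 multi-line response, removes byte-stuffed leading dots, reports whether the terminator has been seen so the caller knows whether to keep reading or give up, and refuses to write past its output buffer. SAMPLE_RAW is a constructed message; all function and constant names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum pop3_ml { POP3_ML_COMPLETE = 0, POP3_ML_INCOMPLETE = 1, POP3_ML_OVERFLOW = 2 };

/* Decode the multi-line part of a POP3 response (RFC 1939 section 3): lines
 * end in CRLF, a line consisting only of "." terminates the body, and any
 * body line that starts with "." was sent with an extra "." prepended
 * (byte-stuffing), which is removed here. Lines are written to out with LF
 * endings and a final NUL.
 * Returns POP3_ML_COMPLETE when the terminator was seen (*consumed = raw bytes
 * used, terminator included), POP3_ML_INCOMPLETE when raw ended before the
 * terminator (the caller must read more or give up after a timeout), and
 * POP3_ML_OVERFLOW when out (outcap >= 1 bytes) cannot hold the body. */
static enum pop3_ml pop3_decode_multiline(const char *raw, size_t rawlen,
                                          char *out, size_t outcap, size_t *consumed)
{
    size_t i = 0, o = 0;

    while (i < rawlen) {
        size_t j = i;                               /* find the CRLF ending this line */
        while (j + 1 < rawlen && !(raw[j] == '\r' && raw[j + 1] == '\n'))
            j++;
        if (j + 1 >= rawlen)
            return POP3_ML_INCOMPLETE;              /* no complete line yet */

        const char *line = raw + i;
        size_t linelen = j - i;

        if (linelen == 1 && line[0] == '.') {       /* the terminator line */
            if (o >= outcap)
                return POP3_ML_OVERFLOW;
            out[o] = '\0';
            if (consumed)
                *consumed = j + 2;
            return POP3_ML_COMPLETE;
        }
        if (linelen > 0 && line[0] == '.') {        /* stuffed: ".." -> ".", "..." -> ".." */
            line++;
            linelen--;
        }
        if (o + linelen + 2 > outcap)               /* room for line, LF and final NUL */
            return POP3_ML_OVERFLOW;
        memcpy(out + o, line, linelen);
        o += linelen;
        out[o++] = '\n';
        i = j + 2;
    }
    return POP3_ML_INCOMPLETE;                      /* data ran out before "." */
}

/* Constructed server data as it would arrive after the "+OK" status line:
 * a header, a blank line, three byte-stuffed body lines, a normal line and
 * the terminator. */
static const char SAMPLE_RAW[] =
    "From: a@example.org\r\n"
    "\r\n"
    "..starts with a dot\r\n"
    "...\r\n"
    "..\r\n"
    "last\r\n"
    ".\r\n";

/* The unstuffed body the decoder should produce from SAMPLE_RAW. */
static const char SAMPLE_BODY[] =
    "From: a@example.org\n\n.starts with a dot\n..\n.\nlast\n";

/* Full sample: terminator found, every byte consumed, body unstuffed. */
static int sample_decode_ok(void)
{
    char out[256];
    size_t used = 0;
    enum pop3_ml st = pop3_decode_multiline(SAMPLE_RAW, strlen(SAMPLE_RAW),
                                            out, sizeof out, &used);
    return st == POP3_ML_COMPLETE && used == strlen(SAMPLE_RAW)
           && strcmp(out, SAMPLE_BODY) == 0;
}

/* Same data with the final ".\r\n" withheld: the terminator has not arrived. */
static enum pop3_ml sample_decode_without_terminator(void)
{
    char out[256];
    return pop3_decode_multiline(SAMPLE_RAW, strlen(SAMPLE_RAW) - 3,
                                 out, sizeof out, NULL);
}

/* An output buffer too small for even the first line. */
static enum pop3_ml sample_decode_tiny_buffer(void)
{
    char out[8];
    return pop3_decode_multiline(SAMPLE_RAW, strlen(SAMPLE_RAW),
                                 out, sizeof out, NULL);
}
```

The point of the three return values is that a reader which cannot distinguish "terminator seen" from "no more data yet" has only the socket timeout left to end the message, which is the hang the report describes.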




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#100394; Package fetchmail.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 100394@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>, 100394@bugs.debian.org
Subject: Re: Bug#100394: SPAM crashes fetchmail
Date: Mon, 11 Jun 2001 19:23:19 -0300
On Sun, 10 Jun 2001, Wolfram Kleff wrote:
> Package: fetchmail
> Version: 5.7.1-2
> 
> fetchmail has two problems with SPAM mails:
> 1)
> fetchmail crashes with segfault with SPAM mail with large "To: " lines.
> The "To: " line is for example > 25000 chars long.
> 2)
> fetchmail crashes with timeout on some mails because it doesn't detect the
> last "."
> This is rare but always reproducible - I'm not sure about the reason.

Please send me fetchmail -v -v debug dumps showing the above bugs; that will
help me fix the problem. If you know how to use gdb, please give me a stack
trace of the segfault in the first bug.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org, Henrique de Moraes Holschuh <hmh@debian.org>:
Bug#100394; Package fetchmail.

Acknowledgement sent to Wolfram Kleff <kleff@cs.uni-bonn.de>:
Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <hmh@debian.org>.

Message #15 received at 100394@bugs.debian.org:

From: Wolfram Kleff <kleff@cs.uni-bonn.de>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 100394@bugs.debian.org, esr@snark.thyrsus.com
Subject: Re: Bug#100394: SPAM crashes fetchmail
Date: Tue, 12 Jun 2001 01:06:13 +0200 (CEST)
On 11-Jun-2001 Henrique de Moraes Holschuh wrote:
> On Sun, 10 Jun 2001, Wolfram Kleff wrote:
>> Package: fetchmail
>> Version: 5.7.1-2
>> 
>> fetchmail has two problems with SPAM mails:
>> 1)
>> fetchmail crashes with segfault with SPAM mail with large "To: " lines.
>> The "To: " line is for example > 25000 chars long.
>> 2)
>> fetchmail crashes with timeout on some mails because it doesn't detect the
>> last "."
>> This is rare but always reproducible - I'm not sure about the reason.
> 
> Please send me fetchmail -v -v debug dumps showing the above bugs, that will
> help me fix the problem.

Erm, what's so incomprehensible about my bug report?
Just give fetchmail a large "To: " line and it crashes....

But as you like:
[...]
fetchmail: POP3> RETR 1
fetchmail: POP3< +OK
fetchmail: reading message [...]
fetchmail: About to rewrite To: [blabla - truncated]
...crash without the full "To: " line.
Looks like the "usual" buffer overflow...

I suppose it's also a _security_ bug. Someone sends a "special" email - and if he
is skilled enough he can gain root access, spy email passwords, etc. :-(





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#100394; Package fetchmail.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 100394@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>
Cc: 100394@bugs.debian.org, esr@snark.thyrsus.com
Subject: Re: Bug#100394: SPAM crashes fetchmail
Date: Mon, 11 Jun 2001 22:51:08 -0300
Hi Wolfram!

On Tue, 12 Jun 2001, Wolfram Kleff wrote:

> 
> On 11-Jun-2001 Henrique de Moraes Holschuh wrote:
> > On Sun, 10 Jun 2001, Wolfram Kleff wrote:
> > Please send me fetchmail -v -v debug dumps showing the above bugs, that will
> > help me fix the problem.
> 
> Erm, what's so incomprehensible about my bug report?

Nothing incomprehensible, but the dump usually tells me more about your
configuration. E.g., if multidrop is on, and things like that.

> Just give fetchmail a large "To: " line and it crashes....
> 
> But as you like:
> [...]
> fetchmail: POP3> RETR 1
> fetchmail: POP3< +OK
> fetchmail: reading message [...]
> fetchmail: About to rewrite To: [blabla - truncated]
> ...crash without the full "To: " line.
> Looks like the "usual" buffer overflow...

Indeed it does. I'm on this one and I shall have a fix soon.

> I suppose it's also a _security_ bug. Someone sends a "special" email - and if he
> is skilled enough he can gain root access, spy email passwords, etc. :-(

Maybe. Let me see what causes the crash, the header rewriting code does way
too much ugly magic with pointers, and may be crashing because of something
else.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#100394; Package fetchmail.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list.

Message #25 received at 100394@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>
Cc: 100394@bugs.debian.org
Subject: Re: Bug#100394: SPAM crashes fetchmail
Date: Tue, 12 Jun 2001 00:59:18 -0300
> Erm, what's so incomprehensible about my bug report?
> Just give fetchmail a large "To: " line and it crashes....

Unfortunately all email/pop3 servers I have access to right now are too good
to allow such a cretin To: line through (they rewrite it to "undisclosed
recipients"), so I cannot readily test the problem.

Please run:

strace -o /tmp/strace.output fetchmail -v -v >/tmp/fetchmail.output

Please edit the /tmp/strace.output file and REMOVE your passwords from it
(change them to "**" or whatever), and email me the two output files. The
strace should tell me exactly where in the program code fetchmail is
crashing.  Either that or run fetchmail under gdb and give me a backtrace of
the segfault (I think the fetchmail FAQ teaches how to do this, if you don't
already know).

Otherwise, this bug will have to wait until I can set up a pop3/imap server
under my control to feed it a big "To:".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#100394; Package fetchmail.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list.

Message #30 received at 100394@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>
Cc: 100394@bugs.debian.org
Subject: Re: Bug#100394: SPAM crashes fetchmail
Date: Tue, 12 Jun 2001 01:13:45 -0300
On Tue, 12 Jun 2001, Henrique de Moraes Holschuh wrote:
> Unfortunately all email/pop3 servers I have access to right now are too good
> to allow such a cretin To: line through (they rewrite it to "undisclosed
> recipients"), so I cannot readily test the problem.

Never mind, I found a way to reproduce the crash... nxtaddr() in rfc822.c
overruns address[]. It crashes on line 219 (the for(; *hp ; hp++) line).

Time to fix this ugly mess.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#100394; Package fetchmail.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list.

Message #35 received at 100394@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>, 100394@bugs.debian.org
Subject: [PATCH] tentative fix
Date: Tue, 12 Jun 2001 02:32:03 -0300
Well, here's a first try at a fix. Cute little buffer overflow, this one...
I hate pointer arithmetic, so I cleaned the code up to use arrays.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
[patch (text/plain, attachment)]
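Messages #30 and #35 identify the crash as an unbounded copy of a header address into a fixed array (address[] in rfc822.c, overrun by nxtaddr()) and fix it by rewriting the pointer arithmetic. The attached patch is not reproduced on this page, and the C below is an added example rather than fetchmail's nxtaddr(): it shows the bounded form of that kind of loop, where each comma-separated address is copied into a fixed buffer with an explicit capacity, bytes beyond the capacity are dropped and reported instead of written, and a 25000-character To: line like the one in the report is processed without touching memory outside the buffer. ADDR_CAP, the function names and the constructed header are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size address buffer, standing in for a fixed array
 * like the address[] the maintainer describes. The size is arbitrary. */
#define ADDR_CAP 256

enum addr_status { ADDR_OK = 0, ADDR_TRUNCATED = 1, ADDR_END = 2 };

/* Copy the next comma-separated address from *cursor into buf (cap >= 1
 * bytes, always NUL-terminated) and advance *cursor past it.
 * Returns ADDR_END when the header value is exhausted, ADDR_TRUNCATED when
 * the address did not fit (the excess is skipped, never written) and ADDR_OK
 * otherwise. The bound is checked on every byte, so a header of any length
 * cannot write outside buf. */
static enum addr_status next_addr_bounded(const char **cursor, char *buf, size_t cap)
{
    const char *p = *cursor;
    size_t n = 0;
    int truncated = 0;

    while (*p && isspace((unsigned char)*p))
        p++;                                  /* skip leading whitespace */
    if (*p == '\0') {
        buf[0] = '\0';
        return ADDR_END;
    }
    while (*p && *p != ',') {
        if (n + 1 < cap)
            buf[n++] = *p;                    /* room for this byte plus the NUL */
        else
            truncated = 1;                    /* out of room: drop it, do not overrun */
        p++;
    }
    while (n > 0 && isspace((unsigned char)buf[n - 1]))
        n--;                                  /* trim trailing whitespace */
    buf[n] = '\0';
    if (*p == ',')
        p++;
    *cursor = p;
    return truncated ? ADDR_TRUNCATED : ADDR_OK;
}

/* Walk a whole header value through a fixed ADDR_CAP buffer. Returns the
 * number of addresses seen and, via trunc_out, how many were truncated. */
static size_t count_addresses(const char *hdr, size_t *trunc_out)
{
    char addr[ADDR_CAP];
    const char *cur = hdr;
    size_t count = 0, trunc = 0;
    enum addr_status st;

    while ((st = next_addr_bounded(&cur, addr, sizeof addr)) != ADDR_END) {
        count++;
        if (st == ADDR_TRUNCATED)
            trunc++;
    }
    if (trunc_out)
        *trunc_out = trunc;
    return count;
}

/* Constructed oversized To: value in the shape the report describes: one
 * ordinary address followed by a single token of token_len bytes. Caller frees. */
static char *make_huge_to_header(size_t token_len)
{
    const char *prefix = "alice@example.org, ";
    size_t plen = strlen(prefix);
    char *h = malloc(plen + token_len + 1);
    if (!h)
        return NULL;
    memcpy(h, prefix, plen);
    memset(h + plen, 'x', token_len);
    h[plen + token_len] = '\0';
    return h;
}

/* Addresses found in the constructed header (2 for any token_len). */
static size_t huge_header_addresses(size_t token_len)
{
    char *h = make_huge_to_header(token_len);
    size_t n = h ? count_addresses(h, NULL) : 0;
    free(h);
    return n;
}

/* How many of them had to be truncated to fit ADDR_CAP. */
static size_t huge_header_truncated(size_t token_len)
{
    char *h = make_huge_to_header(token_len);
    size_t t = 0;
    if (h)
        count_addresses(h, &t);
    free(h);
    return t;
}

/* With an 8-byte buffer a long address keeps its first 7 bytes, is flagged,
 * and the walk still ends cleanly. Returns 1 when all three calls behave. */
static int small_buffer_demo_ok(void)
{
    char buf[8];
    const char *cur = "a@b.c, longeraddress@example.org";
    if (next_addr_bounded(&cur, buf, sizeof buf) != ADDR_OK || strcmp(buf, "a@b.c") != 0)
        return 0;
    if (next_addr_bounded(&cur, buf, sizeof buf) != ADDR_TRUNCATED || strcmp(buf, "longera") != 0)
        return 0;
    return next_addr_bounded(&cur, buf, sizeof buf) == ADDR_END;
}
```

Truncating a recipient address is not harmless for a mail client (the rewritten To: will be wrong), so a real fix would also refuse or log the oversized header; what the bound buys is that the worst case is a wrong header rather than a write past the end of the array.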

Reply sent to Henrique de Moraes Holschuh <hmh@debian.org>:
You have taken responsibility.

Notification sent to Wolfram Kleff <kleff@cs.uni-bonn.de>:
Bug acknowledged by developer.

Message #40 received at 100394-done@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Wolfram Kleff <kleff@cs.uni-bonn.de>
Cc: 100394-done@bugs.debian.org
Subject: Fixed in 5.8.5-2 and 5.8.6-1
Date: Wed, 13 Jun 2001 17:06:15 -0300
Fixed in 5.8.5-2 and 5.8.6-1 of both fetchmail and fetchmail-ssl.
Closing bug manually due to typo in changelog file.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:19:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.