Debian Bug report logs - #352482
metamail: [CVE-2006-0709] crashes with very long boundaries in messages


Package: metamail; Maintainer for metamail is (unknown);

Reported by: "Ulf Harnhammar" <metaur@operamail.com>

Date: Sun, 12 Feb 2006 10:03:03 UTC

Severity: serious

Tags: patch, security

Merged with 353539

Found in version metamail/2.7-50

Fixed in version metamail/2.7-51

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: submit@bugs.debian.org
Subject: metamail: crashes with very long boundaries in messages
Date: Sun, 12 Feb 2006 10:34:54 +0100
Subject: metamail: crashes with very long boundaries in messages
Package: metamail
Version: 2.7-50
Severity: important
Tags: patch

Hello,

I have found that metamail crashes when processing messages with very long
boundaries. They cause a buffer overflow, which doesn't seem to be exploitable:


metaur@metaur:~$ /usr/bin/metamail < metamail.txt
From: <metaur@localhost>
To: <metaur@localhost>
Subject: metamail crash bug

*** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
Aborted
metaur@metaur:~$


I have attached a test message, as well as a patch.

// Ulf Harnhammar

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages metamail depends on:
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an
ii  libncurses5                   5.5-1      Shared libraries for terminal hand

Versions of packages metamail recommends:
ii  mime-support                  3.35-1     MIME files 'mime.types' & 'mailcap
ii  sharutils                     1:4.2.1-15 shar, unshar, uuencode, uudecode

-- no debconf information



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze
[metamail.txt (text/plain, attachment)]
[metamail.boundarycrash.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #10 received at 352482@bugs.debian.org:

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Ulf Harnhammar <metaur@operamail.com>, 352482@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Sun, 12 Feb 2006 11:20:05 -0500
tag 352482 security
thanks

On Sun, Feb 12, 2006 at 10:34:54AM +0100, Ulf Harnhammar wrote:
> Subject: metamail: crashes with very long boundaries in messages
> Package: metamail
> Version: 2.7-50
BTW, what is in ./metamail, rather than ./src/metamail/??

Is it a different source version??  It has, instead, on line 447:

	LineBuf = malloc(LINE_BUF_SIZE);        /* fixed-size heap buffer */
	if (!LineBuf) ExitWithError(nomem);
	sprintf(LineBuf, "--%s", boundary);     /* boundary length never checked against LINE_BUF_SIZE */

> I have found that metamail crashes when processing messages with
> very long boundaries. They cause a buffer overflow, which doesn't
> seem to be exploitable:
How is this not [potentially] exploitable?

Justin



Tags added: security. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #17 received at 352482@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: "Justin Pryzby" <justinpryzby@users.sourceforge.net>, 352482@bugs.debian.org, debian-audit@shellcode.org
Subject: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Mon, 13 Feb 2006 12:45:46 +0100
> BTW, what is in ./metamail, rather than ./src/metamail/??

I don't know. I noticed that the source is included twice, but I haven't looked into why that is the case. FWIW, if you just patch the source in src and not in ., the resulting binaries seem to be fixed.

> > I have found that metamail crashes when processing messages with
> > very long boundaries. They cause a buffer overflow, which doesn't
> > seem to be exploitable:

> How is this not [potentially] exploitable?

Well, because of the error message that it prints, and because of the way things look in gdb (if I remember correctly, it crashes in strtok() or some similar function).  I've been taught that this signifies not being exploitable, but I may be wrong.

What do the others in the Debian Security Audit Project think about this?

// Ulf






Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to Max Vozeler <xam@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #22 received at 352482@bugs.debian.org:

From: Max Vozeler <xam@debian.org>
To: Ulf Harnhammar <metaur@operamail.com>
Cc: Justin Pryzby <justinpryzby@users.sourceforge.net>, 352482@bugs.debian.org, debian-audit@shellcode.org
Subject: Re: [Debian-audit] Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Mon, 13 Feb 2006 13:46:42 +0100
On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
> 
> Well, because of the error message that it prints, and because of 
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function).  I've been taught that this
> signifies not being exploitable, but I may be wrong.

In my quick test with 2.7-50 from sid, it's the safety checks
in _int_free() that abort the process.

> What do the others in the Debian Security Audit Project think about
> this?

| From: <metaur@localhost>
| To: <metaur@localhost>
| Subject: metamail crash bug
| 
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| metaur@metaur:~$

This may in fact be exploitable. The error indicates that a 
malloc chunk header has been corrupted. Depending on the exact
circumstances - the version of glibc and the order of memory
allocations/frees in metamail - this may (or may not) be possible
to use for writing to arbitrary memory locations. Without having
looked at it in detail, I would consider this bug exploitable
unless it's proven not to be.

cheers,
Max
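As an added example (not metamail's code and not the patch attached to this report), the allocation pattern Justin quotes in Message #10 is shown beside a bounded replacement; the overflow check models why an over-long boundary runs into the following chunk header and trips the glibc free() checks Max describes above. The LINE_BUF_SIZE value and the 70-character rejection limit are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for metamail's LINE_BUF_SIZE (real value not on this page). */
#define LINE_BUF_SIZE 2000

/* The pattern quoted in the report: LineBuf = malloc(LINE_BUF_SIZE), then
 * sprintf(LineBuf, "--%s", boundary). Returns 1 when the line does not
 * fit, i.e. when that sprintf() would write over the next chunk's size
 * field, which glibc's free() checks later report as "invalid next size". */
int boundary_line_overflows(const char *boundary)
{
    return strlen(boundary) + 2 + 1 > LINE_BUF_SIZE;   /* "--" + text + NUL */
}

/* Hardened form: size the allocation from the measured length, bound the
 * write with snprintf(), and refuse boundaries over the 70 characters
 * RFC 2046 allows (rejecting rather than truncating is this example's
 * choice). Returns NULL on rejection or malloc failure; caller frees. */
char *build_boundary_line(const char *boundary)
{
    size_t blen = strlen(boundary);
    if (blen > 70)
        return NULL;
    size_t need = 2 + blen + 1;
    char *line = malloc(need);
    if (!line)
        return NULL;
    snprintf(line, need, "--%s", boundary);   /* cannot exceed 'need' */
    return line;
}

/* Exercise both functions on constructed inputs: a normal boundary and a
 * 4000-byte one standing in for the report's oversized boundary.
 * Returns 1 if every expectation holds, 0 otherwise. */
int check_constructed_inputs(void)
{
    char *ok = build_boundary_line("=_NextPart_01");
    int good = ok && strcmp(ok, "--=_NextPart_01") == 0
               && !boundary_line_overflows("=_NextPart_01");
    free(ok);
    char huge[4001];
    memset(huge, 'A', 4000);
    huge[4000] = '\0';
    good = good && boundary_line_overflows(huge)
           && build_boundary_line(huge) == NULL;
    return good;
}
```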



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.

Message #27 received at 352482@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: 352482@bugs.debian.org
Subject: It's a vuln
Date: Wed, 22 Feb 2006 13:00:51 +0100
This is CVE-2006-0709 now.

Additionally, Red Hat sound confident that this is exploitable:

"This issue is a pretty standard heap based buffer overflow."

-- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181665

They have issued a security advisory with severity set to important:

https://rhn.redhat.com/errata/RHSA-2006-0217.html

// Ulf






Severity set to 'serious'. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#352482; Package metamail.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

Message #34 received at 352482@bugs.debian.org:

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: <352482@bugs.debian.org>
Date: Wed, 22 Feb 2006 13:24:49 -0500
In particular, this is CVE-2006-0709.



Changed Bug title. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org.

Merged 352482 353539. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility.

Notification sent to "Ulf Harnhammar" <metaur@operamail.com>:
Bug acknowledged by developer.

Message #45 received at 352482-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 352482-close@bugs.debian.org
Subject: Bug#352482: fixed in metamail 2.7-51
Date: Wed, 22 Feb 2006 15:17:11 -0800
Source: metamail
Source-Version: 2.7-51

We believe that the bug you reported is fixed in the latest version of
metamail, which is due to be installed in the Debian FTP archive:

metamail_2.7-51.diff.gz
  to pool/main/m/metamail/metamail_2.7-51.diff.gz
metamail_2.7-51.dsc
  to pool/main/m/metamail/metamail_2.7-51.dsc
metamail_2.7-51_i386.deb
  to pool/main/m/metamail/metamail_2.7-51_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 352482@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated metamail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 23 Feb 2006 09:17:36 +1100
Source: metamail
Binary: metamail
Architecture: source i386
Version: 2.7-51
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 metamail   - implementation of MIME
Closes: 352482 353539
Changes: 
 metamail (2.7-51) unstable; urgency=high
 .
   * QA upload.
   * Fixed "[CVE-2006-0709] crashes with very long boundaries in
     messages", closes: #352482, #353539. Patch thanks to
     Ulf Harnhammar <metaur@telia.com>.
Files: 
 48cdeddf6218467b783109a06159a9f8 597 mail optional metamail_2.7-51.dsc
 8152ee3780223118a18e4d0969a6ddad 321763 mail optional metamail_2.7-51.diff.gz
 477ec68982615ed2b72178ab4948c102 150530 mail optional metamail_2.7-51_i386.deb





Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility.

Notification sent to "Ulf Harnhammar" <metaur@operamail.com>:
Bug acknowledged by developer.

Message #50 received at 353539-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 353539-close@bugs.debian.org
Subject: Bug#353539: fixed in metamail 2.7-51
Date: Wed, 22 Feb 2006 15:17:11 -0800
Source: metamail
Source-Version: 2.7-51

We believe that the bug you reported is fixed in the latest version of
metamail, which is due to be installed in the Debian FTP archive:

metamail_2.7-51.diff.gz
  to pool/main/m/metamail/metamail_2.7-51.diff.gz
metamail_2.7-51.dsc
  to pool/main/m/metamail/metamail_2.7-51.dsc
metamail_2.7-51_i386.deb
  to pool/main/m/metamail/metamail_2.7-51_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 353539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated metamail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 23 Feb 2006 09:17:36 +1100
Source: metamail
Binary: metamail
Architecture: source i386
Version: 2.7-51
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 metamail   - implementation of MIME
Closes: 352482 353539
Changes: 
 metamail (2.7-51) unstable; urgency=high
 .
   * QA upload.
   * Fixed "[CVE-2006-0709] crashes with very long boundaries in
     messages", closes: #352482, #353539. Patch thanks to
     Ulf Harnhammar <metaur@telia.com>.
Files: 
 48cdeddf6218467b783109a06159a9f8 597 mail optional metamail_2.7-51.dsc
 8152ee3780223118a18e4d0969a6ddad 321763 mail optional metamail_2.7-51.diff.gz
 477ec68982615ed2b72178ab4948c102 150530 mail optional metamail_2.7-51_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:28:01 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:38:31 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.