Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>.
Subject: metamail: crashes with very long boundaries in messages
Package: metamail
Version: 2.7-50
Severity: important
Tags: patch
Hello,
I have found that metamail crashes when processing messages with very long
boundaries. They cause a buffer overflow, which doesn't seem to be exploitable:
metaur@metaur:~$ /usr/bin/metamail < metamail.txt
From: <metaur@localhost>
To: <metaur@localhost>
Subject: metamail crash bug
*** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
Aborted
metaur@metaur:~$
I have attached a test message, as well as a patch.
// Ulf Harnhammar
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages metamail depends on:
ii libc6 2.3.5-13 GNU C Library: Shared libraries an
ii libncurses5 5.5-1 Shared libraries for terminal hand
Versions of packages metamail recommends:
ii mime-support 3.35-1 MIME files 'mime.types' & 'mailcap
ii sharutils 1:4.2.1-15 shar, unshar, uuencode, uudecode
-- no debconf information
--
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com
Powered by Outblaze
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
To: Ulf Harnhammar <metaur@operamail.com>, 352482@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Sun, 12 Feb 2006 11:20:05 -0500
tag 352482 security
thanks
On Sun, Feb 12, 2006 at 10:34:54AM +0100, Ulf Harnhammar wrote:
> Subject: metamail: crashes with very long boundaries in messages
> Package: metamail
> Version: 2.7-50
BTW, what is in ./metamail, rather than ./src/metamail/??
Is it a different source version?? It has, instead, on line 447:
LineBuf = malloc(LINE_BUF_SIZE);
if (!LineBuf) ExitWithError(nomem);
sprintf(LineBuf, "--%s", boundary);
> I have found that metamail crashes when processing messages with
> very long boundaries. They cause a buffer overflow, which doesn't
> seem to be exploitable:
How is this not [potentially] exploitable?
Justin
Tags added: security
Request was from Justin Pryzby <justinpryzby@users.sourceforge.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
To: "Justin Pryzby" <justinpryzby@users.sourceforge.net>,
352482@bugs.debian.org, debian-audit@shellcode.org
Subject: Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Mon, 13 Feb 2006 12:45:46 +0100
> BTW, what is in ./metamail, rather than ./src/metamail/??
I don't know. I noticed that the source is included twice, but I haven't looked into why that is the case. FWIW, if you just patch the source in src and not in ., the resulting binaries seem to be fixed.
> > I have found that metamail crashes when processing messages with
> > very long boundaries. They cause a buffer overflow, which doesn't
> > seem to be exploitable:
> How is this not [potentially] exploitable?
Well, because of the error message that it prints, and because of the way things look in gdb (if I remember correctly, it crashes in strtok() or some similar function). I've been taught that this signifies not being exploitable, but I may be wrong.
What do the others in the Debian Security Audit Project think about this?
// Ulf
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to Max Vozeler <xam@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
Subject: Re: [Debian-audit] Re: Bug#352482: metamail: crashes with very long boundaries in messages
Date: Mon, 13 Feb 2006 13:46:42 +0100
On Mon, Feb 13, 2006 at 12:45:46PM +0100, Ulf Harnhammar wrote:
> > How is this not [potentially] exploitable?
>
> Well, because of the error message that it prints, and because of
> the way things look in gdb (if I remember correctly, it crashes in
> strtok() or some similar function). I've been taught that this
> signifies not being exploitable, but I may be wrong.
In my quick test with 2.7-50 from sid, it's the safety checks
in _int_free() that abort the process.
> What do the others in the Debian Security Audit Project think about
> this?
| From: <metaur@localhost>
| To: <metaur@localhost>
| Subject: metamail crash bug
|
| *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 ***
| Aborted
| metaur@metaur:~$
This may in fact be exploitable. The error indicates that a
malloc chunk header has been corrupted. Depending on the exact
circumstances - the version of glibc and the order of memory
allocations/frees in metamail - this may (or may not) be possible
to use for writing to arbitrary memory locations. Without having
looked at it in detail, I would consider this bug exploitable
unless it's proven not to be.
cheers,
Max
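The following is an added example, not metamail's code and not part of the bug log. It shows, for the unchecked sprintf(LineBuf, "--%s", boundary) that Justin quotes and for Max's point that the resulting overrun corrupts a malloc chunk header, what the bounded version of that step looks like: validate the boundary length against the RFC 2046 limit before writing anything, then write with snprintf into a buffer whose size is known. The names build_boundary_line, classify_line and count_parts are hypothetical, LINE_BUF_SIZE is set to a constructed value of 80 (the real metamail value is not stated on this page), and the multipart body is constructed sample input, not a captured message.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen and strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: a small line buffer so the bounds logic is
 * easy to see. The real LINE_BUF_SIZE in metamail is not stated on this page. */
#define LINE_BUF_SIZE 80
/* RFC 2046 section 5.1.1 limits a boundary to 1..70 characters. */
#define MAX_BOUNDARY_LEN 70

/* Hypothetical hardened replacement for the thread's unchecked
 *     sprintf(LineBuf, "--%s", boundary);
 * The length is validated before anything is written and the write itself is
 * bounded. Returns a heap buffer holding "--<boundary>", or NULL when the
 * boundary is missing, empty, over the RFC limit, or too long for the buffer. */
char *build_boundary_line(const char *boundary)
{
    if (boundary == NULL) return NULL;
    /* strnlen stops early, so an attacker-sized boundary is never fully scanned */
    size_t blen = strnlen(boundary, MAX_BOUNDARY_LEN + 1);
    if (blen == 0 || blen > MAX_BOUNDARY_LEN) return NULL;
    if (blen + 2 + 1 > LINE_BUF_SIZE) return NULL;   /* "--" + boundary + NUL */

    char *line = malloc(LINE_BUF_SIZE);
    if (line == NULL) return NULL;
    int n = snprintf(line, LINE_BUF_SIZE, "--%s", boundary);
    if (n < 0 || (size_t)n >= LINE_BUF_SIZE) {       /* unreachable after the checks, kept as a guard */
        free(line);
        return NULL;
    }
    return line;
}

/* 1 if build_boundary_line accepts the boundary, 0 if it rejects it. */
int boundary_accepted(const char *boundary)
{
    char *line = build_boundary_line(boundary);
    if (line == NULL) return 0;
    free(line);
    return 1;
}

/* Constructed probe: a boundary of n 'A' characters (n <= 300), so the RFC
 * limit and the buffer limit can be exercised without a real message. */
int accepts_boundary_of_length(size_t n)
{
    char buf[301];
    if (n > 300) return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return boundary_accepted(buf);
}

/* Classify one body line against the delimiter "--<boundary>":
 * 0 = ordinary line, 1 = part delimiter, 2 = closing delimiter "--<boundary>--".
 * Trailing CR and linear whitespace are tolerated, as RFC 2046 permits. */
int classify_line(const char *delim, const char *line)
{
    size_t dlen = strlen(delim);
    if (strncmp(line, delim, dlen) != 0) return 0;
    const char *rest = line + dlen;
    int closing = (strncmp(rest, "--", 2) == 0);
    if (closing) rest += 2;
    while (*rest == ' ' || *rest == '\t') rest++;
    if (*rest != '\0' && *rest != '\r' && *rest != '\n') return 0;  /* "--frontierX" is not a delimiter */
    return closing ? 2 : 1;
}

/* Count the body parts separated by the boundary. Returns -1 when the boundary
 * is rejected, i.e. at the point where the unchecked version overran LineBuf. */
int count_parts(const char *boundary, const char *body)
{
    char *delim = build_boundary_line(boundary);
    if (delim == NULL) return -1;
    char *copy = strdup(body);                        /* strtok modifies its input */
    if (copy == NULL) { free(delim); return -1; }
    int parts = 0;
    for (char *l = strtok(copy, "\n"); l != NULL; l = strtok(NULL, "\n")) {
        int kind = classify_line(delim, l);
        if (kind == 1) parts++;
        else if (kind == 2) break;
    }
    free(copy);
    free(delim);
    return parts;
}

/* Constructed sample multipart body; not a captured message. */
static const char SAMPLE_BODY[] =
    "preamble, ignored\n"
    "--frontier\n" "Content-Type: text/plain\n" "\n" "first part\n"
    "--frontier\n" "Content-Type: text/plain\n" "\n" "second part\n"
    "--frontier--\n"
    "epilogue, ignored\n";

int main(void)
{
    printf("parts with boundary \"frontier\": %d\n", count_parts("frontier", SAMPLE_BODY));
    printf("70-char boundary accepted: %d\n", accepts_boundary_of_length(70));
    printf("200-char boundary accepted: %d\n", accepts_boundary_of_length(200));
    return 0;
}
```

The point of the two-stage check is that the decision to reject happens before any byte is written: once an over-long boundary has been copied into a heap buffer of fixed size, the chunk header after it is already gone, and whether glibc's _int_free() catches that (as it did here) or an attacker gets a controlled write first depends on allocator details that the parser should not be relying on.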
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
Severity set to `serious'.
Request was from Aníbal Monsalve Salazar <anibal@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#352482; Package metamail.
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
Source: metamail
Source-Version: 2.7-51
We believe that the bug you reported is fixed in the latest version of
metamail, which is due to be installed in the Debian FTP archive:
metamail_2.7-51.diff.gz
to pool/main/m/metamail/metamail_2.7-51.diff.gz
metamail_2.7-51.dsc
to pool/main/m/metamail/metamail_2.7-51.dsc
metamail_2.7-51_i386.deb
to pool/main/m/metamail/metamail_2.7-51_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 352482@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated metamail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 23 Feb 2006 09:17:36 +1100
Source: metamail
Binary: metamail
Architecture: source i386
Version: 2.7-51
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
metamail - implementation of MIME
Closes: 352482 353539
Changes:
metamail (2.7-51) unstable; urgency=high
.
* QA upload.
* Fixed "[CVE-2006-0709] crashes with very long boundaries in
messages", closes: #352482, #353539. Patch thanks to
Ulf Harnhammar <metaur@telia.com>.
Files:
48cdeddf6218467b783109a06159a9f8 597 mail optional metamail_2.7-51.dsc
8152ee3780223118a18e4d0969a6ddad 321763 mail optional metamail_2.7-51.diff.gz
477ec68982615ed2b72178ab4948c102 150530 mail optional metamail_2.7-51_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD/O1OipBneRiAKDwRAr3VAJ9d9vy4JYZ0B0EzP+mhkvOFq7gv/QCcDha+
tQh7uTB40WCJS6z+EqqIdUo=
=YHUq
-----END PGP SIGNATURE-----
Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility.
Notification sent to "Ulf Harnhammar" <metaur@operamail.com>:
Bug acknowledged by developer.
Source: metamail
Source-Version: 2.7-51
We believe that the bug you reported is fixed in the latest version of
metamail, which is due to be installed in the Debian FTP archive:
metamail_2.7-51.diff.gz
to pool/main/m/metamail/metamail_2.7-51.diff.gz
metamail_2.7-51.dsc
to pool/main/m/metamail/metamail_2.7-51.dsc
metamail_2.7-51_i386.deb
to pool/main/m/metamail/metamail_2.7-51_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 353539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated metamail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 07:28:01 GMT)