Summary: | mail-client/nmh 1.0.4 has buffer overrun on ill formatted email | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Seth Robertson <in-gentoo> | ||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | normal | CC: | aeriksson, net-mail+disabled | ||||||||
Priority: | High | ||||||||||
Version: | unspecified | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | C2 [glsa?] | ||||||||||
Package list: | Runtime testing required: | --- | |||||||||
Attachments: |
|
Description
Seth Robertson
2004-07-21 12:48:04 UTC
No confirmation from upstream yet. Please note that investigation of the nmh bug database suggests there has been no activity about submitted bugs since Sep 30, 2003 In other words, I'm not planning on holding my breath for word from upstream. net-mail herd, please confirm / fix / comment on this. Created attachment 36141 [details, diff]
proposed patch1
the reporter forgot to attched the patches, so I attached his/her patches that
he/she submitted to upstream.
Created attachment 36142 [details, diff]
proposed patch2
@security:
please take a look at the proposed patches and advise us which one is
preferred. TIA.
Seth, please attached a plaintext file foo.txt so that we can reproduce with `inc -file foo.txt`. OTH, mailutils provide mh utilities, can you try it to see if it works for you? Created attachment 36219 [details]
Example mbox which will dump core
Here is an example mailbox which will dump core on an unpatched system when
`inc -file sample`
I'll see if I cannot try mailutils "soon".
Seth, I can't reproduce this on my system (~x86. I don't have a x86 setup to test with.) May be someone else can confirm this bug. $ inc -file /tmp/sample.1 You already have the standard nmh directory "/home/langthang/Mail". Do you want to use it for nmh? y [Using existing directory] Incorporating new mail into inbox... 1+ 07/20 "Bounced mail" Returned mail: Data format error<<This is a mult 2 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF G 3 07/21 "PokerBook Info" Pokerbook Has Gone Public- Huge PR Campaign On I 4 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF G /tmp/sample.1 not zero'd $ emerge info Portage 2.0.51_pre13 (default-x86-2004.0, gcc-3.4.1, glibc-2.3.4.20040619-r0, 2.6.7-gentoo-r11 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz) ================================================================= System uname: 2.6.7-gentoo-r11 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz Gentoo Base System version 1.5.1 ccache version 2.3 [disabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.5-r1 Binutils: sys-devel/binutils-2.14.90.0.8-r1 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=pentium4 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=pentium4 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs cvs sandbox" GENTOO_MIRRORS="http://gentoo.oregonstate.edu" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.samerica.gentoo.org/gentoo-portage" USE="X acpi acpi4linux alsa apache2 apm autofs avi berkdb cdr cjk composite crypt cups directfb dnd dvd dvdr encode fam fbcon fbdev foomaticdb gdbm gif gnome gpm gstreamer gtk gtk2 guile imlib ipv6 java javascript jpeg kde libg++ libwww mad md5sum mikmod mmx motif mozilla mpeg mysql ncurses nls nptl oggvorbis oss pam pdflib perl png python qt quicktime readline samba sasl sdl slang spell sse ssl stroke svga tcltk tcpd truetype usb x86 xine xml xml2 xmms xosd xv xvid zlib" How interesting. Apparently you need to have a special line in .mh_profile I tried it with a virgin profile and did not have the problem. Adding the line had the problem reappear. Try this: echo "inc: -audit .FromList" >> ~/.mh_profile Let me know if you still cannot see the problem. Seth, bash-2.05b$ echo "inc: -audit .FromList" >> ~/.mh_profile bash-2.05b$ cat ~/.mh_profile Path: Mail inc: -audit .FromList bash-2.05b$ inc -file /tmp/sample.1 Incorporating new mail into inbox... 9+ 07/20 "Bounced mail" Returned mail: Data format error<<This is a mult 10 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF G 11 07/21 "PokerBook Info" Pokerbook Has Gone Public- Huge PR Campaign On I 12 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF G /tmp/sample.1 not zero'd Wierd. I went two other systems, one was a RedHat 7.x (no, I don't control it) running nmh 1.0.4 plus a different gentoo system and replicated the problem on both. Here is the other gentoo system which I was able to replicate the problem. Gentoo Base System version 1.4.16 Portage 2.0.50-r9 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.4.26-gentoo-r3) ================================================================= System uname: 2.4.26-gentoo-r3 i686 AMD Athlon(TM) XP 1800+ Autoconf: sys-devel/autoconf-2.59-r3 Automake: sys-devel/automake-1.8.3 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-mcpu=athlon-xp -O2 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -mcpu=i686 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache sandbox" GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.mirrors.pair.com/ ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://mirror.datapipe.net/gentoo http://mirrors.tds.net/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.mirrored.ca/" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.us.gentoo.org/gentoo-portage" USE="X aalib alsa apm arts avi berkdb cdr crypt cups encode esd foomaticdb gdbm gif gnome gpm gtk gtk2 imlib java jpeg kde libg++ libwww mad mikmod motif mozilla mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png postgres python qt quicktime readline sdl slang spell ssl svga tcltk tcpd tetex truetype x86 xml2 xmms xv zlib" OK. I tracked down the probable reason why you are not getting the coredump. I ran my test on yet *another* gentoo system and failed once more to get the crash. My investigation showed that the cause is that a stat of a newly created file on that system obtained a st_blksize of 131072 I was quite pleased to have the compile a debugging version of glibc in order to track down how this was getting set :-( oldimap root> stat /home/xxxx/Mail/inbox/9 File: `/home/xxxx/Mail/inbox/9' Size: 0 Blocks: 0 IO Block: 131072 regular empty file Device: 803h/2051d Inode: 395584 Links: 1 Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 500/ UNKNOWN) Access: 2004-07-26 18:58:24.373566456 -0400 Modify: 2004-07-26 18:58:24.373566456 -0400 Change: 2004-07-26 18:58:24.373566456 -0400 Whereas on the system which exhibited the coredump, the blocksize is 4K: not root> stat /home/xxxx/Mail/inbox/1 File: `/home/xxxx/Mail/inbox/1' Size: 53175 Blocks: 104 IO Block: 4096 regular file Device: 308h/776d Inode: 137573 Links: 1 Access: (0600/-rw-------) Uid: ( 512/ xxxx) Gid: ( 100/ users) Access: 2004-07-26 18:31:31.000000000 -0400 Modify: 2004-07-26 18:31:31.000000000 -0400 Change: 2004-07-26 18:31:31.000000000 -0400 This changing block size appears to be a "feature" of reiserfs as described in http://lwn.net/Articles/23001/ Thus you should be able to remount some filesystem to test this different blocksize. # This code should considerably speedup file appends in reiserfs, # given that callers would do than in large chunks. In order # to iincerease amount of applications that will do I/O in large # chunks, the "recommended i/o size" st_blksize field in result # returned by stat() is set to 128k. # There are some known-bad applications that break in this case # (ie. start to work very slow or even hang), particularly # kmail 3.04 (and earlier?) (consider upgrading to 3.1+) and # Berkeley DB seems to be at fault. # If you hit a slowdown problem that you believe is related to # increased "recommended i/o size", try to mount your fs with # nolargeio=1 mount option (remount should work too). # Of course in general you should better fix broken apps, not # disable this useful enchancement. For the record, these differences (-auditfile, st_blksize) almost certainly just adjust where the coredump would happen, and do not eliminate it. Also, inspection of the function in question should quickly convince you that it is indeed broken. I can reproduce this bug on an ext3 partition. Revision bump to nmh-1.0.4-r3 and stable on x86. Thanks. Sparc : please mark nmh-1.0.4-r3 stable x86 & sparc stable after langthang's fix of the missing vi sandbox violation. security: we need to determine if it is exploitable, and if we should issue a GLSA for it. I note that the data being overflowed can only consist of one character. Probably just "\n" for traditional unix style mailboxen, or ^A for MMDF style mailboxen. This would seemingly reduce the possibilities of an exploit, but I certainly will not guarentee anything--I have not studied all of the users of matchc() or tried to guess what might be near the buffer in memory. Can't reproduce here: > inc -file sample.1 Create folder "/home/plasmaroo/Mail/inbox"? y Incorporating new mail into inbox... 1+ 07/20 "Bounced mail" Returned mail: Data format error<<This is a multi-part message in MIME format. ------=_N 2 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF GEORGE TETE BILL AND EXCHANGE MANAGER, AF 3 07/21 "PokerBook Info" Pokerbook Has Gone Public- Huge PR Campaign On Its Way<<This is a multi-part message in 4 07/21 "Dr George Tete" FROM THE DESK OF GEORGE TETE<<FROM THE DESK OF GEORGE TETE BILL AND EXCHANGE MANAGER, A /home/plasmaroo/sample.1 not zero'd > stat Mail/inbox/4 File: `Mail/inbox/4' Size: 4135 Blocks: 16 IO Block: 4096 regular file Device: 901h/2305d Inode: 195507 Links: 1 Access: (0600/-rw-------) Uid: ( 1000/plasmaroo) Gid: ( 10/ wheel) Access: 2004-08-08 16:06:16.784586584 +0100 Modify: 2004-08-08 16:06:16.784586584 +0100 Change: 2004-08-08 16:06:16.784586584 +0100 > Can't reproduce here: > > inc -file sample.1 > Create folder "/home/plasmaroo/Mail/inbox"? y > Incorporating new mail into inbox... Hmm. I assume that you are using the older MH stuff. Did you have the -audit flag set? I believe you can put it on the command line as an alternate to the .mh_profile entry. echo "inc: -audit .FromList" >> ~/.mh_profile Closing withoug GLSA. Seems unlikely that this can be exploited. Feel free to reopen and provide information for a GLSA. |