Bug 36886 - Patch for MIME-tools
Summary: Patch for MIME-tools
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All  OS: All
Importance: High critical
Assignee: Gentoo Perl team
Depends on:
Blocks: 27861
Reported: 2003-12-31 06:35 UTC by Brett Simpson
Modified: 2011-10-30 22:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---

patch-roaring-pengiun (patch-roaring-pengiun,11.84 KB, patch)
2003-12-31 06:37 UTC, Brett Simpson
patch-roaring-pengiun (patch-roaring-pengiun,9.08 KB, patch)
2004-01-08 12:05 UTC, Brett Simpson

Description Brett Simpson 2003-12-31 06:35:30 UTC
This patch will correct MIME security problems as referenced here
Comment 1 Brett Simpson 2003-12-31 06:37:45 UTC
Created attachment 22911

--- /usr/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r2.ebuild       
2003-06-21 17:36:36.000000000 -0400
+++ /usr/local/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r4.ebuild 
2003-12-31 09:25:18.000000000 -0500
@@ -24,3 +24,10 @@
+	src_unpack() {
+	unpack ${A} || die
+	cd ${S}
+	epatch ${FILESDIR}/patch-roaring-pengiun
+	}
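Review bot: the whole added function, including `src_unpack() {` and the closing `}`, is indented one tab, so the body sits at the same level as the function header; ebuild style (and the objection raised in Comment 2) is the function at column 0 with the body indented one tab. Two smaller points in the same hunk: `cd ${S}` has no `|| die`, so a failed cd would run `epatch` in the wrong directory, and `epatch` comes from eutils.eclass, while the visible hunk (lines 24 onward) does not show the `inherit eutils` it depends on; the hunk header `@@ -24,3 +24,10 @@` also promises seven added lines but only five appear, so blank or context lines were dropped in extraction and the attached file should be checked rather than this rendering.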
Comment 2 solar (RETIRED) gentoo-dev 2004-01-07 16:41:10 UTC
This is a dirty patch! I do not like it as is.
Reason: indentation seems to be changed for no good reason.

dev-perl team please review or keep us posted on when an upstream version is available.
Comment 3 Brett Simpson 2004-01-08 12:05:43 UTC
Created attachment 23406

Sorry for submitting a dirty patch. I have cleaned it up, did an emerge test,
and tested it against MimeDefang.
Comment 4 solar (RETIRED) gentoo-dev 2004-01-08 12:53:11 UTC
Thank you. 
I'll try to round up one of our perl devs and get them to comment/review/merge.
Comment 5 Robert Coie (RETIRED) gentoo-dev 2004-01-08 13:48:39 UTC
This is a pretty large patch, and I can't be certain that it won't cause problems
for other uses of MIME-tools.  From looking at the securityfocus link, it may
be the case that when MIME-tools is used for virus scanning purposes, some spliced-up
virus might evade the scanner and affect other computers later.  I don't see a
situation where the security of the Gentoo machine is affected in any way, so I
wouldn't consider this a Gentoo security bug.  I would prefer to wait until these
patches are adopted upstream before applying them in Gentoo.
Comment 6 Robert Coie (RETIRED) gentoo-dev 2004-01-08 13:49:20 UTC
Marking LATER until decision made upstream.
Comment 7 Brett Simpson 2004-01-08 13:59:41 UTC
The security bug is when a malformed MIME attachment that only Outlook understands is sent via an email. When MIMEDefang or other programs try to look at the attachment with MIME-tools, it comes back as malformed and passes it on. When Outlook opens the email it processes the attachment, which in this case could be a virus.
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2004-01-08 14:06:39 UTC
Why hasn't this been reported on
Comment 9 David F. Skoll 2004-01-08 18:13:55 UTC
I am the author of the patch.  It's designed to make MIME-tools cope more "sensibly" with common types of malformed messages, where "sensibly" means to behave in such a way as to offer maximum protection for programs that make the "obvious" interpretation of malformed MIME.

The patch does not break any of the MIME::tools regression tests, and in over a year of widespread use, I haven't heard of any problems from this patch.
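The failure mode described in Comment 7 and the design goal stated in Comment 9 (behave so that programs making the "obvious" interpretation of malformed MIME are protected) come down to a parser differential: the scanner's parser gives up on a malformed message, finds no parts, and lets it through, while the recipient's client recovers the structure and opens the attachment. The following is an added example, not code from MIME-tools, MIMEDefang or the patch attached to this bug, and the bug does not record which malformations the patch addresses; Python's standard `email` parser stands in for MIME-tools, and the missing-boundary message is a constructed stand-in for the class of malformation. It shows the same scanner in three postures: fail-open (trust whatever the parser exposes), fail-closed (quarantine anything the parser flagged as defective), and recovery (infer the missing boundary from the body the way a lenient client would, then scan what that exposes). The file name, header values and the `scan_*` function names are all assumptions made for the example.

```python
"""Fail-open vs. fail-closed vs. recovering handling of malformed MIME.

Added example (not code from MIME-tools, MIMEDefang or the patch on this bug).
Python's email package stands in for the MIME parser a mail scanner would use.
"""
import re
import email
from email import policy
from email.message import EmailMessage

# Constructed malformed message: Content-Type says multipart/mixed but omits
# the boundary parameter, while the body still uses "--part1" delimiters.
# A strict parser sees one flat text body; a lenient client sees two parts.
MALFORMED = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed

--part1
Content-Type: text/plain

Please see the attached file.
--part1
Content-Type: application/octet-stream; name="evil.exe"
Content-Disposition: attachment; filename="evil.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--part1--
"""
# (the base64 above decodes to "not a real executable"; constructed payload)

# Same message with the boundary declared, and a plain message with no parts.
WELL_FORMED = MALFORMED.replace(
    b"multipart/mixed\n", b'multipart/mixed; boundary="part1"\n', 1)
CLEAN = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain

Hi there.
"""

BLOCKED_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed policy


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames of every part the parser actually exposes."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def has_defects(msg: EmailMessage) -> bool:
    """True if the parser recorded any structural defect on any part."""
    return any(p.defects for p in msg.walk())


def verdict(names: list[str]) -> str:
    return "block" if any(n.lower().endswith(BLOCKED_SUFFIXES) for n in names) else "pass"


def scan_fail_open(raw: bytes) -> str:
    """Trusts the parser: a malformed multipart shows no parts, so it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return verdict(attachment_names(msg))


def scan_fail_closed(raw: bytes) -> str:
    """Quarantines anything the parser could not make sense of."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "quarantine" if has_defects(msg) else verdict(attachment_names(msg))


# A delimiter line: "--" + boundary (RFC 2046 character set) + optional "--".
_DELIM = re.compile(rb"^--([0-9A-Za-z'()+_,\-./:=?]{1,70}?)(?:--)?[ \t]*\r?$", re.M)


def scan_with_recovery(raw: bytes) -> str:
    """Makes the 'obvious' interpretation a client would: if the boundary is
    missing, infer it from the first delimiter line in the body, re-parse, and
    scan the parts that become visible. Anything still defective is quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_maintype() == "multipart" and msg.get_boundary() is None:
        sep = re.search(rb"\r?\n\r?\n", raw)          # end of the header block
        m = _DELIM.search(raw[sep.end():]) if sep else None
        if m is None:
            return "quarantine"                       # claims multipart, no structure
        boundary = m.group(1)
        head = re.sub(rb"(?im)^(Content-Type:[ \t]*multipart/[^\r\n;]*)",
                      lambda h: h.group(1) + b'; boundary="' + boundary + b'"',
                      raw[:sep.start()], count=1)
        msg = email.message_from_bytes(head + raw[sep.start():], policy=policy.default)
    return "quarantine" if has_defects(msg) else verdict(attachment_names(msg))


if __name__ == "__main__":
    for name, raw in (("malformed", MALFORMED), ("well-formed", WELL_FORMED), ("clean", CLEAN)):
        print(name, scan_fail_open(raw), scan_fail_closed(raw), scan_with_recovery(raw))
```

Run stand-alone, the malformed message is the only one on which the three postures disagree: the fail-open scanner passes it, the fail-closed scanner quarantines it, and the recovering scanner finds `evil.exe` and blocks it. The fail-closed posture is the cheap fix for any scanner (never treat "unparseable" as "harmless"); the recovery posture is what a patch like the one on this bug aims at, letting the scanner see what the client will see, at the cost of having to agree with the client on how each malformation is repaired.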
Comment 10 David F. Skoll 2004-01-08 18:19:01 UTC
In response to Michael Cummings: "Why hasn't this been reported on"

I e-mailed the patch directly to the MIME-tools author.  He did not apply it, nor did he even respond.  He applied very similar changes to MIME-tools-6alpha, but for some reason is not backporting the patch to the stable 5.411a release.
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2005-07-18 03:17:53 UTC
(Cleaning up my resolve laters) - this patch went into the upstream version
after the release in question here.