reconstruct fails when some control characters are stored in a mail

Tue, 12 Jan 2016 06:13:33 -0800 

Hi all,

While analyzing some issue with the SOGo groupware, I also realized
reconstruct is behaving in a weird way. SOGo had problems with some mail
containing a vertical tab in the subject line, so I started messing
around with that line to create some minimal example for a bug report.

When I modified the mail on the server (for example, stripping the mail
to a reduced version with less meta data and content) and ran
reconstruct, the changed mail was correctly identified and the folder
was repaired:

$ reconstruct -r -R -f user.foo.TestControlCode
user.foo.TestControlCode uid 6 not found
user.foo.TestControlCode uid 7 found - adding
user.foo.TestControlCode

If I introduced some other characters (I tried the null byte and the EOT
control character), reconstruct does not realize those changes occured:

$ reconstruct -r -R -f user.foo.TestControlCode
user.foo.TestControlCode
$ echo $?
0

It did not crash, it did not return an error message, it just exited.
Sending such an e-mail through SMTP worked fine, so at least I was not
able to crash the IMAP server (or get any other undesired behavior) with
such a command. After changing the control character back to a vertical
tab and/or moving it to another location, the changes were recognized again.

I'm still not sure whether this could also affect other parts/tools,
maybe even stuff like quota calculation, and whether this might also
affect some control flows in a way that could be used to exploit/stall
the IMAP system.

We're running Cyrus IMAP 2.5.6 on Oracle Solaris 11; I guess that this
will also affect other systems. An example mail is included as an
attachment.

Kind regards from Lake Constance, Germany,
Jens Erat

-- 
Jens Erat
Universität Konstanz
Kommunikations-, Infomations-, Medienzentrum (KIM)
Abteilung Basisdienste
D-78457 Konstanz
Mail: jens.e...@uni-konstanz.de

Attachment: Subject with control character.eml
Description: application/extension-eml

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to