Package: maildrop
Version: 2.8.4-2
mailbot crashes on some malformed emails, trying to dereference a null
pointer:
$ printf 'From:0' | mailbot -A 'From: [email protected]' -t /dev/null -n
From: [email protected]
Precedence: junk
Auto-Submitted: auto-replied
Segmentation fault
$ sudo dmesg | tail -n1
[ 4423.786887] mailbot[931]: segfault at 8 ip 00000000f757bb06 sp 00000000ffe7f6f4 error 4 in libc-2.24.so[f74fd000+1b1000]
Backtrace:
#0 __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1 0x5660cc78 in mksalutation_cb (salutation_template=salutation_template@entry=0x5661874a "%F writes:", newsgroup=newsgroup@entry=0x56618f83 "", message_id=message_id@entry=0x56618f83 "", newsgroups=0x56618f83 "", sender_addr=0x56618efa "(no address given)", sender_name=0x0, date=0x0, subject=0x56c22948 "", callback_func=0x5660c170 <mksal_count>, callback_arg=0xffe7f7e0) at rfc2045reply.c:133
#2 0x5660d6b5 in mksalutation (charset=<optimized out>, subject=0x0, date=0x0, sender_name=0x0, sender_addr=0x56618efa "(no address given)", newsgroups=0x56618f83 "", message_id=0x56618f83 "", newsgroup=<optimized out>, salutation_template=<optimized out>) at rfc2045reply.c:191
#3 mkreply (ri=ri@entry=0xffe81950) at rfc2045reply.c:1136
#4 0x5660f3c7 in rfc2045_makereply (ri=0xffe81950) at rfc2045reply.c:231
#5 0x5660854c in main (argc=<optimized out>, argv=<optimized out>) at mailbot.c:1098
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
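The backtrace shows the mechanism: frame #1 enters mksalutation_cb with the template "%F writes:" and sender_name=0x0, and frame #0 is strlen(), so the salutation expander hands a NULL field to strlen() when the From: header carries no display name. The following is an added illustration of the defensive pattern, not maildrop's code: a template expander that maps every missing header field to the empty string before any string routine touches it, and that reports the full expansion length so truncation is detectable. The placeholder letters (%F, %A, %S), the struct and the function names are assumptions of this example, not mailbot's actual template syntax.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not maildrop's code. Header fields that the message did
 * not supply are represented as NULL, exactly the state seen in the
 * backtrace (sender_name=0x0, date=0x0). The placeholder letters below are
 * this example's own assumption about the template syntax. */
struct reply_fields {
    const char *sender_name;   /* NULL when From: has no display name */
    const char *sender_addr;   /* NULL when no address could be parsed */
    const char *subject;       /* NULL when there is no Subject: header */
};

/* Map a missing field to "", so strlen()/memcpy() never see NULL. */
static const char *or_empty(const char *s)
{
    return s ? s : "";
}

/* Expand %F (sender name), %A (sender address), %S (subject) and %% into
 * out[outsz]. Returns the length the full expansion needs (excluding the
 * NUL), snprintf-style, so a caller can detect truncation; the output is
 * always NUL-terminated when outsz > 0. */
size_t expand_salutation(const char *tmpl, const struct reply_fields *f,
                         char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *piece = one;
        if (*p == '%' && p[1] != '\0') {
            p++;
            switch (*p) {
            case 'F': piece = or_empty(f->sender_name); break;
            case 'A': piece = or_empty(f->sender_addr); break;
            case 'S': piece = or_empty(f->subject);     break;
            case '%': piece = "%";                      break;
            default:  one[0] = *p; piece = one;         break; /* unknown: keep char */
            }
        }
        size_t len = strlen(piece);          /* piece is never NULL here */
        if (outsz > 0 && n < outsz - 1) {
            size_t room = outsz - 1 - n;     /* bytes left before the NUL */
            memcpy(out + n, piece, len < room ? len : room);
        }
        n += len;
    }
    if (outsz > 0)
        out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

int main(void)
{
    /* Constructed input: the "From:0" case, a From: header with no display
     * name and no usable address. */
    struct reply_fields f = { NULL, "(no address given)", NULL };
    char buf[128];
    size_t need = expand_salutation("%F writes:", &f, buf, sizeof buf);
    printf("%zu bytes: \"%s\"\n", need, buf);   /* 8 bytes: " writes:" */
    return 0;
}
```

A caller that wants to reject rather than silently blank a missing field can check the struct members before calling the expander; the point of the example is that a template must not be the place where that decision is discovered by way of a fault.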
-- System Information:
Architecture: i386
Versions of packages maildrop depends on:
ii courier-authlib 0.68.0-4
ii libc6 2.24-17
ii libcourier-unicode1 1.4-3+b1
ii libgcc1 1:7.2.0-8
ii libgdbm3 1.8.3-14
ii libpcre3 2:8.39-5
ii libstdc++6 7.2.0-8
--
Jakub Wilk