Your message dated Tue, 3 Oct 2017 21:20:01 +0200
with message-id <[email protected]>
has caused the report #877108,
regarding maildrop: reformail: use-after-free in add_from_filter()
to be marked as having been forwarded to the upstream software
author(s) [email protected]

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
877108: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877108
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---

Hi Sam &co.,

I'm forwarding a bug report from the Debian bug tracking system:

On Thu, Sep 28, 2017 at 09:48:56PM +0200, Jakub Wilk wrote:
> Package: maildrop
> Version: 2.8.4-2
>
> When you run "reformail -f1" against a message with malformed Errors-To
> header, reformail uses memory that has been already freed:
>
> $ printf 'Errors-To:' | valgrind --quiet -- reformail -f1
> ==8668== Invalid read of size 1
> ==8668==    at 0x10BEEA: add_from_filter() (reformail.C:186)
> ==8668==    by 0x10B575: ReadLineAddHeader() (reformail.C:523)
> ==8668==    by 0x10C417: ReadLine() (reformail.C:664)
> ==8668==    by 0x10C78B: copy(int, char**, int) (reformail.C:721)
> ==8668==    by 0x1093A2: main (reformail.C:1214)
> ==8668==  Address 0x4c3e121 is 9 bytes inside a block of size 512 free'd
> ==8668==    at 0x482FE78: operator delete[](void*) (in
> /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==8668==    by 0x10BEE3: ~Buffer (buffer.h:25)
> ==8668==    by 0x10BEE3: add_from_filter() (reformail.C:188)
> ==8668==    by 0x10B575: ReadLineAddHeader() (reformail.C:523)
> ==8668==    by 0x10C417: ReadLine() (reformail.C:664)
> ==8668==    by 0x10C78B: copy(int, char**, int) (reformail.C:721)
> ==8668==    by 0x1093A2: main (reformail.C:1214)
> ==8668==  Block was alloc'd at
> ==8668==    at 0x482F00C: operator new[](unsigned int) (in
> /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==8668==    by 0x10D6D4: Buffer::append(int) (buffer.C:15)
> ==8668==    by 0x10BCE5: push (buffer.h:41)
> ==8668==    by 0x10BCE5: add_from_filter() (reformail.C:195)
> ==8668==    by 0x10B575: ReadLineAddHeader() (reformail.C:523)
> ==8668==    by 0x10C417: ReadLine() (reformail.C:664)
> ==8668==    by 0x10C78B: copy(int, char**, int) (reformail.C:721)
> ==8668==    by 0x1093A2: main (reformail.C:1214)
> ...
>
>
> Found using American Fuzzy Lop:
> http://lcamtuf.coredump.cx/afl/
>
> -- System Information:
> Architecture: i386
>
> Versions of packages maildrop depends on:
> ii  courier-authlib      0.68.0-4
> ii  libc6                2.24-17
> ii  libcourier-unicode1  1.4-3+b1
> ii  libgcc1              1:7.2.0-7
> ii  libgdbm3             1.8.3-14
> ii  libpcre3             2:8.39-5
> ii  libstdc++6           7.2.0-7
>
> -- 
> Jakub Wilk

-- 
2. That which causes joy or happiness.
--- End Message ---

