Re: imap mailbox killer

2000-09-01 Thread Branden Robinson
On Thu, Aug 31, 2000 at 10:35:40AM +0300, Juhapekka Tolvanen wrote:
> There might be bug in either Pine or IMAP(D) or both.

There is.  The license.  (See debian-legal.)

-- 
G. Branden Robinson |A committee is a life form with six or
Debian GNU/Linux|more legs and no brain.
[EMAIL PROTECTED]  |-- Robert Heinlein
http://www.debian.org/~branden/ |




Re: imap mailbox killer

2000-08-31 Thread Juhapekka Tolvanen
On Thu, 31 Aug 2000, +00:52:25 EEST (UTC +0300),
 Cristian Ionescu-Idbohrn [EMAIL PROTECTED] pressed these keys:

> Package: imap
> Version: 4.7c-1
>
> (Juhapekka Tolvanen's messages may be found on these mailing lists:
> debian-devel@lists.debian.org,debian-legal@lists.debian.org)
>
> Man, you got great headers on your messages!


Maybe the problem is caused by my X-Keywords-header, that serves as
spook line (Hello, NSA! :-) ). I shortened it.  Do you still have that
problem?

There might be bug in either Pine or IMAP(D) or both.

-- 
Juhapekka naula Tolvanen * * * U of Jyväskylä * * [EMAIL PROTECTED]
http://www.cc.jyu.fi/~juhtolv/index.html * STRAIGHT BUT NOT NARROW! 
-
so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything nine inch nails




Re: imap mailbox killer

2000-08-31 Thread Cristian Ionescu-Idbohrn

Sorry I couldn't answer your letters earlier. I had to repair my mailbox.
I also had to involve and help the system administrators to go through all
the IMAP mailboxes and filter out all the messages with suspect headers.

Looks better now, thanks.

I don't know much about the IMAP intrinsics, but here is the story of what
happened (coming from an uninitiated user ;-).

Looks like all boxes get an extra message inserted. It looks something
like this:

,-
| From MAILER-DAEMON  Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data [EMAIL PROTECTED]
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

I don't know if it's the IMAP daemon or the pine client who is responsible
for this.

One (or several) of Juhapekka message header entries, probably this:

,-
| X-Keywords: =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
|  =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
|  =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
|  =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-

caused the daemon (or the client) screw up the magic. I ended up with a
magic message looking like this:

,-
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data [EMAIL PROTECTED]
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: [EMAIL PROTECTED]
| X-IMAP: 0967646162 000339 =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

and a lot of NULL characters preceding a few (5-6) of the messages in some
boxes.

Hope this helps to find the problem.
There's definitely a BUG lurking somewhere.

Cheers,
Cristian

On Thu, 31 Aug 2000, Juhapekka Tolvanen wrote:

> On Thu, 31 Aug 2000, +00:52:25 EEST (UTC +0300),
>  Cristian Ionescu-Idbohrn [EMAIL PROTECTED] pressed these keys:
>
> > Package: imap
> > Version: 4.7c-1
> >
> > (Juhapekka Tolvanen's messages may be found on these mailing lists:
> > debian-devel@lists.debian.org,debian-legal@lists.debian.org)
> >
> > Man, you got great headers on your messages!
>
>
> Maybe the problem is caused by my X-Keywords-header, that serves as
> spook line (Hello, NSA! :-) ). I shortened it.  Do you still have that
> problem?
>
> There might be bug in either Pine or IMAP(D) or both.

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner




Re: imap mailbox killer

2000-08-31 Thread Paul Slootman
On Thu 31 Aug 2000, Cristian Ionescu-Idbohrn wrote:

> caused the daemon (or the client) screw up the magic. I ended up with a
> magic message looking like this:
>
> ,-
> | From MAILER-DAEMON Wed Aug 30 16:36:48 2000
> | Date: 30 Aug 2000 16:36:48 +0200
> | From: Mail System Internal Data [EMAIL PROTECTED]
> | Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> | Message-ID: [EMAIL PROTECTED]
> | X-IMAP: 0967646162 000339 =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
> | Status: RO
> |
> | This text is part of the internal format of your mail folder, and is not
> | a real message.  It is created automatically by the mail system software.
> | If deleted, important folder data will be lost, and it will be re-created
> | with the data reset to initial values.
> `-
>
> and a lot of NULL characters preceding a few (5-6) of the messages in some
> boxes.

Yuck. Smells like a serious buffer overflow somewhere.
This needs to be fixed fast.


Paul Slootman
-- 
home:   [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work:   [EMAIL PROTECTED]   http://www.murphy.nl/
debian: [EMAIL PROTECTED]  http://www.debian.org/
isdn4linux: [EMAIL PROTECTED]   http://www.isdn4linux.de/




Re: imap mailbox killer

2000-08-31 Thread Paul Slootman
Package: imap
Version: 4.7c-1
Severity: important

On Thu 31 Aug 2000, Paul Slootman wrote:

> Yuck. Smells like a serious buffer overflow somewhere.

Upon a quick glance, there indeed appears to be no checks at all
for buffer overflows. A buf of 8k is allocated into which the
From:, Status:, X-Status, and X-Keywords: headers are placed,
with simple 

sprintf (buf + strlen (buf),...

commands. So having extremely long X-Keywords in mail messages
will screw things up. Double yuck.

This is in imap-4.7c/src/osdep/unix/unix.c BTW.

See the original message and the accompanying thread in debian-devel,
archive/latest/67244 , Message-ID [EMAIL PROTECTED] from
Cristian Ionescu-Idbohrn [EMAIL PROTECTED]


Paul Slootman
-- 
home:   [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work:   [EMAIL PROTECTED]   http://www.murphy.nl/
debian: [EMAIL PROTECTED]  http://www.debian.org/
isdn4linux: [EMAIL PROTECTED]   http://www.isdn4linux.de/




Re: imap mailbox killer

2000-08-31 Thread Buddha Buck
> Package: imap
> Version: 4.7c-1
> Severity: important
>
> On Thu 31 Aug 2000, Paul Slootman wrote:
>
> > Yuck. Smells like a serious buffer overflow somewhere.
>
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
>   sprintf (buf + strlen (buf),...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID [EMAIL PROTECTED] from
> Cristian Ionescu-Idbohrn [EMAIL PROTECTED]

This definitely needs to be passed upstream...  My mailbox was screwed 
up as well, and I get my mail from a Solaris box, not a Debian one.

 
 
> Paul Slootman
> -- 
> home:   [EMAIL PROTECTED] http://www.wurtel.demon.nl/
> work:   [EMAIL PROTECTED]   http://www.murphy.nl/
> debian: [EMAIL PROTECTED]  http://www.debian.org/
> isdn4linux: [EMAIL PROTECTED]   http://www.isdn4linux.de/
 
 
 

-- 
 Buddha Buck [EMAIL PROTECTED]
Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacophony of the unfettered speech
the First Amendment protects.  -- A.L.A. v. U.S. Dept. of Justice





Re: imap mailbox killer

2000-08-31 Thread Jules Bean
On Thu, Aug 31, 2000 at 07:32:17AM -0400, Buddha Buck wrote:
> > commands. So having extremely long X-Keywords in mail messages
> > will screw things up. Double yuck.
> >
> > This is in imap-4.7c/src/osdep/unix/unix.c BTW.
> >
> > See the original message and the accompanying thread in debian-devel,
> > archive/latest/67244 , Message-ID [EMAIL PROTECTED] from
> > Cristian Ionescu-Idbohrn [EMAIL PROTECTED]
>
> This definitely needs to be passed upstream...  My mailbox was screwed 
> up as well, and I get my mail from a Solaris box, not a Debian one.

My mailbox didn't get screwed up (thank god..) but I did get some very
confused messages from Mutt. I thought mutt was at fault, but evidently
it was imapd...

Jules




Re: imap mailbox killer

2000-08-31 Thread Buddha Buck
At 08:21 AM 8/31/00 -0400, Richard A Nelson wrote:
> On Thu, 31 Aug 2000, Juhapekka Tolvanen wrote:
>
> > There might be bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP

I don't use pine or imap, but the school hosting my mailbox uses imap.

The behavior I saw:

Using POP to copy new mail to my workstation at work (running Eudora) 
seemed to cause ipop3d to crash without properly cleaning up -- $MAIL.lock 
still around, messages not marked as old, etc.  Telnetting in, and mucking 
around in $MAIL by hand revealed the messages preceded by nulls.  Elm read 
the mailbox fine, but treated the messages preceded by nulls as 
continuations of the previous messages.  Eudora, getting the messages from 
POP3, also read the messages fine, but again with the broken messages 
tacked on to the preceding messages.  Manually deleting the nulls wasn't a 
reliable way to fix the problem.

My school uses imap, but I didn't -directly- invoke it in this process.  It 
may have been invoked by their mailer behind the scenes, though.





Re: imap mailbox killer

2000-08-31 Thread Jaldhar H. Vyas
[Please Cc [EMAIL PROTECTED] on any replies to this thread.]

On Thu, 31 Aug 2000, Buddha Buck wrote:

> I don't use pine or imap, but the school hosting my mailbox uses imap.
>
> The behavior I saw:
>
> Using POP to copy new mail to my workstation at work (running Eudora) 
> seemed to cause ipop3d to crash without properly cleaning up -- $MAIL.lock 
> still around, messages not marked as old, etc.  Telnetting in, and mucking 
> around in $MAIL by hand revealed the messages preceded by nulls.  Elm read 
> the mailbox fine, but treated the messages preceded by nulls as 
> continuations of the previous messages.  Eudora, getting the messages from 
> POP3, also read the messages fine, but again with the broken messages 
> tacked on to the preceding messages.  Manually deleting the nulls wasn't a 
> reliable way to fix the problem.
 

Thanks for the description, I found it very useful.


> My school uses imap, but I didn't -directly- invoke it in this process.  It 
> may have been invoked by their mailer behind the scenes, though.
 

Not necessarily.  However ipop3d and imapd both use the c-client library
for all the mail handling routines.  That's where the bug is so both would
have been affected.

-- 
Jaldhar H. Vyas [EMAIL PROTECTED]





Re: imap mailbox killer

2000-08-31 Thread Jaldhar H. Vyas
[Please Cc [EMAIL PROTECTED] on any replies to this thread.]

On Thu, 31 Aug 2000, Richard A Nelson wrote:

> > There might be bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP
 

Pine also uses libc-client which is where the bug is.

-- 
Jaldhar H. Vyas [EMAIL PROTECTED]
 




Re: imap mailbox killer

2000-08-31 Thread Cristian Ionescu-Idbohrn

Funny side effect of the bug, here is the new magic message in my
mailbox :-)

Check out the X-IMAP: entry:

,-
| From MAILER-DAEMON Thu Aug 31 17:15:15 2000
| Date: 31 Aug 2000 17:15:15 +0200
| From: Mail System Internal Data [EMAIL PROTECTED]
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: [EMAIL PROTECTED]
| X-IMAP: 0967708347 84 lesbo, homo, lesbian, anarchism, nazi, communism,  CIA, bomb, nuclear, Semtex, satan, traitor, pedophile
| Status: RO
| 
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

Cheers,
Cristian

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner




Re: imap mailbox killer

2000-08-31 Thread Jaldhar H. Vyas
On Thu, 31 Aug 2000, Paul Slootman wrote:

> On Thu 31 Aug 2000, Paul Slootman wrote:
>
> > Yuck. Smells like a serious buffer overflow somewhere.
>
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
>   sprintf (buf + strlen (buf),...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID [EMAIL PROTECTED] from
> Cristian Ionescu-Idbohrn [EMAIL PROTECTED]
 

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3).  This is
only the tip of the iceberg however.  There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd.  The report was about a mile long :(

Oddly enough I read that message and wasn't affected even though I use
pine 4.21 and imapd.

-- 
Jaldhar H. Vyas [EMAIL PROTECTED]
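
Added example, not part of the thread and not the patch that was applied to unix.c: a bounded form of the `sprintf (buf + strlen (buf),...` append pattern Paul Slootman describes, in the spirit of the snprintf(3) change mentioned above. The names `hdr_append`, `build_status_headers` and `HDR_BUF_SIZE` are hypothetical; the point shown is that the size passed to each call must be the space remaining, and that a return value at or above that size means the header was truncated.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define HDR_BUF_SIZE 8192   /* the 8k buffer mentioned in the thread */

/* Pattern quoted in the thread, for contrast (no bound on the write):
 *     sprintf (buf + strlen (buf), "X-Keywords: %s\n", keywords);   */

/* Hypothetical helper: append formatted text at offset *used without ever
 * writing past cap bytes. Returns 0 on success, -1 if the text did not fit;
 * on failure the buffer keeps its previous, NUL-terminated contents. */
static int hdr_append(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*used >= cap) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    /* vsnprintf returns the length it wanted to write, so a value at or
     * above the remaining space means the output was cut short. */
    if (n < 0 || (size_t)n >= cap - *used) {
        buf[*used] = '\0';          /* drop the partial header */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Hypothetical stand-in for the header-writing step: returns the number of
 * bytes written, or -1 instead of overflowing when a header is too long. */
static int build_status_headers(char *buf, size_t cap, const char *status,
                                const char *xstatus, const char *keywords)
{
    size_t used = 0;

    if (cap == 0) return -1;
    buf[0] = '\0';
    if (hdr_append(buf, cap, &used, "Status: %s\n", status)) return -1;
    if (hdr_append(buf, cap, &used, "X-Status: %s\n", xstatus)) return -1;
    if (hdr_append(buf, cap, &used, "X-Keywords: %s\n", keywords)) return -1;
    return (int)used;
}

int main(void) {
    char buf[HDR_BUF_SIZE];   /* constructed sample values below */
    return build_status_headers(buf, sizeof buf, "RO", "", "one, two") < 0;
}
```

A caller that gets -1 still has to decide what to do with the oversized header (reject the message, or write the header out in pieces); silently dropping it changes the mailbox contents.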






imap mailbox killer

2000-08-30 Thread Cristian Ionescu-Idbohrn
Package: imap
Version: 4.7c-1

(Juhapekka Tolvanen's messages may be found on these mailing lists:
debian-devel@lists.debian.org,debian-legal@lists.debian.org)

Man, you got great headers on your messages!

I don't know if it was your intention, but you managed to totally screw
up my inbox (no hard feelings)!

The IMAP daemon went crazy trying to make sense of that box and put its
holy counts on the

  Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA.

Is this a security hole?

Anybody else suffering from it?

Cristian

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner




Re: imap mailbox killer

2000-08-30 Thread Christopher C. Chimelis

I had the same problem...I had to manually edit the messages after
reading them.

On Wed, 30 Aug 2000, Cristian Ionescu-Idbohrn wrote:

> Package: imap
> Version: 4.7c-1
>
> (Juhapekka Tolvanen's messages may be found on these mailing lists:
> debian-devel@lists.debian.org,debian-legal@lists.debian.org)
>
> Man, you got great headers on your messages!
>
> I don't know if it was your intention, but you managed to totally screw
> up my inbox (no hard feelings)!
>
> The IMAP daemon went crazy trying to make sense of that box and put its
> holy counts on the
>
>   Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA.
>
> Is this a security hole?
>
> Anybody else suffering from it?
>
> Cristian
>
> --
> I respect faith, but doubt is what gets you an education. -- Wilson Mizner
 
 