[Bug 290901] Re: [SRU] for broken header parser
** Changed in: dovecot (Ubuntu) Status: In Progress = Fix Released -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance! ** Tags added: verification-needed -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
Debdiff available at: http://launchpadlibrarian.net/19445106/dovecot_1%3A1.1.4-0ubuntu1_1%3A1.1.4-0ubuntu1.1.diff.gz -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
Removed from -proposed on Kees' request: 2008-11-07 16:07:52 INFORemoving candidates: 2008-11-07 16:07:52 INFOdovecot 1:1.1.4-0ubuntu1.1 in intrepid 2008-11-07 16:07:52 INFOdovecot-common 1:1.1.4-0ubuntu1.1 in intrepid lpia 2008-11-07 16:07:52 INFOdovecot-dev 1:1.1.4-0ubuntu1.1 in intrepid lpia 2008-11-07 16:07:52 INFOdovecot-imapd 1:1.1.4-0ubuntu1.1 in intrepid lpia 2008-11-07 16:07:52 INFOdovecot-pop3d 1:1.1.4-0ubuntu1.1 in intrepid lpia 2008-11-07 16:07:52 INFORemoved-by: Martin Pitt 2008-11-07 16:07:52 INFOComment: handled as security update 2008-11-07 16:07:52 INFO5 packages successfully removed. Security team, please reupload through -security. ** Changed in: dovecot (Ubuntu Intrepid) Status: Fix Committed = In Progress -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
** Changed in: dovecot (Ubuntu) Assignee: (unassigned) = Mathias Gug (mathiaz) Status: New = In Progress -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-4907 -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
This has been published: http://www.ubuntu.com/usn/USN-666-1 ** Changed in: dovecot (Ubuntu Intrepid) Status: In Progress = Fix Released -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 290901] Re: [SRU] for broken header parser
I've attached a python script that triggers the problem. ** Summary changed: - Update to 1.1.6 - important fix for broken header parser + [SRU] for broken header parser ** Description changed: Dovecot 1.1.6 has just be released fixing an important bug: The invalid message address parsing bug is pretty important since it allows a remote user to send broken mail headers and prevent the recipient from accessing the mailbox afterwards, because the process will always just crash trying to parse the header. This is assuming that the IMAP client uses FETCH ENVELOPE command, not all do. Note that it doesn't affect versions older than v1.1.4. + dovecot -n and -a now prints some system information at the top. + More error/debug message logging improvements. - pop3-login: Fixed assert-crash if a client sent USER+PASS+USER+PASS commands in the same IP packet. - Parsing an invalid message address like From: ( caused an assert-crash in v1.1.4 and v1.1.5. - Folding whitespace wasn't handled correctly inside quoted-strings, causing some messages to be parsed incorrectly. - mbox: Fixed saving messages that begin with a valid From_-line. Only intrepid is affected. + + SRU Process + + + Impact + - + As stated in the release notes: + + allows a remote user to send broken mail headers and prevent the + recipient from accessing the mailbox afterwards, because the process + will always just crash trying to parse the header. This is assuming that + the IMAP client uses FETCH ENVELOPE command, not all do. + + Patch + + + One line patch taken from the upstream repository: + http://hg.dovecot.org/dovecot-1.1/raw-rev/48840b2d4b18 + + --- a/src/lib-mail/message-address.c Thu Oct 23 18:58:22 2008 +0300 + +++ b/src/lib-mail/message-address.c Fri Oct 24 01:56:13 2008 +0300 + @@ -314,8 +314,7 @@ message_address_parse_real(pool_t pool, + ctx.str = t_str_new(128); + ctx.fill_missing = fill_missing; + + - ret = rfc822_skip_lwsp(ctx.parser); + - if (ret == 0) { + + if (rfc822_skip_lwsp(ctx.parser) = 0) { + /* no addresses */ + return NULL; + } + + How-to reproduce the bug + - + Send an email with a From header starting with a ( and that doesn't have a ). Issue a FETCH ENVELOPE command. + Expected result: + Headers containing the envolope of the message. + Actual result: + The imap server closes the connection. There is an assertion failure in the log on the server. + + The qa-regression-testing dovecot script has been updated with a test case to cover this bug: + http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/228 ** Attachment added: test_imap.py http://launchpadlibrarian.net/19444857/test_imap.py ** Changed in: dovecot (Ubuntu Intrepid) Assignee: (unassigned) = Mathias Gug (mathiaz) Status: New = Fix Committed -- [SRU] for broken header parser https://bugs.launchpad.net/bugs/290901 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs