Bug 50320 (CVE-2004-0153)

Summary: VUL-0: CVE-2004-0153: emil: buffer overflow and format-string bugs
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Thomas Biege <thomas>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0153: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: emil-stuffs.zip
patchinfo-box.emil

Description Thomas Biege 2004-03-04 16:01:23 UTC 
Hello Andreas, 
the following was posted to us: 
Date: Wed,  3 Mar 2004 16:42:04 +0100 
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se> 
To: team@security.debian.org 
Cc: steve@steve.org.uk, security@suse.de 
Subject: [security@suse.de] Emil buffer overflows and format string bugs 
Parts/Attachments: 
   1 Shown    ~32 lines  Text 
   2          3.6 KB     Application 
---------------------------------------- 
 
Here's another unpublished security vulnerability. 
 
 
Emil buffer overflows and format string bugs 
============================================ 
 
"Emil v2 is a filter for converting Internet Messages. It supports 
three basic formats: MIME, SUN Mailtool and plain old style RFC822." 
The usual setup is that sendmail or procmail pipe messages from 
the network to the program. Emil is vulnerable to some security 
problems in Debian stable, testing and unstable, as well as in SUSE 
Linux 9.0, 8.2 and possibly older versions of SUSE. 
 
testmail1 and run1.sh give an example of a buffer overflow that 
occurs when converting files with long filenames from MIME to 
uuencode. 
 
testmail2 and run2.sh show a buffer overflow that occurs when 
parsing uuencoded files with long filenames. 
 
testmail3 and run3.sh show a buffer overflow that occurs when 
converting SUN Mailtool files with long filenames to MIME. 
 
There are also some obscure format string bugs that's been fixed 
for completeness' sake. 
 
emil.patch corrects all issues above. It's diff'ed against the 
upstream version 2.1.0-beta9. 
 
 
// Ulf Harnhammar 
 
    [ Part 2, Application/OCTET-STREAM (Name: "emil-stuffs.zip")  4.9KB. ] 
    [ Cannot display this part. Press "V" then "S" to save in a file. ]
Comment 1 Thomas Biege 2004-03-04 16:01:23 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2004-03-04 16:02:23 UTC 
Created attachment 16351 [details]
emil-stuffs.zip
Comment 3 Thomas Biege 2004-03-04 16:06:40 UTC 
Note for me: 
Please use CAN-2004-0152 to refer to the buffer overflows, and 
CAN-2004-0153 to refer to the format string bugs.
Comment 4 Thomas Biege 2004-03-04 16:23:50 UTC 
Created attachment 16352 [details]
patchinfo-box.emil
Comment 5 Thomas Biege 2004-03-05 18:51:18 UTC 
CDR: 24th of March, 14:00 MET
Comment 6 Andreas Schwab 2004-03-05 22:00:12 UTC 
Submitted.
Comment 7 Thomas Biege 2004-03-15 19:15:10 UTC 
reassigned for tracking.
Comment 8 Thomas Biege 2004-03-24 20:04:48 UTC 
packages approved
Comment 9 Thomas Biege 2009-10-13 20:16:43 UTC 
CVE-2004-0153: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)