Bug 72801 (CVE-2005-0667)

Summary: VUL-0: CVE-2005-0667: "buffer overflow" in sylpheed
Product: [Novell Products] SUSE Security Incidents
Reporter: Masaji Takeyama <takezou040728>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: didge, mls, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: SuSE Pro 9.2
Whiteboard: CVE-2005-0667: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sylpheed-claws-0.9.12-mimedecoding-sec.diff
sylpheed-claws-0.9.12-mimedecoding-sec.diff
sylpheed-claws-0.9.12-mimedecoding-sec.diff
sylpheed-claws-0.9.12-mimedecoding-sec2.diff
sylpheed-0.9.4claws-mimedecoding-sec.diff
sylpheed-0.8.10claws-mimedecoding-sec.diff
sylpheed-claws-0.9.10-mimedecoding-sec.diff
patch for the missing hunks to unmime.{c,h}, codeconv.c

Description Masaji Takeyama 2005-03-15 10:45:43 UTC
The weakness was discovered in sylpheed version 1.0.2 or less.
# Fixed in 1.0.3 (stable version) of sylpheed.

It is strongly recommended to upgrade to 1.0.3 or later.

Please refer to following URL:
http://sylpheed.good-day.net/index.cgi.en


I think that the same weakness exists, though I checked
sylpheed-claws-0.9.12-3.1.src.rpm (SUSE 9.2).
# I think that SUSE 9.1, SUSE 9.0, SUSE 8.2, and SUSE 8.1 are affected.
Comment 1 Marcus Meissner 2005-03-15 13:13:44 UTC
*** Bug 72803 has been marked as a duplicate of this bug. ***
Comment 2 Masaji Takeyama 2005-03-16 09:44:57 UTC
Sorry, it's my fault.
When I pushed the reload button in a web browser, it was created twice.
Comment 3 Masaji Takeyama 2005-03-16 10:02:08 UTC
This weakness exists in the following files. (sylpheed-claws-0.9.12-3.1.src.rpm)
# src/codeconv.c, src/codeconv.h, src/compose.c, src/procmime.c

$ cd /usr/src/packages/BUILD/sylpheed-claws-0.9.12/src;
$ grep conv_unmime_header_overwrite *;

codeconv.c:void conv_unmime_header_overwrite(gchar *str)

codeconv.h:void conv_unmime_header_overwrite    (gchar          *str);

compose.c:              conv_unmime_header_overwrite(hentry[H_REPLY_TO].body);
compose.c:              conv_unmime_header_overwrite(hentry[H_CC].body);
compose.c:                      conv_unmime_header_overwrite(hentry[H_BCC].body);
compose.c:              conv_unmime_header_overwrite(hentry[H_NEWSGROUPS].body);
compose.c:              conv_unmime_header_overwrite(hentry[H_FOLLOWUP_TO].body);

procmime.c:             conv_unmime_header_overwrite(hentry[0].body);
procmime.c:             conv_unmime_header_overwrite(hentry[2].body);
procmime.c:             conv_unmime_header_overwrite(hentry[4].body);
procmime.c:                            conv_unmime_header_overwrite(hentry[0].body);
procmime.c:                            conv_unmime_header_overwrite(hentry[2].body);
procmime.c:                            conv_unmime_header_overwrite(hentry[4].body);


P.S.
conv_unmime_header_overwrite() is not used in sylpheed-claws-1.0.3 (source
code).
# fixed in sylpheed-claws-1.0.3
Comment 4 Ludwig Nussel 2005-03-18 12:34:25 UTC
Jens please respond. This is a serious vulnerability. CAN-2005-0667 
Comment 5 Ludwig Nussel 2005-03-22 09:07:06 UTC
Mads I'll reassign to you, we need someone to take care of that package. 
Comment 6 Mads Martin Joergensen 2005-03-22 10:13:29 UTC
So, security-team. I'll do the update for 9.3, so we ship a fixed one.

But you have to help me with the updates for older dists.
Comment 7 Mads Martin Joergensen 2005-03-22 11:24:32 UTC
Ok, 1.0.3 is now in 9.3.
Comment 8 Thomas Biege 2005-03-22 11:25:37 UTC
I'll make the patches. 
Comment 9 Mads Martin Joergensen 2005-03-22 11:28:31 UTC
Hendrik Norman Vogelsang will do the 8.2 -> 9.2 updates. At least there are
no SLES updates.
Comment 10 Thomas Biege 2005-03-23 08:51:19 UTC
> Do you have a testcase for me to trigger the bug? 
 
Put the following string to Reply-To: header of a message, and try to 
reply to it. 
 
=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5 
+vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?= 
 
It only occurs at the multi-byte locale encodings such as EUC-JP or 
UTF-8. So try with LANG=en_US.UTF-8 etc. 
Comment 11 Thomas Biege 2005-03-23 10:46:14 UTC
Created attachment 32650 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

used this patch to test a 9.2 package as described above. sylpheed does not
crash.
Comment 12 Thomas Biege 2005-03-23 11:01:00 UTC
Uhm, messed up the testcase. Patch still does not fix the problem. 
Comment 13 Thomas Biege 2005-03-23 11:01:27 UTC
mail -R 
"=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?=" 
-s "test" <test account> 
Comment 14 Thomas Biege 2005-03-23 14:07:48 UTC
Created attachment 32677 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

this one looks better
Comment 15 Thomas Biege 2005-03-24 11:24:54 UTC
talked with the author. there seem to be other bugs (he released 1.0.4) but 
the 9.2 patch fixed them already. I'll verify this today. 
My 9.2 patch seems to remove the last char.. will check this too. 
 
Can we update sylpheed to 1.0.4 on 9.3? 
Comment 16 Thomas Biege 2005-03-24 12:45:49 UTC
Created attachment 32741 [details]
sylpheed-claws-0.9.12-mimedecoding-sec.diff

this is the (stripped) official patch from the author.
difference:
- fix in procmime.c that seems useless (just copies one more byte)
- copies a limited number of chars into outp of unmime_header() even if the
complete string does not fit

some patch code is just for newer versions (like smtp.c)

open issue: verify procmime patches
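As an added example (not sylpheed code and not any of the patches attached here) of the mechanism comment 10 describes and the bounded copy comment 16 argues for: a decoder for a =?ISO-8859-1?B?...?= encoded word that converts to UTF-8 and refuses to write past its output buffer; since every Latin-1 byte above 0x7F becomes two UTF-8 bytes, it also shows why decoding in place into the original header buffer can overflow it. The function names, the sample string and the buffer sizes are assumptions of this example.

```c
#include <string.h>

/* Added example (not sylpheed code): decode one =?ISO-8859-1?B?...?= word to
 * UTF-8 without writing past outlen; like snprintf, the return value is the
 * length the full result needs (so truncation is detectable), -1 if malformed. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

int unmime_latin1_b(const char *in, char *out, size_t outlen) {
    static const char pfx[] = "=?ISO-8859-1?B?";
    size_t wrote = 0, need = 0;
    unsigned acc = 0; int bits = 0;
    const char *p;
    if (outlen == 0 || strncmp(in, pfx, sizeof pfx - 1) != 0) return -1;
    for (p = in + sizeof pfx - 1; *p && *p != '?'; p++) {
        int v = b64val((unsigned char)*p);
        if (*p == '=') continue;                       /* base64 padding */
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8) {
            unsigned char b = (unsigned char)(acc >> (bits -= 8));
            size_t n = b < 0x80 ? 1 : 2;   /* Latin-1 >= 0x80 becomes 2 bytes */
            if (wrote + n < outlen) {      /* emit only if it and the NUL fit */
                out[wrote] = (char)(n == 1 ? b : 0xC0 | (b >> 6));
                if (n == 2) out[wrote + 1] = (char)(0x80 | (b & 0x3F));
                wrote += n;
            }
            need += n;                     /* always count what a full decode needs */
            acc &= (1u << bits) - 1;
        }
    }
    if (strcmp(p, "?=") != 0) return -1;               /* word must end in ?= */
    out[wrote] = '\0';
    return (int)need;
}

/* Models the in-place decode of conv_unmime_header_overwrite(): 1 if the UTF-8
 * result is longer than the encoded header buffer it would be written into. */
int overwrite_would_overflow(const char *hdr) {
    char probe[1];
    int need = unmime_latin1_b(hdr, probe, sizeof probe);
    return need < 0 ? -1 : need > (int)strlen(hdr);
}

#define R4 "5vjl5vjl5vjl5vjl"   /* constructed: 36 repeats, shape of the comment 13 string */
const char SAMPLE_LONG[] = "=?ISO-8859-1?B?" R4 R4 R4 R4 R4 R4 R4 R4 R4 "?=";
char demo_out[8];
```

The 161-byte sample decodes to 216 bytes of UTF-8, which is exactly the case an in-place overwrite cannot hold; a pure-ASCII word such as =?ISO-8859-1?B?aGVsbG8=?= always shrinks and never triggers it.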
Comment 17 Thomas Biege 2005-03-29 08:06:58 UTC
Better use the author's patch... it does take more care about converted
chars. :)
Comment 18 Thomas Biege 2005-03-29 09:33:56 UTC
Testcase: 
- send mail 
        echo "reply to me" | mail -R 
        "=?ISO-8859-1?B?5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl5vjl?="
        -s "test" <test account> 
 
- open shell 
        - do "export LANG=en_US.UTF-8" 
        - start sylpheed in shell 
        - receive this mail 
        - click "reply" 
 
 
Comment 19 Hendrik Vogelsang 2005-03-30 10:46:07 UTC
please have a look at <= 9.0. the hunk for src/procmime.c fails. it is handled
differently there.
Comment 20 Thomas Biege 2005-03-30 14:29:42 UTC
I will have a look tomorrow. 
Comment 21 Thomas Biege 2005-03-31 07:48:28 UTC
Created attachment 32961 [details]
sylpheed-claws-0.9.12-mimedecoding-sec2.diff

merged diff for > 9.0
Comment 22 Thomas Biege 2005-03-31 08:51:47 UTC
Created attachment 32965 [details]
sylpheed-0.9.4claws-mimedecoding-sec.diff

untested
Comment 23 Thomas Biege 2005-03-31 09:25:37 UTC
Created attachment 32969 [details]
sylpheed-0.8.10claws-mimedecoding-sec.diff

untested
Comment 24 Hendrik Vogelsang 2005-03-31 13:26:33 UTC
sorry in 9.1 procmime.c is also totally different. 
Comment 25 Thomas Biege 2005-03-31 14:35:49 UTC
Created attachment 32979 [details]
sylpheed-claws-0.9.10-mimedecoding-sec.diff

untested
Comment 26 Hendrik Vogelsang 2005-04-04 13:11:54 UTC
submitted
Comment 27 Thomas Biege 2005-04-04 14:48:54 UTC
thx 
Comment 28 Thomas Biege 2005-04-04 14:54:49 UTC
 SM-Tracker-813 
Comment 29 Thomas Biege 2005-04-04 15:05:16 UTC
swamp id canceled b/c of box-only package 
 
Comment 30 Thomas Biege 2005-04-04 15:05:58 UTC
sylpheed.patch.box 
sylpheed-claws.patch.box 
Comment 31 Marcus Meissner 2005-04-04 15:15:05 UTC
note that box patchinfos need valid running swampids too. i have reinstated 
the old one. 
Comment 32 Michael Schröder 2005-04-07 16:17:17 UTC
We still need packages for SL9.3... 
Comment 33 Hendrik Vogelsang 2005-04-08 09:03:40 UTC
erm no. see comment #9

mmj you did update 9.3 or?
Comment 34 Marcus Meissner 2005-04-08 09:05:56 UTC
only partially up to 1.0.3 ... more fixes were added after that... 
Comment 35 Mads Martin Joergensen 2005-04-08 09:06:55 UTC
Yes, I updated it to 1.0.3, but didn't add any subsequent things. It got
in after RC1
Comment 36 Mads Martin Joergensen 2005-04-08 09:14:48 UTC
This is not even my package. I only did that update to help out--I don't want
to get stuck with this shit now.
Comment 37 Thomas Biege 2005-04-08 12:12:28 UTC
Reassigned to Hendrik. 
Comment 38 Ludwig Nussel 2005-04-08 13:05:08 UTC
The actual maintainer obviously doesn't care. If no one else wants to take
sylpheed we should drop it so we finally get rid of it in two years.
Comment 39 Hendrik Vogelsang 2005-04-08 14:53:41 UTC
hm did anyone ask the maintainer? I don't see him included here...
Comment 40 Hendrik Vogelsang 2005-04-08 16:09:53 UTC
Created attachment 33475 [details]
patch for the missing hunks to unmime.{c,h}, codeconv.c
Comment 41 Hendrik Vogelsang 2005-04-11 08:33:25 UTC
checked in
Comment 42 Marcus Meissner 2005-04-12 07:36:32 UTC
updated packages released, thanks! 
Comment 43 Thomas Biege 2009-10-13 21:11:08 UTC
CVE-2005-0667: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)