Bugzilla – Bug 49369
VUL-0: CVE-2004-0105: metamail: format-string bug and buffer overflow
Last modified: 2021-09-30 15:18:50 UTC
Hello Werner, the following was posted privately on vendor-sec. Can you prepare the updates please.
Date: Sat, 7 Feb 2004 19:56:03 +0100
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: vendor-sec@lst.de
Subject: [vendor-sec] metamail format string bugs and buffer overflows

Hello,

I have found two format string bugs and two buffer overflows in metamail. The affected versions are at least 2.7, 2.6, 2.5 and 2.4. It should be noted that there are several newsreaders (tin), mailreaders (elm) and antivirus programs (antimime, older versions of AMaViS) that pass MIME messages from the network directly to metamail, without asking the user first.

The first format string bug occurs when a message has a multipart/alternative MIME type, and one of the body parts has a "Content-Type" header with parameter names or values containing formatting codes. It occurs because of two bad fprintf() statements in the function SaveSquirrelFile() - yes, it's really called that - in metamail.c. The file "testmail1" gives an example of this problem.

The second format string bug occurs when a message has encoded local characters in the mail headers (as described in RFC 2047), an unknown encoding, and encoded text containing formatting codes. It is caused by a bad printf() statement in the function PrintHeader() in metamail.c. An example of this problem can be found in the file "testmail2".

The first buffer overflow occurs when a message has encoded local characters in the mail headers and the part that names a character set is overly long. The root of this problem is a bad strcpy() statement in the function PrintHeader() in metamail.c. An example of this can be found in the file "testmail3".

The second buffer overflow doesn't occur in the metamail executable, but in the splitmail executable that's generated when you compile the metamail package. This overflow occurs when a message has an overly long Subject header. It is caused by a bad strcpy() statement in the function ShareThisHeader() in splitmail.c. An example can be found in the "testmail4.splitmail" file.

I have attached the four test messages mentioned above, as well as a patch that corrects all four issues. This patch is diff'ed against version 2.7 from Bellcore, even though almost everyone seems to use a version with various other patches by some vendor.

I hope to be able to co-operate with the vendor-sec subscribers in solving this problem.

// Ulf Harnhammar
ulf.harnhammar.9485@student.uu.se
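The report above describes the PrintHeader() defect as decoded header text reaching printf() as the format string. The following is an added example, not metamail's code and not part of this bug report: a header-rendering routine of the same shape, where the format is a fixed literal and the message-derived text is only ever an argument, so "%" sequences in a message are printed verbatim instead of being interpreted. render_header(), sample_is_literal(), sample_needed_length() and the SAMPLE_* values are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not metamail's code. The report describes a bad printf()
 * in PrintHeader(): decoded header text reaching printf as the format
 * string. Here the format is a fixed literal and the header text is an
 * argument, so conversion specifiers in a message are printed verbatim. */

/* Render "name: value\n" into out (capacity out_len). Returns the length the
 * full line needs, as snprintf does; a result >= out_len means truncation. */
int render_header(char *out, size_t out_len, const char *name, const char *value)
{
    /* The message-controlled strings are only ever %s arguments. */
    return snprintf(out, out_len, "%s: %s\n", name, value);
}

/* Constructed sample header whose decoded text contains printf directives,
 * the shape of input the report's "testmail2" is said to exercise. */
static const char SAMPLE_NAME[]  = "Subject";
static const char SAMPLE_VALUE[] = "hello %s %n %x";

/* Returns 1 when the rendered line contains the sample value verbatim and
 * nothing was interpreted or truncated, 0 otherwise. */
int sample_is_literal(void)
{
    char line[128];
    int n = render_header(line, sizeof line, SAMPLE_NAME, SAMPLE_VALUE);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;
    return strcmp(line, "Subject: hello %s %n %x\n") == 0;
}

/* Size the output first: snprintf with a NULL buffer and zero capacity
 * returns the length the line would need, without writing anything. */
int sample_needed_length(void)
{
    return snprintf(NULL, 0, "%s: %s\n", SAMPLE_NAME, SAMPLE_VALUE);
}

int main(void)
{
    char line[128];
    render_header(line, sizeof line, SAMPLE_NAME, SAMPLE_VALUE);
    fputs(line, stdout);
    return sample_is_literal() ? 0 : 1;
}
```

The two properties a reviewer would check in this kind of code are visible here: the format string is a compile-time literal, and the output is bounded by the buffer size the caller supplies.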
Created attachment 15913: patchinfo-box.metamail
Created attachment 15914: patchinfo-box.metamail
Created attachment 15915: metamail.vendor-sec.tar.gz
Now part of STABLE
Please explain patchinfo within attachment 7914 of comment #3 ... AFAIK we do not have any product based on 7.x anymore ... do we?
Thanks. Are older versions affected too? If so, we need security-updates for them too.
I am not sure about the patchinfo. AFAICR there is some SLES7 we support, but I am not sure. Who can be asked? Ihno?
For #7: Work in progress (mbuilds running)
For #8: Add Ihno to CC
done for 8.0,8.1,8.2,9.0
Hi, I asked Harald. All SLES7 and all Firewall products (SLES7-based) are still maintained.
Try: is_maintained metamail
If it isn't in your $PATH, you may use: /work/src/bin/tools/is_maintained
For SUSE Linux you may use: is_maintained -b metamail (-b like BOX)
OK, done for SLES7 which includes all other SLES7 based products.
Reopened by thomas@suse.de at Thu Feb 12 18:06:10 2004
Reopened, reassigned for tracking.
release: 18.02.2004
CAN-2004-0104 Metamail format strings
CAN-2004-0105 Metamail buffer overflows
Hello Werner, the fix has a failure. :(

Date: Mon, 1 Mar 2004 15:59:35 -0600
From: Jacques A. Vidrine <nectar@FreeBSD.org>
To: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] metamail format string bugs and buffer overflows

On Sat, Feb 07, 2004 at 07:56:03PM +0100, Ulf Härnhammar wrote:
> I have attached the four test messages mentioned above, as well
> as a patch that corrects all four issues. This patch is diff'ed
> against version 2.7 from Bellcore, even though almost everyone
> seems to use a version with various other patches by some vendor.

Thanks, Ulf! It appears that the patch to splitmail.c may be incorrect:

--- splitmail.c.old 1994-01-31 23:23:14.000000000 +0100 +++ splitmail.c2004-02-07 17:35:26.000000000 +0100 @@ -361,7 +361,8 @@ } if (!ULstrcmp(s, "subject")) { *colon = ':'; - strcpy(SubjectBuf, ++colon); + strncpy(SubjectBuf, ++colon, sizeof(SubjectBuf)); + SubjectBuf[sizeof(SubjectBuf) - 1] = '\0'; return(0); } if (!ULstrcmp(s, "content-type")) {

`SubjectBuf' is an argument of type `char *', so `sizeof(SubjectBuf)' is not correct. <naddy@FreeBSD.org> noticed this only after I committed the patches to our ports collection. I didn't review carefully enough, no cookie for me.

http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/metamail/files/patch-ae

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
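Review bot: the bound in `+ strncpy(SubjectBuf, ++colon, sizeof(SubjectBuf));` is the size of a `char *`, not of the buffer, because `SubjectBuf` is a pointer argument here (as the reply itself states), so the copy is capped at pointer size and the terminator in `+ SubjectBuf[sizeof(SubjectBuf) - 1] = '\0';` lands at that same unrelated offset; the function needs the buffer's real capacity (passed in as a parameter, or `sizeof` taken where the array is defined) and should use it in both lines, keeping the explicit NUL store because `strncpy` does not terminate when the source fills the bound.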
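To make the reviewed defect concrete, here is an added example, not metamail's or FreeBSD's code: a copy routine in the shape of the patched hunk beside a corrected one that takes the buffer's capacity as a parameter, run over a constructed overlong Subject value. SUBJECT_MAX, LONG_SUBJECT and the four functions are assumptions made for the illustration; the real size of splitmail's SubjectBuf is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not metamail's or FreeBSD's code. It isolates the defect
 * pointed out in the splitmail.c hunk: inside a function that receives the
 * buffer as 'char *', sizeof on that parameter is the size of a pointer,
 * not the capacity of the array the caller allocated. */

/* Constructed capacity; the real size of splitmail's SubjectBuf is not on the page. */
#define SUBJECT_MAX 64

/* Same shape as the patched hunk. 'bound' is sizeof(char *), typically 8,
 * whatever dst points to, so the copy is silently cut to 7 bytes (and the
 * bound would still be wrong for a buffer smaller than a pointer).
 * Returns the bound that was actually used. */
size_t copy_subject_as_patched(char *dst, const char *src)
{
    size_t bound = sizeof(dst);          /* pointer size, not buffer size */
    strncpy(dst, src, bound);
    dst[bound - 1] = '\0';
    return bound;
}

/* Corrected form: the caller passes the real capacity (sizeof the defining
 * array), and the result is always NUL-terminated. Returns the bound used. */
size_t copy_subject_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return 0;
    strncpy(dst, src, dst_len - 1);      /* leave room for the terminator */
    dst[dst_len - 1] = '\0';
    return dst_len;
}

/* Constructed overlong Subject value (well over SUBJECT_MAX bytes). */
static const char LONG_SUBJECT[] =
    "Re: a subject line that is deliberately much longer than sixty-four "
    "characters, the kind of overlong header the report describes";

/* Length of the string left in a SUBJECT_MAX buffer by each variant. */
size_t stored_len_as_patched(void)
{
    char buf[SUBJECT_MAX];
    copy_subject_as_patched(buf, LONG_SUBJECT);
    return strlen(buf);
}

size_t stored_len_bounded(void)
{
    char buf[SUBJECT_MAX];
    copy_subject_bounded(buf, sizeof buf, LONG_SUBJECT);
    return strlen(buf);
}

int main(void)
{
    printf("source length: %zu\n", strlen(LONG_SUBJECT));
    printf("as patched:    %zu bytes kept (bound was sizeof(char *) = %zu)\n",
           stored_len_as_patched(), sizeof(char *));
    printf("bounded:       %zu bytes kept (bound was %d)\n",
           stored_len_bounded(), SUBJECT_MAX);
    return 0;
}
```

The as-patched variant does not crash on a 64-byte buffer, which is why the mistake is easy to miss in testing: it mangles the Subject to a handful of characters rather than overflowing. The corrected variant keeps SUBJECT_MAX - 1 bytes and always terminates, which is the behaviour the hunk was meant to introduce.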
I rejected the current update packages. Can you please provide new ones. Thank you!
done:

werner/metamail> mkdir /work/src/done/9.0/metamail
werner/metamail> cp 9.0/* -p /work/src/done/9.0/metamail/
werner/metamail> mkdir /work/src/done/8.2/metamail
werner/metamail> cp 8.2/* -p /work/src/done/8.2/metamail/
werner/metamail> mkdir /work/src/done/8.1/metamail
werner/metamail> cp 8.1/* -p /work/src/done/8.1/metamail
werner/metamail> mkdir /work/src/done/8.0/metamail
werner/metamail> cp 8.0/* -p /work/src/done/8.0/metamail
werner/metamail> more /work/src/done/SLES7/README
werner/metamail> mkdir /work/src/done/SLES7/metamail/
werner/metamail> cp 7.2/* -p /work/src/done/SLES7/metamail/

I've also put the patchinfos at /work/src/done/PATCHINFO
Reopened by thomas@suse.de at Wed Mar 3 17:18:21 2004
Thanks! Reopened and reassigned for tracking.
Hi Werner, metamail is not fixed.

thomas@bragg:~> cat /work/src/done/SLES7-PPC/metamail.note
This version does not base on SLES7-ppc, fixes are missing.
thomas@bragg:~>
Werner?
Just a time issue
mbuild is running
FIXED, see /work/src/done/SLES7-PPC/metamail
Reopened by thomas@suse.de at Wed Mar 17 14:10:31 2004
Thanks a lot Werner. Reassigned for tracking.
packages approved
CVE-2004-0105: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)