Bug 44025

Summary: elm buffer overflow on messages with long Message-ID header
Product: [Retired] Red Hat Linux
Component: elm
Version: 6.2
Hardware: i386
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Security
Target Milestone: ---
Target Release: ---
Reporter: Need Real Name <devjoe>
Assignee: Trond Eivind Glomsrød <teg>
QA Contact: David Lawrence <dkl>
CC: jarno.huuskonen
Doc Type: Bug Fix
Last Closed: 2001-06-12 22:27:15 UTC
Attachments:
A spam mail I received with a long Message-ID string, with excess headers and body removed. (Flags: none)

Description Need Real Name 2001-06-09 12:33:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i586; Nav)

Description of problem:
Messages with a very long (probably non-compliant) Message-ID header cause
a buffer overflow in elm.  Part of this string overwrites the "date" field
in the message list with a longer string than normally appears there, which
causes the line to wrap and messes up the rest of this screen. I don't know
what other havoc it might cause.
I am attaching a pared-down version of one such message, with Received
fields and message body removed/replaced by placeholders.


How reproducible:
Always

Steps to Reproduce:
1. Save the attached file
2. Run elm -f filename
3. Look at the display.
	

Actual Results:  Message summary displays as:
     1   hnfR2-U3s.EG * June.Jamboree@pop. (21)   1st Streaming ShockWave
Casino
 !  


Expected Results:  The "hnfR2-U3s.EG" should have been "Jun 08". This also
prevents the line from wrapping.


Additional info:

Since it's a buffer overflow, it's a security issue. A message designed to
exploit the problem might be able to do all sorts of stuff. This message
might actually be intended to exploit a buffer overflow in handling the
Message-ID string on some mail-handling program, but does not appear to do
anything malicious when read in elm.
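
The symptom described in this report, sketched as an added example (not elm's source and not written by anyone in this thread): a hypothetical `struct summary` with constructed buffer sizes stores the date text right after a fixed Message-ID buffer, and `store_msgid_bounded` is a length-checked copy that truncates an overlong header and leaves the date intact.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSGID_LEN 64 /* constructed sizes, not taken from elm */
#define DATE_LEN 8

/* Hypothetical index record (an assumption, not elm's layout): a fixed
 * Message-ID buffer with the displayed date text stored right after it. */
struct summary {
    char msgid[MSGID_LEN];
    char date[DATE_LEN];
};

/* Unchecked pattern for contrast (never called): writes past msgid[] into date[]. */
void store_msgid_unchecked(struct summary *s, const char *value) {
    strcpy(s->msgid, value);
}

/* Parse one header line. Returns -1 if it is not a Message-ID header,
 * 0 if the value fit, 1 if it was truncated to fit msgid[]. */
int store_msgid_bounded(struct summary *s, const char *line) {
    static const char name[] = "message-id:";
    size_t i, n;
    for (i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != name[i])
            return -1;
    const char *v = line + i;
    while (*v == ' ' || *v == '\t')
        v++;
    n = strcspn(v, "\r\n"); /* value ends at end of line */
    int truncated = n >= sizeof s->msgid;
    if (truncated)
        n = sizeof s->msgid - 1; /* leave room for the NUL */
    memcpy(s->msgid, v, n);
    s->msgid[n] = '\0';
    return truncated;
}

int main(void) {
    struct summary s;
    char line[320] = "Message-ID: <"; /* constructed overlong header */
    memset(line + 13, 'A', 300);
    strcpy(line + 313, ">\n");
    strcpy(s.date, "Jun 08");
    int rc = store_msgid_bounded(&s, line);
    printf("rc=%d msgid_len=%zu date=\"%s\"\n", rc, strlen(s.msgid), s.date);
    return 0;
}
```

A return value of 1 is also a convenient place to log the message, since a Message-ID that long is unusual enough to be worth a look.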

Comment 1 Need Real Name 2001-06-09 12:35:11 UTC
Created attachment 20692
A spam mail I received with a long Message-ID string, with excess headers and body removed.

Comment 2 Trond Eivind Glomsrød 2001-06-11 14:37:23 UTC
Reproduced...

Comment 3 Trond Eivind Glomsrød 2001-06-11 21:17:06 UTC
There is a version with fixes at http://people.redhat.com/teg/elm/ - could you
give it a try?

Comment 4 Need Real Name 2001-06-12 22:27:12 UTC
teg: that works.


Comment 5 Trond Eivind Glomsrød 2001-07-17 20:18:26 UTC
Released a couple of days ago.