Bug 8100
| Summary: | well-placed '\0' in mail text renders mailx unusable | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Jeff Trawick <trawick> |
| Component: | mailx | Assignee: | Florian La Roche <laroche> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.1 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2000-02-03 22:46:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
*** Bug 3719 has been marked as a duplicate of this bug. ***

*** Bug 6859 has been marked as a duplicate of this bug. ***

I've applied your patch in mailx-8.1.1-10
The mail command (all versions, including what ships with RH 6.0 and RH 6.1) is vulnerable to a binary zero in the first byte of a line of a mail message. When compiled with -O2 it gets a segmentation violation. Of course this is a bogus mail message, but some software generates it: I received SPAM recently that had '\0' in the magic place and was unable to use the mail command. When -O2 was not used at compilation, the segmentation violation did not occur.

I have attached a diff below showing one possible fix. For this diff, fio.c.old is the version with all shipped patches applied from mailx-8.1.1-9.src.rpm.

Basically, the fix is to guarantee that there is at least one non-'\0' character in a line read from the message. If there is not (i.e., the first char is '\0'), two problems occur:

1) count is zero, so "linebuf[count - 1] = 0" overlays the local variable "FILE *mestmp", causing a subsequent write to that file to get a segmentation violation since mestmp is invalid (this seems to occur only with -O2)

2) the manipulation of the message requires that there is some text in each line; an empty stored line is treated as the end of all messages.

[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c *** fio.c.old Fri Dec 31 16:00:49 1999 --- fio.c Sat Jan 1 16:12:06 2000 *************** *** 99,113 **** } makemessage(mestmp); return; } count = strlen(linebuf); (void) fwrite(linebuf, sizeof *linebuf, count, otf); if (ferror(otf)) { perror("/tmp"); exit(1); } ! linebuf[count - 1] = 0; if (maybe && linebuf[0] == 'F' && ishead(linebuf)) { msgCount++; if (append(&this, mestmp)) { perror("temporary file"); --- 99,128 ---- } makemessage(mestmp); return; } + /* + * In case we read some non-text, make sure there is + * at least one char before '\0'. Otherwise, we'll + * blow up later. + */ + + if (linebuf[0] == '\0') + linebuf[0] = '.'; + count = strlen(linebuf); (void) fwrite(linebuf, sizeof *linebuf, count, otf); if (ferror(otf)) { perror("/tmp"); exit(1); } ! ! /* ! 
* zap '\n' at end of line if there is one; ! * there won't be one if line length is >= than LINESIZE; ! */ ! if (linebuf[count - 1] == '\n') ! linebuf[count - 1] = 0; if (maybe && linebuf[0] == 'F' && ishead(linebuf)){ msgCount++; if (append(&this, mestmp)) { perror("temporary file"); [root@k5 mailx-8.1.1]#
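Review bot: the new `if (linebuf[0] == '\0')` guard only covers a NUL in the first byte, so a NUL anywhere later in the line still leaves `count = strlen(linebuf)` short of the bytes actually read; `fwrite` then stores only the bytes before the NUL, the '\n' among the dropped bytes, and the new `if (linebuf[count - 1] == '\n')` test never fires, so that line and the one after it run together in `otf`. Tracking the number of bytes the line reader returned, instead of calling strlen on the buffer, would cover both the first-byte and the mid-line case with one check; with the guard as written, `count` is at least 1, which is what makes the `linebuf[count - 1]` access safe. Minor style point: the changed `ishead(linebuf)){` line lost the space before `{` that the old line had.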
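The mechanism the report describes, a strlen-based count that reaches zero on a line whose first byte is '\0' so that `linebuf[count - 1]` lands one byte before the buffer, is illustrated by the following C program. It is an added example, not code from the bug report or from mailx: it reads lines from a constructed mbox-like buffer with an explicit byte count instead of strlen, reports where the strlen idiom would underflow or truncate without performing the out-of-bounds write, and strips the trailing newline only after checking the count. The `read_line` helper, the LINESIZE value, the `struct scan_result` layout and the sample text are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINESIZE 256   /* assumed buffer size for the example, not mailx's own */

/* Constructed sample mbox text (not real mail data). The second line starts
 * with a NUL byte and the third has a NUL in the middle, so the true length
 * is taken with sizeof rather than strlen. */
static const char sample_mbox[] =
    "From sender Sat Jan  1 00:00:00 2000\n"
    "\0second line starts with NUL\n"
    "third\0line has NUL inside\n";
static const size_t sample_len = sizeof sample_mbox - 1;

/* Copy one line from buf[*pos..len) into out (assumed helper standing in for
 * mailx's line reader). Returns the number of bytes copied, including the
 * '\n' when present, or 0 at end of input. The count comes from the position
 * of '\n', so embedded NUL bytes are ordinary data. */
static size_t read_line(const char *buf, size_t len, size_t *pos, char *out)
{
    if (*pos >= len)
        return 0;
    const char *start = buf + *pos;
    const char *nl = memchr(start, '\n', len - *pos);
    size_t n = nl ? (size_t)(nl - start) + 1 : len - *pos;
    if (n > LINESIZE - 1)
        n = LINESIZE - 1;          /* overlong lines are split, as in the report */
    memcpy(out, start, n);
    out[n] = '\0';
    *pos += n;
    return n;
}

/* The idiom from the report, "count = strlen(linebuf); linebuf[count - 1] = 0",
 * writes one byte before the buffer whenever strlen() is 0. This reports that
 * condition instead of performing the out-of-bounds write. */
static int strlen_idiom_underflows(const char *linebuf)
{
    return strlen(linebuf) == 0;
}

struct scan_result {
    int lines;            /* lines delivered by read_line */
    int lines_with_nul;   /* lines where strlen() disagrees with the byte count */
    int underflows;       /* lines where the strlen idiom would write linebuf[-1] */
    int messages;         /* lines beginning with "From " (no blank-line check) */
    size_t bytes;         /* bytes that reach the output using the byte count */
    size_t bytes_strlen;  /* bytes that would reach the output using strlen() */
};

static struct scan_result scan(const char *buf, size_t len)
{
    struct scan_result r = {0, 0, 0, 0, 0, 0};
    char linebuf[LINESIZE];
    size_t pos = 0, n;

    while ((n = read_line(buf, len, &pos, linebuf)) > 0) {
        size_t s = strlen(linebuf);
        r.lines++;
        r.bytes += n;            /* what fwrite(linebuf, 1, n, otf) would store */
        r.bytes_strlen += s;     /* what fwrite(linebuf, 1, strlen(linebuf), otf) would store */
        if (s != n)
            r.lines_with_nul++;
        if (strlen_idiom_underflows(linebuf))
            r.underflows++;
        /* Hardened newline strip: the count is checked before indexing n - 1. */
        if (n > 0 && linebuf[n - 1] == '\n')
            linebuf[n - 1] = '\0';
        if (n >= 5 && memcmp(linebuf, "From ", 5) == 0)
            r.messages++;
    }
    return r;
}

int main(void)
{
    struct scan_result r = scan(sample_mbox, sample_len);
    printf("lines=%d nul_lines=%d underflows=%d messages=%d bytes=%zu strlen_bytes=%zu\n",
           r.lines, r.lines_with_nul, r.underflows, r.messages, r.bytes, r.bytes_strlen);
    return 0;
}
```

Returning the byte count from the reader is what makes a NUL harmless: strlen() reports 0 for the second sample line and 5 for the third, so the original idiom would write before the buffer on the second and silently drop the tail of the third, while the count-based path stores every byte and still strips the newline correctly.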