Bug 862578 (CVE-2012-4507)

Summary: CVE-2012-4507 [abrt] claws-mail-3.8.1-1.fc17: strchr: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
Product: Fedora
Reporter: Jérôme Benoit <jerome.benoit>
Component: claws-mail
Assignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: andreas.bierfert, bugs.michael, henri
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:ede36842e171c1ad3b175c873dac67dcdc93b803
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2012-11-20 08:56:50 EST

Description Jérôme Benoit 2012-10-03 05:37:57 EDT
Description of problem:
A specific mail in the user mbox file causes claws-mail to crash reliably.

Version-Release number of selected component:

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        claws-mail
crash_function: strchr
kernel:         3.5.4-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 strchr at ../sysdeps/x86_64/strchr.S:33
: #1 parse_parameters at procmime.c:1756
: #2 procmime_parse_content_disposition at procmime.c:1842
: #3 procmime_parse_mimepart at procmime.c:1967
: #4 procmime_parse_multipart at procmime.c:1566
: #5 procmime_parse_mimepart at procmime.c:1994
: #6 procmime_parse_message_rfc822 at procmime.c:1393
: #7 procmime_scan_file_with_offset at procmime.c:2058
: #8 procmime_scan_file_full at procmime.c:2071
: #9 procmime_scan_file at procmime.c:2078
Comment 1 Jérôme Benoit 2012-10-03 05:38:00 EDT
Created attachment 620707 [details]
File: core_backtrace
Comment 2 Jérôme Benoit 2012-10-03 05:38:02 EDT
Created attachment 620708 [details]
File: environ
Comment 3 Jérôme Benoit 2012-10-03 05:38:05 EDT
Created attachment 620709 [details]
File: backtrace
Comment 4 Jérôme Benoit 2012-10-03 05:38:07 EDT
Created attachment 620710 [details]
File: limits
Comment 5 Jérôme Benoit 2012-10-03 05:38:09 EDT
Created attachment 620711 [details]
File: cgroup
Comment 6 Jérôme Benoit 2012-10-03 05:38:13 EDT
Created attachment 620712 [details]
File: maps
Comment 7 Jérôme Benoit 2012-10-03 05:38:15 EDT
Created attachment 620713 [details]
File: dso_list
Comment 8 Jérôme Benoit 2012-10-03 05:38:17 EDT
Created attachment 620714 [details]
File: build_ids
Comment 9 Jérôme Benoit 2012-10-03 05:38:19 EDT
Created attachment 620715 [details]
File: var_log_messages
Comment 10 Jérôme Benoit 2012-10-03 05:38:21 EDT
Created attachment 620716 [details]
File: open_fds
Comment 11 Jérôme Benoit 2012-10-03 05:46:17 EDT
Created attachment 620717 [details]
Message that triggers the crash (extracted with csplit)

To reproduce:

$ cat x0008 > /var/spool/mail/${USER}

Get new messages from the user mbox file.
Comment 12 Michael Schwendt 2012-10-03 12:18:59 EDT
Can reproduce. That's a security issue, btw, assuming that the message makes it into a mailbox unmodified. I here only copied it into a local folder.

It's a NULL-ptr crash afaics.
Comment 13 Michael Schwendt 2012-10-03 12:20:14 EDT
Created attachment 621012 [details]
the patch only adds a NULL check
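
The two comments above describe a strchr() result in parse_parameters being used without a NULL check while Content-Disposition parameters are parsed, and the next comment points at the charset value. The C program below is an added example (not the reporter's or claws-mail's code, and not the attached patch): it assumes the crash is on the RFC 2231 extended-parameter form charset'lang'percent-encoded and shows the checked version of that split beside a small walker that rejects a malformed parameter instead of crashing. The function names, the struct, FIELD_MAX and the sample headers are all choices made for this illustration; the real procmime.c code is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 128

/* The three parts of an RFC 2231 extended value: charset'lang'encoded-text. */
struct ext_value {
    char charset[FIELD_MAX];
    char lang[FIELD_MAX];
    char text[FIELD_MAX];              /* percent-decoded payload */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Split "charset'lang'percent-encoded" into its parts, checking every strchr
 * result and every %xx escape before use. The unchecked shape this guards
 * against (assumed from the backtrace, not copied from procmime.c) is
 * q1 = strchr(value, '\''); q2 = strchr(q1 + 1, '\''): with no quote in the
 * value q1 is NULL and the second call faults inside strchr, which is the
 * SIGSEGV abrt reported. Returns 0 on success, -1 on a malformed value. */
int parse_ext_value(const char *value, struct ext_value *out)
{
    const char *q1, *q2, *p;
    size_t n, i;

    if (value == NULL || out == NULL) return -1;
    if ((q1 = strchr(value, '\'')) == NULL) return -1;   /* no charset delimiter */
    if ((q2 = strchr(q1 + 1, '\'')) == NULL) return -1;  /* no language delimiter */

    n = (size_t)(q1 - value);
    if (n >= FIELD_MAX) return -1;
    memcpy(out->charset, value, n);
    out->charset[n] = '\0';

    n = (size_t)(q2 - q1 - 1);
    if (n >= FIELD_MAX) return -1;
    memcpy(out->lang, q1 + 1, n);
    out->lang[n] = '\0';

    for (p = q2 + 1, i = 0; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0) return -1;             /* bad or truncated %xx */
            c = hi * 16 + lo;
            p += 2;
        }
        if (i + 1 >= FIELD_MAX) return -1;
        out->text[i++] = (char)c;
    }
    out->text[i] = '\0';
    return 0;
}

/* Walk the ';'-separated parameters of a Content-Disposition value. Extended
 * parameters (attribute ending in '*') go through parse_ext_value; well-formed
 * ones are counted in *accepted, malformed ones in the return value, so a
 * hostile message is rejected rather than crashing the reader. Plain
 * name=value parameters are skipped. Simplification: quoted-string values
 * containing ';' are not handled. Returns -1 on an oversized segment. */
int count_bad_ext_params(const char *header, int *accepted)
{
    const char *p = header;
    int bad = 0;

    *accepted = 0;
    while (p != NULL) {
        char seg[256];
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *s, *eq;
        struct ext_value ev;

        if (len >= sizeof seg) return -1;
        memcpy(seg, p, len);
        seg[len] = '\0';
        p = end ? end + 1 : NULL;

        for (s = seg; *s == ' ' || *s == '\t'; s++)
            ;
        eq = strchr(s, '=');
        if (eq == NULL || eq == s || eq[-1] != '*') continue;  /* type or plain param */
        if (parse_ext_value(eq + 1, &ev) == 0) (*accepted)++;
        else bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample header, not the attachment from this bug. */
    int acc, rej = count_bad_ext_params("attachment; filename*=nocharsethere", &acc);
    printf("accepted=%d rejected=%d\n", acc, rej);       /* accepted=0 rejected=1 */
    return 0;
}
```

Compile with cc -Wall and run: the constructed header whose filename* value has no quote is counted as rejected, which is the input that takes the unchecked shape into strchr(NULL + 1). The check deliberately covers the second delimiter and truncated %xx escapes as well, because guarding only the first strchr leaves q2 unchecked and the same class of fault one delimiter later.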

Comment 14 Jérôme Benoit 2012-10-03 15:52:08 EDT
It's indeed a security issue. The charset variable content should pass checks that guarantee it will not overflow during processing, before delivery to MH folder(s).

Thanks Michael for having filed the bug report upstream before I found time to do so.
Comment 15 Henri Salo 2012-10-09 07:48:59 EDT
Does this issue have CVE-identifier?
Comment 16 Michael Schwendt 2012-10-09 13:49:24 EDT
A CVE for a simple NULL-ptr dereference?
Comment 17 Jérôme Benoit 2012-10-09 13:50:59 EDT
No, I'm not familiar with the CVE declaration procedure. But this issue should indeed have a CVE-identifier.
Comment 18 Henri Salo 2012-10-09 13:56:51 EDT
Guide: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Example good request to public mailing-list oss-security: http://seclists.org/oss-sec/2011/q4/3

Please email me in case you want me to request it.
Comment 19 Jérôme Benoit 2012-10-10 06:31:10 EDT
CVE-id allocated: CVE-2012-4507.

More information here:

Comment 20 Michael Schwendt 2012-10-10 12:06:02 EDT
Thanks for volunteering!


Isn't it too extreme to track such a minor issue with a CVE id? There's only limited impact (and one can tell Claws Mail to not open/display a message automatically to prevent it from crashing). It's not much more dangerous compared with the user hitting an arbitrary other programming error in Claws Mail (or other applications) that crashes it suddenly. I would think differently if it were a vulnerability that could be exploited, e.g. as explained at http://cve.mitre.org/about/faqs.html#a2
Comment 21 Henri Salo 2012-10-10 13:31:32 EDT
A controllable null-pointer dereference is usually a bad enough situation to get a CVE identifier, as it breaks a security boundary.

Can a random person email and crash claws-mail? Does this need changing of default settings? Does this affect a lot of users or only a couple?

Since this is now assigned I don't think we should request a reject for CVE-2012-4507, as this issue in my opinion (from reading this page, not testing code) falls into the "security issue" sector.

What I think we should do is:
1. Change priority and severity of this case accordingly
2. Add comment to changelog with CVE in the patch

Please contact me if you need help with this issue and I can try my best :)
Comment 22 Jérôme Benoit 2012-10-10 15:38:53 EDT
It affects all claws-mail users with no special configuration tunables set.
It happens not only when you want to view a message; it can happen before delivery to MH folder(s), when the email content processing code does something (and in a MUA, the content processing code can be invoked very often: viewing, filtering).

Plus, NULL pointer dereferences have some exploit patterns (hard ones, but not impossible ones).
Comment 23 Fedora Update System 2012-10-22 18:34:32 EDT
claws-mail-3.8.1-3.fc18 has been submitted as an update for Fedora 18.
Comment 24 Fedora Update System 2012-10-22 18:34:43 EDT
claws-mail-3.8.1-3.fc17 has been submitted as an update for Fedora 17.
Comment 25 Fedora Update System 2012-10-22 18:34:57 EDT
claws-mail-3.8.1-3.fc16 has been submitted as an update for Fedora 16.
Comment 26 Fedora Update System 2012-10-23 02:44:45 EDT
Package claws-mail-3.8.1-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing claws-mail-3.8.1-3.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).