Bug 862578 (CVE-2012-4507)

Summary: CVE-2012-4507 [abrt] claws-mail-3.8.1-1.fc17: strchr: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
Product: Fedora
Reporter: Jérôme Benoit <jerome.benoit>
Component: claws-mail
Assignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: andreas.bierfert, bugs.michael, henri
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:ede36842e171c1ad3b175c873dac67dcdc93b803
Doc Type: Bug Fix
Last Closed: 2012-11-20 13:56:50 UTC
Attachments:
- core_backtrace
- environ
- backtrace
- limits
- cgroup
- maps
- dso_list
- build_ids
- var_log_messages
- open_fds
- Message that triggers the crash (extracted with csplit)
- the patch only adds a NULL check

Description Jérôme Benoit 2012-10-03 09:37:57 UTC
Description of problem:
A specific mail in the user mbox file causes claws-mail to crash reliably.

Version-Release number of selected component:
claws-mail-3.8.1-1.fc17

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        claws-mail
crash_function: strchr
kernel:         3.5.4-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 strchr at ../sysdeps/x86_64/strchr.S:33
: #1 parse_parameters at procmime.c:1756
: #2 procmime_parse_content_disposition at procmime.c:1842
: #3 procmime_parse_mimepart at procmime.c:1967
: #4 procmime_parse_multipart at procmime.c:1566
: #5 procmime_parse_mimepart at procmime.c:1994
: #6 procmime_parse_message_rfc822 at procmime.c:1393
: #7 procmime_scan_file_with_offset at procmime.c:2058
: #8 procmime_scan_file_full at procmime.c:2071
: #9 procmime_scan_file at procmime.c:2078

Comment 1 Jérôme Benoit 2012-10-03 09:38:00 UTC
Created attachment 620707 [details]
File: core_backtrace

Comment 2 Jérôme Benoit 2012-10-03 09:38:02 UTC
Created attachment 620708 [details]
File: environ

Comment 3 Jérôme Benoit 2012-10-03 09:38:05 UTC
Created attachment 620709 [details]
File: backtrace

Comment 4 Jérôme Benoit 2012-10-03 09:38:07 UTC
Created attachment 620710 [details]
File: limits

Comment 5 Jérôme Benoit 2012-10-03 09:38:09 UTC
Created attachment 620711 [details]
File: cgroup

Comment 6 Jérôme Benoit 2012-10-03 09:38:13 UTC
Created attachment 620712 [details]
File: maps

Comment 7 Jérôme Benoit 2012-10-03 09:38:15 UTC
Created attachment 620713 [details]
File: dso_list

Comment 8 Jérôme Benoit 2012-10-03 09:38:17 UTC
Created attachment 620714 [details]
File: build_ids

Comment 9 Jérôme Benoit 2012-10-03 09:38:19 UTC
Created attachment 620715 [details]
File: var_log_messages

Comment 10 Jérôme Benoit 2012-10-03 09:38:21 UTC
Created attachment 620716 [details]
File: open_fds

Comment 11 Jérôme Benoit 2012-10-03 09:46:17 UTC
Created attachment 620717 [details]
Message that triggers the crash (extracted with csplit)

To reproduce: 

$ cat x0008 > /var/spool/mail/${HOME}

Get new messages from the user mbox file.

Comment 12 Michael Schwendt 2012-10-03 16:18:59 UTC
Can reproduce. That's a security issue, btw, assuming that the message makes it into a mailbox unmodified. I here only copied it into a local folder.

It's a NULL-ptr crash afaics.

Comment 13 Michael Schwendt 2012-10-03 16:20:14 UTC
Created attachment 621012 [details]
the patch only adds a NULL check

http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743

Comment 14 Jérôme Benoit 2012-10-03 19:52:08 UTC
It's indeed a security issue. The charset variable content should pass checks that will guarantee it will not overflow during the processing, before the delivery to MH folder(s). 

Thanks, Michael, for having done the bug report upstream before I found time to do so.
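The NULL check that the patch in comment 13 describes, as an added example in the shape of the strchr-under-parse_parameters frames in the backtrace (illustration code, not claws-mail's own procmime.c; the function names, the struct and the PART_MAX bound are assumptions):

```c
/* Added illustration, not claws-mail's procmime.c: a minimal RFC 2231
 * "charset'language'value" parameter splitter with the NULL check the
 * fix adds. Names and PART_MAX are hypothetical; no percent-decoding. */
#include <stdio.h>
#include <string.h>

#define PART_MAX 64

struct ext_param { char charset[PART_MAX], lang[PART_MAX], value[PART_MAX]; };

/* Copy [src, src+n) into dst as a C string; 0 if it would not fit. */
static int copy_part(char *dst, const char *src, size_t n)
{
    if (n >= PART_MAX)
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Returns 1 and fills p when value is well-formed, 0 otherwise. Without
 * the first check a NULL value reaches strchr: frames #0/#1 of the report. */
static int split_ext_param(const char *value, struct ext_param *p)
{
    const char *q1, *q2;
    if (value == NULL)               /* the guard the fix adds */
        return 0;
    q1 = strchr(value, '\'');
    if (q1 == NULL)                  /* no charset delimiter */
        return 0;
    q2 = strchr(q1 + 1, '\'');
    if (q2 == NULL)                  /* no language delimiter */
        return 0;
    return copy_part(p->charset, value, (size_t)(q1 - value)) &&
           copy_part(p->lang, q1 + 1, (size_t)(q2 - q1 - 1)) &&
           copy_part(p->value, q2 + 1, strlen(q2 + 1));
}

int main(void)
{
    /* Constructed sample values; the last two are malformed. */
    const char *samples[] = { "utf-8'en'report%2Epdf", "iso-8859-1''r%E9sum%E9",
                              "utf-8report.pdf", NULL };
    struct ext_param p; size_t i;
    for (i = 0; i < 4; i++)
        printf("%-26s -> %s\n", samples[i] ? samples[i] : "(NULL)",
               split_ext_param(samples[i], &p) ? "ok" : "rejected");
    return 0;
}
```

A malformed or absent parameter value now yields a rejected header instead of a SIGSEGV in the parser.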

Comment 15 Henri Salo 2012-10-09 11:48:59 UTC
Does this issue have CVE-identifier?

Comment 16 Michael Schwendt 2012-10-09 17:49:24 UTC
A CVE for a simple NULL-ptr dereference?

Comment 17 Jérôme Benoit 2012-10-09 17:50:59 UTC
No, I'm not familiar with the CVE declaration procedure. But this issue should indeed have a CVE-identifier.

Comment 18 Henri Salo 2012-10-09 17:56:51 UTC
Guide: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Example good request to public mailing-list oss-security: http://seclists.org/oss-sec/2011/q4/3

Please email me in case you want me to request it.

Comment 19 Jérôme Benoit 2012-10-10 10:31:10 UTC
CVE id allocated: CVE-2012-4507.

More information here:

http://seclists.org/oss-sec/2012/q4/41
http://seclists.org/oss-sec/2012/q4/45

Comment 20 Michael Schwendt 2012-10-10 16:06:02 UTC
Thanks for volunteering!

[...]

Isn't it too extreme to track such a minor issue with a CVE id? There's only limited impact (and one can tell Claws Mail to not open/display a message automatically to prevent it from crashing). It's not much more dangerous compared with the user hitting an arbitrary other programming error in Claws Mail (or other applications) that crashes it suddenly. I would think differently if it were a vulnerability that could be exploited, e.g. as explained at http://cve.mitre.org/about/faqs.html#a2

Comment 21 Henri Salo 2012-10-10 17:31:32 UTC
A controllable null-pointer dereference is usually a bad enough situation to get a CVE identifier, as it breaks a security boundary.

Can a random person email and crash claws-mail? Does this need changing of default settings? Does this affect a lot of users or only a couple?

Since this is now assigned, I don't think we should request a reject for CVE-2012-4507, as this issue in my opinion (by reading this page, not testing code) goes into the "security issue" sector.

What I think we should do is:
1. Change the priority and severity of this case accordingly
2. Add a comment to the changelog with the CVE in the patch

Please contact me if you need help with this issue and I can try my best :)

Comment 22 Jérôme Benoit 2012-10-10 19:38:53 UTC
It affects all claws-mail users with no special configuration tunables set.
It happens not only when you want to view a message; it can happen before the delivery to MH folder(s) when the email content processing code does something (and in a MUA, the content processing code can be invoked very often: viewing, filtering).

Plus, NULL pointer dereferences have some exploit patterns (hard ones, but not impossible ones).

Comment 23 Fedora Update System 2012-10-22 22:34:32 UTC
claws-mail-3.8.1-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc18

Comment 24 Fedora Update System 2012-10-22 22:34:43 UTC
claws-mail-3.8.1-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc17

Comment 25 Fedora Update System 2012-10-22 22:34:57 UTC
claws-mail-3.8.1-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc16

Comment 26 Fedora Update System 2012-10-23 06:44:45 UTC
Package claws-mail-3.8.1-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing claws-mail-3.8.1-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16689/claws-mail-3.8.1-3.fc18
then log in and leave karma (feedback).