Bug 961466

Summary: dovecot imap crashes when using LIST command with LIST-STATUS extension
Product: Red Hat Enterprise Linux 6 Reporter: Guido Berhoerster <guido+fedora>
Component: dovecotAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: fsumsal, jherrman, jkt, ovasik, psklenar
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dovecot-2.0.9-17.el6 Doc Type: Bug Fix
Doc Text:
When the LIST-STATUS extension was used with certain hierarchy separator symbols, dovecot in some cases terminated unexpectedly. Consequently, the user was unable to list the contents of their e-mail folder. This update fixes the code for traversing folders, and using LIST-STATUS no longer causes dovecot to crash.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 06:57:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
backtrace
none
dovecot -n output
none
coredump none

Description Guido Berhoerster 2013-05-09 16:42:40 UTC
Created attachment 745730 [details]
backtrace

Calling the LIST command using the LIST-STATUS extension (RFC 5819) on a mailbox with sub-mailboxes crashes the dovecot imap process on an assertion failure. I can reproduce this reliably on any of my mailboxes which contain sub-mailboxes (e.g. Lists/ here) by issuing the following command:

LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))

The logs show the following:

May  9 18:12:05 multivac dovecot: imap(XXX): Panic: file mailbox-list-fs.c: line 150 (fs_list_get_path): assertion failed: (mailbox_list_is_valid_pattern(_list, name))
May  9 18:12:05 multivac dovecot: imap(XXX): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0() [0x323a23ca6a] -> /usr/lib64/dovecot/libdovecot.so.0() [0x323a23cab6] -> /usr/lib64/dovecot/libdovecot.so.0() [0x323a216dba] -> /usr/lib64/dovecot/libdovecot-storage.so.0() [0x323a63bca7] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_mailbox_alloc+0x13c) [0x323a64d90c] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mdbox_mailbox_alloc+0x9a) [0x323a676bca] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_alloc+0x5d) [0x323a63061d] -> dovecot/imap(imap_status_get+0xe1) [0x4167b1] -> dovecot/imap() [0x40b5b0] -> dovecot/imap(cmd_list_full+0x426) [0x40c246] -> dovecot/imap() [0x40f8cd] -> dovecot/imap() [0x40f9ba] -> dovecot/imap(client_handle_input+0x135) [0x40fbe5] -> dovecot/imap(client_input+0x5f) [0x41050f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x48) [0x323a247e08] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x9f) [0x323a248d7f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x28) [0x323a247d98] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x323a236203] -> dovecot/imap(main+0x2f9) [0x418809] -> /lib64/libc.so.6(__libc_start_main+0xfd) [0x3d2001ecdd] -> dovecot/imap() [0x408229]
May  9 18:12:05 multivac dovecot: master: Error: service(imap): child 10060 killed with signal 6 (core dumped)

This happens with dovecot-2.0.9-5.el6.x86_64, doveconf -n output and a backtrace are attached.

Comment 1 Guido Berhoerster 2013-05-09 16:43:15 UTC
Created attachment 745731 [details]
dovecot -n output

Comment 2 Guido Berhoerster 2013-05-09 16:44:50 UTC
FYI, this can be easily reproduced by using the Trojit√° mail client which makes use of the LIST-STATUS extension by default, see https://projects.flaska.net/issues/627

Comment 3 Michal Hlavinka 2013-06-04 16:25:11 UTC
I tried to reproduce this with similar dovecot configuration, mailbox with several folders and subfolders, but it did not crash.

Could you please replace dovecot with these packages (optimization turned off for better debuginfo):
http://koji.fedoraproject.org/koji/taskinfo?taskID=5466475

Make it crash and attach bziped core file? You can place it somewhere and send me email with a link if the file is still too big.

Thanks

Comment 4 Guido Berhoerster 2013-06-04 18:40:44 UTC
Created attachment 756913 [details]
coredump

OK, here is a coredump from the provided dovecot test version.

Comment 5 Michal Hlavinka 2013-06-06 12:00:00 UTC
I'm still not able to reproduce this, but these packages should fix this issue:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5475210
Please test them and let me know the result. If it fails again, attach new core file. Thanks

Comment 6 Guido Berhoerster 2013-06-06 12:47:23 UTC
That fixes the crash, the response looks a bit weird though (the "NO [CANNOT] Invalid mailbox name" response):

a2 LIST "" "Lists/%"
* LIST (\HasChildren) "/" "Lists/"
* LIST (\HasNoChildren) "/" "Lists/Test"
a2 OK List completed.
a3 LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))
* LIST (\HasChildren) "/" "Lists/"
* NO [CANNOT] Invalid mailbox name
* LIST (\HasNoChildren) "/" "Lists/Test"
* STATUS "Lists/Test" (MESSAGES 1 RECENT 1 UNSEEN 0)
a3 OK List completed.

Comment 7 Michal Hlavinka 2013-06-10 09:38:51 UTC
Thanks for testing. New test packages should have this problem fixed. Please confirm.
http://koji.fedoraproject.org/koji/taskinfo?taskID=5486468

Comment 8 Guido Berhoerster 2013-06-10 12:35:00 UTC
The response looks good to me now:

a2 LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))
* LIST (\HasChildren) "/" "Lists/"
* STATUS "Lists/" (MESSAGES 1 RECENT 1 UNSEEN 0)
* LIST (\HasNoChildren) "/" "Lists/Test"
* STATUS "Lists/Test" (MESSAGES 1 RECENT 1 UNSEEN 0)
a2 OK List completed.

Comment 13 errata-xmlrpc 2015-07-22 06:57:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1348.html