Bug 118669 - CAN-2004-0182 DoS: qrunner fails if no Subject field in message header
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: mailman
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
Keywords: Security
Reported: 2004-03-18 14:08 EST by Matthew Saltzman
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2004-04-14 09:54:32 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:156 normal SHIPPED_LIVE Important: mailman security update 2004-04-14 00:00:00 EDT

Description Matthew Saltzman 2004-03-18 14:08:48 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040211 Firefox/0.8

Description of problem:
When attempting to parse a message with no Subject header, qrunner
fails and logs the following error in /var/log/mailman/error.  This
failure allows a maliciously or accidentally malformed message to
initiate a DoS attack, as the queue backs up until the offending
message is removed.

Mar 18 13:02:00 2004 qrunner(16106): Traceback (innermost last):
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 283, in ?
Mar 18 13:02:00 2004 qrunner(16106):      kids = main(lock)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 253, in main
Mar 18 13:02:00 2004 qrunner(16106):      keepqueued = dispose_message(mlist, msg, msgdata)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 157, in dispose_message
Mar 18 13:02:00 2004 qrunner(16106):      mlist.ParseMailCommands(msg)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/Mailman/MailCommandHandler.py", line 163, in
Mar 18 13:02:00 2004 qrunner(16106):      splitsubj =
Mar 18 13:02:00 2004 qrunner(16106): TypeError :  argument 1: expected read-only character buffer, None found

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Submit a message with no Subject header to a mailing list.
2. tail -f /var/log/mailman/error.
3. Watch the fireworks.

Actual Results:  qrunner fails to handle the broken message and any
that follow it.

Expected Results:  qrunner should ignore the broken header and process
the message

Additional info:

I made the following change to
/var/mailman/Mailman/MailCommandHandler.py, which at least allows
qrunner to run without failing.  It looks like the offending messages
are simply dropped, though, and not passed to their intended lists.

[mjs@www Mailman]$ diff MailCommandHandler.py MailCommandHandler.py.bak
<             splitsubj = string.split(subject)
>         splitsubj = string.split(subject)
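Review bot: The operands are reversed and the hunk has no header or context, so the `<` line (the patched file) and the `>` line (the `.bak` original) read as if indentation were being removed from `splitsubj = string.split(subject)`. Regenerating it as `diff -u MailCommandHandler.py.bak MailCommandHandler.py` would show the line number and the enclosing statement; as posted, it is not visible which condition now guards the split or what happens when the subject is None, which matters given the note above that the offending messages appear to be dropped rather than passed to their lists.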
Comment 1 John Dennis 2004-03-31 19:01:14 EST
This has already been fixed in the following errata: RHSA-2004:019-04.
Comment 2 John Dennis 2004-03-31 19:02:43 EST

*** This bug has been marked as a duplicate of 113472 ***
Comment 3 Matthew Saltzman 2004-03-31 21:41:27 EST
This probably is a dup of 113472, but I don't think that patch quite
fixes the problem.  Note that *this* bug is filed against
mailman-2.0.13-5, the errata package referred to in 113472.  So I'm
seeing the behavior with the errata patch in place.  In fact, my patch
patches that patch.

I'm reopening this because I can't reopen that one.
Comment 4 John Dennis 2004-04-01 10:43:26 EST
Thank you Matthew, I did not realize this was being filed against the
errata fix, my apologies. Just a nit, but your patch confused me a
little at first because it looks like you removed one level of
indentation when one level of indentation should have been added, then
I realized the order of files given to diff was backwards, right?

I'll make the fix and issue a new errata, thank you for catching this.
Comment 5 Matthew Saltzman 2004-04-01 11:02:03 EST
Sorry about the confusion--I'm not used to submitting patches.  Yes,
the indentation on that line is increased one level.

Comment 6 John Dennis 2004-04-01 13:06:18 EST
errata RHSA-2004:156-02 created for mailman-2.0.13-6.

Thank you Matthew.
Comment 7 Mark J. Cox 2004-04-02 04:14:55 EST
Reopening as modified until such point as the errata is pushed.
Comment 8 Mark J. Cox 2004-04-02 04:16:17 EST
Allocating CAN-2004-0182 for this issue
Comment 9 Mark J. Cox 2004-04-14 09:54:32 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.
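
The failure mode reported in the description (a missing Subject header turning into an unhandled TypeError that stalls the queue) is sketched below as an added example; it is not part of the original report and is not Mailman's code. The function names, the sample messages and the set-aside strategy are assumptions made for illustration, written for Python 3.

```python
import email
from email.message import Message

# Constructed sample queue: the second message has no Subject header.
RAW_QUEUE = [
    "From: a@example.com\nSubject: subscribe\n\nbody\n",
    "From: b@example.com\n\nno subject header here\n",
    "From: c@example.com\nSubject: help\n\nbody\n",
]

def parse_command_fragile(msg: Message) -> list:
    # Same shape as the failing call: the header lookup returns None when
    # Subject is absent, and splitting None raises TypeError.
    subject = msg["Subject"]
    return str.split(subject)

def parse_command_guarded(msg: Message) -> list:
    # Treat a missing Subject as empty so the message is still processed.
    subject = msg.get("Subject") or ""
    return str(subject).split()

def run_queue(raw_messages, parse, isolate_failures):
    """Process messages in order; return (processed, set_aside, still_queued)."""
    processed, set_aside = [], []
    pending = list(raw_messages)
    while pending:
        msg = email.message_from_string(pending[0])
        try:
            parse(msg)
        except Exception:
            if not isolate_failures:
                # The runner stops with the bad message still at the head:
                # every later message stays queued until it is removed.
                return processed, set_aside, pending
            set_aside.append(pending.pop(0))  # kept for inspection, queue moves on
            continue
        processed.append(pending.pop(0))
    return processed, set_aside, pending

def summarize(parse, isolate_failures):
    done, aside, stuck = run_queue(RAW_QUEUE, parse, isolate_failures)
    return len(done), len(aside), len(stuck)

if __name__ == "__main__":
    print("fragile, no isolation:", summarize(parse_command_fragile, False))
    print("fragile, isolation   :", summarize(parse_command_fragile, True))
    print("guarded              :", summarize(parse_command_guarded, False))
```

The three runs separate two defences: guarding the header lookup lets the message through, while per-message exception isolation keeps one bad message from blocking the ones behind it even when a parser bug remains.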

