Bug 118669 - CAN-2004-0182 DoS: qrunner fails if no Subject field in message header
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: mailman
Version: 2.1
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: John Dennis
Keywords: Security
Reported: 2004-03-18 14:08 EST by Matthew Saltzman
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2004-04-14 09:54:32 EDT

Description Matthew Saltzman 2004-03-18 14:08:48 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040211 Firefox/0.8

Description of problem:
When attempting to parse a message with no Subject header, qrunner
fails and logs the following error in /var/log/mailman/error.  This
failure allows a maliciously or accidentally malformed message to
initiate a DoS attack, as the queue backs up until the offending
message is removed.

Mar 18 13:02:00 2004 qrunner(16106): Traceback (innermost last):
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 283, in ?
Mar 18 13:02:00 2004 qrunner(16106):      kids = main(lock)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 253, in main
Mar 18 13:02:00 2004 qrunner(16106):      keepqueued = dispose_message(mlist, msg, msgdata)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/cron/qrunner", line 157, in dispose_message
Mar 18 13:02:00 2004 qrunner(16106):      mlist.ParseMailCommands(msg)
Mar 18 13:02:00 2004 qrunner(16106):   File "/var/mailman/Mailman/MailCommandHandler.py", line 163, in ParseMailCommands
Mar 18 13:02:00 2004 qrunner(16106):      splitsubj = string.split(subject)
Mar 18 13:02:00 2004 qrunner(16106): TypeError :  argument 1: expected read-only character buffer, None found


Version-Release number of selected component (if applicable):
mailman-2.0.13-5

How reproducible:
Always

Steps to Reproduce:
1. Submit a message with no Subject header to a mailing list.
2. tail -f /var/log/mailman/error.
3. Watch the fireworks.
    

Actual Results:  qrunner fails to handle the broken message and any
that follow it.

Expected Results:  qrunner should ignore the broken header and process
the message

Additional info:

I made the following change to
/var/mailman/Mailman/MailCommandHandler.py, which at least allows
qrunner to run without failing.  It looks like the offending messages
are simply dropped, though, and not passed to their intended lists.

[mjs@www Mailman]$ diff MailCommandHandler.py MailCommandHandler.py.bak
163c163
<             splitsubj = string.split(subject)
---
>         splitsubj = string.split(subject)
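
Review bot: the operands are in the wrong order for the single changed line (`163c163`): the edited MailCommandHandler.py is given first and MailCommandHandler.py.bak second, so the `<` line is the new code and the change reads as removing a level of indentation. Regenerate it as `diff -u MailCommandHandler.py.bak MailCommandHandler.py`; the unified context would also show the statement that `splitsubj = string.split(subject)` is now nested under, which this hunk omits, so it cannot be checked from these lines whether a None subject only skips the split or causes the whole message to be skipped, as the note above the diff suspects.
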
Comment 1 John Dennis 2004-03-31 19:01:14 EST
This has already been fixed in the following errata: RHSA-2004:019-04
Comment 2 John Dennis 2004-03-31 19:02:43 EST

*** This bug has been marked as a duplicate of 113472 ***
Comment 3 Matthew Saltzman 2004-03-31 21:41:27 EST
This probably is a dup of 113472, but I don't think that patch quite
fixes the problem.  Note that *this* bug is filed against
mailman-2.0.13-5, the errata package referred to in 113472.  So I'm
seeing the behavior with the errata patch in place.  In fact, my patch
patches that patch.

I'm reopening this because I can't reopen that one.
Comment 4 John Dennis 2004-04-01 10:43:26 EST
Thank you Matthew, I did not realize this was being filed against the
errata fix, my apologies. Just a nit, but your patch confused me a
little at first because it looks like you removed one level of
indentation when one level of indentation should have been added, then
I realized the order of files given to diff was backwards, right?

I'll make the fix and issue a new errata, thank you for catching this.
Comment 5 Matthew Saltzman 2004-04-01 11:02:03 EST
Sorry about the confusion--I'm not used to submitting patches.  Yes,
the indentation on that line is increased one level.

Thanks.
Comment 6 John Dennis 2004-04-01 13:06:18 EST
errata RHSA-2004:156-02 created for mailman-2.0.13-6.

Thank you Matthew.
Comment 7 Mark J. Cox (Product Security) 2004-04-02 04:14:55 EST
Reopening as modified until such point as the errata is pushed.
Comment 8 Mark J. Cox (Product Security) 2004-04-02 04:16:17 EST
Allocating CAN-2004-0182 for this issue
Comment 9 Mark J. Cox (Product Security) 2004-04-14 09:54:32 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-156.html
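
The failure mode reported in this bug, reproduced as an added example (not Mailman's code and not part of the original report): in modern Python a missing Subject header also yields None, the split raises TypeError, and a runner that does not isolate the failure leaves that message and everything behind it queued. The function names and the sample messages are constructed for illustration.

```python
import email

# Constructed sample queue: the second message has no Subject header.
RAW_QUEUE = [
    "From: a@example.org\nSubject: help\n\nbody\n",
    "From: b@example.org\n\nsubscribe\n",
    "From: c@example.org\nSubject: who\n\nbody\n",
]

def commands_unguarded(msg):
    # Same shape as the failing call in the traceback: the header lookup
    # returns None when Subject is absent, and split() rejects None.
    subject = msg["Subject"]
    body = msg.get_payload().splitlines()
    return [str.split(subject)] + [l.split() for l in body if l.strip()]

def commands_guarded(msg):
    # Treat a missing Subject as empty and keep processing the body,
    # which is the "expected result" stated in the report.
    subject = msg["Subject"] or ""
    lines = [subject] + msg.get_payload().splitlines()
    return [l.split() for l in lines if l.strip()]

def run_queue(raw_queue, parse, isolate_failures):
    """Process messages in order; return (processed, shunted, stuck)."""
    processed, shunted = [], []
    for i, raw in enumerate(raw_queue):
        msg = email.message_from_string(raw)
        try:
            processed.append((i, parse(msg)))
        except Exception as exc:
            if not isolate_failures:
                # The runner dies here: this message and every later one
                # stay queued until someone removes the offender by hand.
                return processed, shunted, list(range(i, len(raw_queue)))
            # Defence in depth: set the bad message aside and continue.
            shunted.append((i, type(exc).__name__))
    return processed, shunted, []

if __name__ == "__main__":
    print("unguarded, no isolation:", run_queue(RAW_QUEUE, commands_unguarded, False))
    print("unguarded, isolation:   ", run_queue(RAW_QUEUE, commands_unguarded, True))
    print("guarded parser:         ", run_queue(RAW_QUEUE, commands_guarded, False))
```

Isolating failures keeps the queue moving but still loses the malformed message's commands; only the guarded parser both survives the input and processes it.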
