Bug 44025 - elm buffer overflow on messages with long Message-ID header
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: elm
Version: 6.2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-06-09 12:33 UTC by Need Real Name
Modified: 2007-04-18 16:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-06-12 22:27:15 UTC
Embargoed:


Attachments
A spam mail I received with a long Message-ID string, with excess headers and body removed. (1.25 KB, text/plain)
2001-06-09 12:35 UTC, Need Real Name


Links
System: Red Hat Product Errata
ID: RHSA-2001:091
Private: 0
Priority: low
Status: SHIPPED_LIVE
Summary: New elm packages available for Red Hat Linux 5.2, 6.2, 7 and 7.1
Last Updated: 2001-07-03 04:00:00 UTC

Description Need Real Name 2001-06-09 12:33:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i586; Nav)

Description of problem:
Messages with a very long (probably non-compliant) Message-ID header cause
a buffer overflow in elm.  Part of this string overwrites the "date" field
in the message list with a longer string than normally appears there, which
causes the line to wrap and messes up the rest of this screen. I don't know
what other havoc it might cause.
I am attaching a pared-down version of one such message, with Received
fields and message body removed/replaced by placeholders.


How reproducible:
Always

Steps to Reproduce:
1. Save the attached file
2. Run elm -f filename
3. Look at the display.
	

Actual Results:  Message summary displays as:
     1   hnfR2-U3s.EG * June.Jamboree@pop. (21)   1st Streaming ShockWave
Casino
 !  


Expected Results:  The "hnfR2-U3s.EG" should have been "Jun 08". This also
prevents the line from wrapping.


Additional info:

Since it's a buffer overflow, it's a security issue. A message designed to
exploit the problem might be able to do all sorts of stuff. This message
might actually be intended to exploit a buffer overflow in handling the
Message-ID string on some mail-handling program, but does not appear to do
anything malicious when read in elm.
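
The symptom reported above, part of a long Message-ID showing up where the date belongs, is what an unchecked copy into adjacent fixed-size fields would produce. The following is an added example, not elm's code or the Red Hat fix: the struct, field sizes and function names are hypothetical and the input is constructed. It shows a bounded header copy that truncates and reports instead of overrunning the neighbouring field.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MSGID_LEN 32 /* constructed sizes, not elm's */
#define DATE_LEN 8

/* Hypothetical index record: an unchecked strcpy() into message_id
 * would run on into date, the symptom the report describes. */
struct header_rec {
    char message_id[MSGID_LEN];
    char date[DATE_LEN];
};

/* Bounded copy: always NUL-terminates, never writes past dst[dstsz - 1].
 * Returns 0 if src fit, 1 if it was truncated. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= dstsz;
    if (dstsz == 0) return 1;
    if (truncated) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Returns -1 if line is not a Message-ID header, else copy_field()'s result. */
static int store_message_id(struct header_rec *rec, const char *line)
{
    static const char name[] = "Message-ID:";
    if (strncasecmp(line, name, sizeof name - 1) != 0) return -1;
    line += sizeof name - 1;
    while (*line == ' ' || *line == '\t') line++;
    return copy_field(rec->message_id, sizeof rec->message_id, line);
}

/* Constructed input: a Message-ID with a 200-byte local part. */
static int demo_date_survives(void)
{
    struct header_rec rec;
    char line[256] = "Message-ID: <";
    memset(line + 13, 'A', 200);
    strcpy(line + 213, "@example.invalid>");
    copy_field(rec.date, sizeof rec.date, "Jun 08");
    return store_message_id(&rec, line) == 1 && strcmp(rec.date, "Jun 08") == 0
        && strlen(rec.message_id) == MSGID_LEN - 1;
}
int main(void) { printf("date intact: %d\n", demo_date_survives()); return 0; }
```

A caller can use the truncation return value to flag the message as malformed rather than silently displaying a clipped identifier.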

Comment 1 Need Real Name 2001-06-09 12:35:11 UTC
Created attachment 20692
A spam mail I received with a long Message-ID string, with excess headers and body removed.

Comment 2 Trond Eivind Glomsrød 2001-06-11 14:37:23 UTC
Reproduced...

Comment 3 Trond Eivind Glomsrød 2001-06-11 21:17:06 UTC
There is a version with fixes at http://people.redhat.com/teg/elm/ - could you
give it a try?

Comment 4 Need Real Name 2001-06-12 22:27:12 UTC
teg: that works.


Comment 5 Trond Eivind Glomsrød 2001-07-17 20:18:26 UTC
Released a couple of days ago.

