Red Hat Bugzilla – Bug 44025
elm buffer overflow on messages with long Message-ID header
Last modified: 2007-04-18 12:33:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i586; Nav)
Description of problem:
Messages with a very long (probably non-compliant) Message-ID header cause
a buffer overflow in elm. Part of this string overwrites the "date" field
in the message list with a longer string than normally appears there, which
causes the line to wrap and messes up the rest of this screen. I don't know
what other havoc it might cause.
I am attaching a pared-down version of one such message, with Received
fields and message body removed/replaced by placeholders.
Steps to Reproduce:
1. Save the attached file
2. Run elm -f filename
3. Look at the display.
Actual Results: Message summary displays as:
1 hnfR2-U3s.EG * June.Jamboree@pop. (21) 1st Streaming ShockWave
Expected Results: The "hnfR2-U3s.EG" should have been "Jun 08". This also
prevents the line from wrapping.
Since it's a buffer overflow, it's a security issue. A message designed to
exploit the problem might be able to do all sorts of stuff. This message
might actually be intended to exploit a buffer overflow in handling the
Message-ID string on some mail-handling program, but does not appear to do
anything malicious when read in elm.
Created attachment 20692
A spam mail I received with a long Message-ID string, with excess headers and body removed.
There is a version with fixes at http://people.redhat.com/teg/elm/ - could you
give it a try?
teg: that works.
Released a couple of days ago.
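
The symptom reported above, a long Message-ID value spilling into the "date" column, is what an unchecked copy into adjacent fixed-size fields produces. The following is an added example, not elm's code and not the fix published at the URL above: it sketches a bounded copy that keeps the neighbouring field intact and reports truncation. The struct layout, field sizes and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical summary record; names and sizes are assumptions, not elm's. */
#define MSGID_LEN 32
#define DATE_LEN  8

struct summary {
    char msgid[MSGID_LEN];
    char date[DATE_LEN];  /* adjacent field an unchecked copy would overwrite */
};

/* Copy a header value into a fixed-size field, always NUL-terminated.
   Returns 0 if the value fit, 1 if it had to be truncated. */
static int store_field(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    int truncated = (n >= dstlen);
    if (dstlen == 0)
        return 1;
    if (truncated)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Fill the record; the return value counts truncated fields so the caller
   can flag the message instead of silently displaying a clipped header. */
static int fill_summary(struct summary *s, const char *msgid, const char *date)
{
    int truncated;
    memset(s, 0, sizeof *s);
    truncated = store_field(s->date, sizeof s->date, date);
    truncated += store_field(s->msgid, sizeof s->msgid, msgid);
    return truncated;
}

int main(void)
{
    char long_id[200];  /* constructed input: Message-ID far longer than the field */
    struct summary s;
    int t;
    memset(long_id, 'A', sizeof long_id - 1);
    long_id[sizeof long_id - 1] = '\0';
    t = fill_summary(&s, long_id, "Jun 08");
    printf("date=\"%s\" truncated_fields=%d\n", s.date, t);
    return 0;
}
```

The date is stored before the Message-ID on purpose, so the check shows that the later, oversized copy cannot reach back into the field already written.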