Bug 44025 - elm buffer overflow on messages with long Message-ID header
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: elm
Version: 6.2
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Trond Eivind Glomsrød
QA Contact: David Lawrence
Keywords: Security

Reported: 2001-06-09 08:33 EDT by Need Real Name
Modified: 2007-04-18 12:33 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-06-12 18:27:15 EDT


Attachments:
A spam mail I received with a long Message-ID string, with excess headers and body removed. (1.25 KB, text/plain)
2001-06-09 08:35 EDT, Need Real Name

Description Need Real Name 2001-06-09 08:33:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i586; Nav)

Description of problem:
Messages with a very long (probably non-compliant) Message-ID header cause
a buffer overflow in elm.  Part of this string overwrites the "date" field
in the message list with a longer string than normally appears there, which
causes the line to wrap and messes up the rest of this screen. I don't know
what other havoc it might cause.
I am attaching a pared-down version of one such message, with Received
fields and message body removed/replaced by placeholders.


How reproducible:
Always

Steps to Reproduce:
1. Save the attached file
2. Run elm -f filename
3. Look at the display.
	

Actual Results:  Message summary displays as:
     1   hnfR2-U3s.EG * June.Jamboree@pop. (21)   1st Streaming ShockWave
Casino
 !  


Expected Results:  The "hnfR2-U3s.EG" should have been "Jun 08". This also
prevents the line from wrapping.


Additional info:

Since it's a buffer overflow, it's a security issue. A message designed to
exploit the problem might be able to do all sorts of stuff. This message
might actually be intended to exploit a buffer overflow in handling the
Message-ID string on some mail-handling program, but does not appear to do
anything malicious when read in elm.
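
The symptom in the description above (Message-ID text appearing where "Jun 08" belongs) is consistent with an unchecked copy into a fixed-size field that sits next to the date field. The following is an added example, not elm's source and not the fix referred to later in this report; the `summary` struct, its field sizes and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical summary record: field names and sizes are assumptions, not elm's. */
enum { ID_LEN = 32, DATE_LEN = 16 };
struct summary {
    char messageid[ID_LEN];
    char date[DATE_LEN];          /* list column, e.g. "Jun 08" */
};

/* Unchecked strcpy-style copy. It writes through a pointer to the whole record
 * so the spill into `date` stays inside the object; keep strlen(id) < sizeof *s. */
static void store_id_unchecked(struct summary *s, const char *id)
{
    char *dst = (char *)s;        /* messageid is the first member */
    while ((*dst++ = *id++) != '\0') { }
}

/* Bounded copy: truncates to the field and always NUL-terminates.
 * Returns 1 when the header was truncated, 0 otherwise. */
static int store_id_bounded(struct summary *s, const char *id)
{
    size_t n = strlen(id), max = sizeof s->messageid - 1;
    int truncated = n > max;
    if (truncated)
        n = max;
    memcpy(s->messageid, id, n);
    s->messageid[n] = '\0';
    return truncated;
}

/* Constructed Message-ID: longer than ID_LEN, shorter than the whole record. */
static const char LONG_ID[] = "<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>";
/* Stores LONG_ID with one routine; returns 1 if date still reads "Jun 08". */
static int date_survives(int bounded)
{
    struct summary s = { "", "Jun 08" };
    if (bounded)
        store_id_bounded(&s, LONG_ID);
    else
        store_id_unchecked(&s, LONG_ID);
    return strcmp(s.date, "Jun 08") == 0;
}

int main(void)
{
    printf("date intact: unchecked=%d bounded=%d\n", date_survives(0), date_survives(1));
    return 0;
}
```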
Comment 1 Need Real Name 2001-06-09 08:35:11 EDT
Created attachment 20692
A spam mail I received with a long Message-ID string, with excess headers and body removed.
Comment 2 Trond Eivind Glomsrød 2001-06-11 10:37:23 EDT
Reproduced...
Comment 3 Trond Eivind Glomsrød 2001-06-11 17:17:06 EDT
There is a version with fixes at http://people.redhat.com/teg/elm/ - could you
give it a try?
Comment 4 Need Real Name 2001-06-12 18:27:12 EDT
teg: that works.
Comment 5 Trond Eivind Glomsrød 2001-07-17 16:18:26 EDT
Released a couple of days ago.
