Bug 449125 - Large X-UID mail headers in dovecot break clients
Summary: Large X-UID mail headers in dovecot break clients
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dovecot
Version: 4.6
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Michal Hlavinka
QA Contact:
URL:
Whiteboard:
Duplicates: 429100
Depends On:
Blocks:
Reported: 2008-05-30 16:27 UTC by Issue Tracker
Modified: 2018-10-27 14:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-05 14:38:16 UTC
Target Upstream Version:
Embargoed:



Description Issue Tracker 2008-05-30 16:27:51 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2008-05-30 16:27:53 UTC
Unassigning myself from this ticket as tomorrow is my last day at RH.

Below is the patch backported to RHEL4. AFAIK, X-UID headers aren't sent
as part of an email, they're added by the MDA. The workaround mentioned
in the initial problem description removes the X-UID and X-IMAPbase
entries from the mbox. In other words it fixes the problem after it has
already occurred. The patch below may prevent the invalid X-UID headers in
the first place, but we need to be able to reproduce the problem to confirm
this.

diff -urp dovecot-0.99.13/src/lib-index/mbox/mbox-index.c
dovecot-0.99.14/src/lib-index/mbox/mbox-index.c
--- dovecot-0.99.13/src/lib-index/mbox/mbox-index.c     2003-11-09
01:43:17.000000000 +1000
+++ dovecot-0.99.14/src/lib-index/mbox/mbox-index.c     2005-01-19
09:55:49.000000000 +1000
@@ -359,6 +359,11 @@ void mbox_header_cb(struct message_part 
                                        break;
                                ctx->uid = ctx->uid * 10 +
(hdr->value[i]-'0');
                        }
+                       if (ctx->uid >= ctx->index->header->next_uid) {
+                               /* unexpectedly large UID field.
+                                  don't allow it. */
+                               ctx->uid = 0;
+                       }
                } else if (strcasecmp(hdr->name, "X-Status") == 0) {
                        /* update message flags */
                        ctx->flags |= mbox_get_status_flags(hdr->value,
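
Review bot: The new bounds test runs only after the digit loop above it, and that loop ("ctx->uid = ctx->uid * 10 + (hdr->value[i]-'0')") has no overflow guard. If ctx->uid is a fixed-width integer (its type is not visible in this hunk), a long enough digit string can wrap to a value below next_uid and pass the added check. Suggest rejecting inside the loop as soon as the running value would reach next_uid, then breaking out, instead of comparing once at the end. The reset to 0 is also silent. A log line naming the mailbox and the rejected value would help confirm the fix against the report that could not be reproduced. The comment should also state that the check assumes header->next_uid is itself trustworthy.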


This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 146096

Comment 2 Issue Tracker 2008-05-30 16:27:54 UTC
I am going to escalate this to BZ with the patch mentioned so that
engineering might at least contemplate including it.

Note that this will be aligned with 4.8, which is likely the last RHEL4
release.  Without a concrete reproducer there is every chance this will be
rejected.


This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 146096

Comment 3 Martin Poole 2008-05-30 16:30:28 UTC
Apparently triggered by a header like

X-UID: 2632762697



Comment 4 Michal Hlavinka 2008-09-22 14:51:15 UTC
*** Bug 429100 has been marked as a duplicate of this bug. ***

Comment 5 RHEL Program Management 2008-10-31 16:50:01 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 10 Michal Hlavinka 2010-03-05 14:38:16 UTC
I'm sorry for not addressing the issue in RHEL-4. As dovecot
is not scheduled for update in RHEL-4.9, I'm closing that bugzilla WONTFIX. If
you are still experiencing the issue with RHEL-5, feel free to reopen it
against RHEL-5.

