Bug 862578 - (CVE-2012-4507) CVE-2012-4507 [abrt] claws-mail-3.8.1-1.fc17: strchr: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
Product: Fedora
Classification: Fedora
Component: claws-mail
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-03 05:37 EDT by Jérôme Benoit
Modified: 2012-11-20 08:56 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-11-20 08:56:50 EST

Attachments
File: core_backtrace (3.09 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: environ (3.02 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: backtrace (40.40 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: limits (1.29 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: cgroup (130 bytes, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: maps (74.07 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: dso_list (15.96 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: build_ids (6.13 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: var_log_messages (4.31 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
File: open_fds (1.10 KB, text/plain), 2012-10-03 05:38 EDT, Jérôme Benoit
Message that triggers the crash (extracted with csplit) (28.95 KB, application/octet-stream), 2012-10-03 05:46 EDT, Jérôme Benoit
the patch only adds a NULL check (428 bytes, patch), 2012-10-03 12:20 EDT, Michael Schwendt

Description Jérôme Benoit 2012-10-03 05:37:57 EDT
Description of problem:
A specific mail in the user mbox file causes claws-mail to crash reliably.

Version-Release number of selected component:

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        claws-mail
crash_function: strchr
kernel:         3.5.4-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 strchr at ../sysdeps/x86_64/strchr.S:33
: #1 parse_parameters at procmime.c:1756
: #2 procmime_parse_content_disposition at procmime.c:1842
: #3 procmime_parse_mimepart at procmime.c:1967
: #4 procmime_parse_multipart at procmime.c:1566
: #5 procmime_parse_mimepart at procmime.c:1994
: #6 procmime_parse_message_rfc822 at procmime.c:1393
: #7 procmime_scan_file_with_offset at procmime.c:2058
: #8 procmime_scan_file_full at procmime.c:2071
: #9 procmime_scan_file at procmime.c:2078
Comment 1 Jérôme Benoit 2012-10-03 05:38:00 EDT
Created attachment 620707 [details]
File: core_backtrace
Comment 2 Jérôme Benoit 2012-10-03 05:38:02 EDT
Created attachment 620708 [details]
File: environ
Comment 3 Jérôme Benoit 2012-10-03 05:38:05 EDT
Created attachment 620709 [details]
File: backtrace
Comment 4 Jérôme Benoit 2012-10-03 05:38:07 EDT
Created attachment 620710 [details]
File: limits
Comment 5 Jérôme Benoit 2012-10-03 05:38:09 EDT
Created attachment 620711 [details]
File: cgroup
Comment 6 Jérôme Benoit 2012-10-03 05:38:13 EDT
Created attachment 620712 [details]
File: maps
Comment 7 Jérôme Benoit 2012-10-03 05:38:15 EDT
Created attachment 620713 [details]
File: dso_list
Comment 8 Jérôme Benoit 2012-10-03 05:38:17 EDT
Created attachment 620714 [details]
File: build_ids
Comment 9 Jérôme Benoit 2012-10-03 05:38:19 EDT
Created attachment 620715 [details]
File: var_log_messages
Comment 10 Jérôme Benoit 2012-10-03 05:38:21 EDT
Created attachment 620716 [details]
File: open_fds
Comment 11 Jérôme Benoit 2012-10-03 05:46:17 EDT
Created attachment 620717 [details]
Message that triggers the crash (extracted with csplit)

To reproduce: 

$ cat x0008 > /var/spool/mail/${USER}

Get new messages from the user mbox file.
Comment 12 Michael Schwendt 2012-10-03 12:18:59 EDT
Can reproduce. That's a security issue, btw, assuming that the message makes it into a mailbox unmodified. I here only copied it into a local folder.

It's a NULL-ptr crash afaics.
Comment 13 Michael Schwendt 2012-10-03 12:20:14 EDT
Created attachment 621012 [details]
the patch only adds a NULL check

Comment 14 Jérôme Benoit 2012-10-03 15:52:08 EDT
It's indeed a security issue. The charset variable content should pass checks that will guarantee it will not overflow during the processing, before the delivery to MH folder(s). 

Thanks Michael for having done the bug report upstream before I found time to do so.
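The backtrace above shows strchr called from parse_parameters during Content-Disposition parsing, the attached patch adds a NULL check, and the comment above ties it to the charset value. As an added example that is not claws-mail's code, here is a small C parser for the RFC 2231 "charset'language'value" form that checks every strchr result and field length before using it; the struct, the function name and the sample strings are constructed for this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example; not the claws-mail procmime API. */
struct ext_value {
    char charset[32];
    char language[32];
    const char *value;   /* points into the input, just after the second quote */
};

/* Split an RFC 2231 extended parameter value "charset'language'value".
 * Returns 0 on success, -1 if the input is NULL, a delimiter is missing or a
 * field does not fit. A naive q1 = strchr(s, '\''); q2 = strchr(q1 + 1, '\'');
 * sends strchr a NULL pointer when the first quote is absent, the crash
 * signature in the backtrace above; every strchr result is checked first. */
int split_rfc2231(const char *s, struct ext_value *out)
{
    const char *q1, *q2;
    size_t clen, llen;

    if (s == NULL || out == NULL)
        return -1;
    q1 = strchr(s, '\'');
    if (q1 == NULL)
        return -1;                       /* no charset delimiter */
    q2 = strchr(q1 + 1, '\'');
    if (q2 == NULL)
        return -1;                       /* no language delimiter */
    clen = (size_t)(q1 - s);
    llen = (size_t)(q2 - q1 - 1);
    if (clen >= sizeof out->charset || llen >= sizeof out->language)
        return -1;                       /* would overflow the fixed buffers */
    memcpy(out->charset, s, clen);
    out->charset[clen] = '\0';
    memcpy(out->language, q1 + 1, llen);
    out->language[llen] = '\0';
    out->value = q2 + 1;
    return 0;
}

int main(void)
{
    /* Constructed samples: one well-formed, two with missing delimiters. */
    const char *samples[] = { "UTF-8''na%C3%AFve.txt", "UTF-8", "UTF-8'en" };
    struct ext_value v;
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i],
               split_rfc2231(samples[i], &v) == 0 ? v.value : "rejected");
    return 0;
}
```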
Comment 15 Henri Salo 2012-10-09 07:48:59 EDT
Does this issue have CVE-identifier?
Comment 16 Michael Schwendt 2012-10-09 13:49:24 EDT
A CVE for a simple NULL-ptr dereference?
Comment 17 Jérôme Benoit 2012-10-09 13:50:59 EDT
No, I'm not familiar with the CVE declaration procedure. But this issue should indeed have a CVE-identifier.
Comment 18 Henri Salo 2012-10-09 13:56:51 EDT
Guide: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Example good request to public mailing-list oss-security: http://seclists.org/oss-sec/2011/q4/3

Please email me in case you want me to request it.
Comment 19 Jérôme Benoit 2012-10-10 06:31:10 EDT
CVE-id allocated: CVE-2012-4507.

More information here:

Comment 20 Michael Schwendt 2012-10-10 12:06:02 EDT
Thanks for volunteering!


Isn't it too extreme to track such a minor issue with a CVE id? There's only limited impact (and one can tell Claws Mail to not open/display a message automatically to prevent it from crashing). It's not much more dangerous compared with the user hitting an arbitrary other programming error in Claws Mail (or other applications) that crashes it suddenly. I would think differently if it were a vulnerability that could be exploited, e.g. as explained at http://cve.mitre.org/about/faqs.html#a2
Comment 21 Henri Salo 2012-10-10 13:31:32 EDT
A controllable null-pointer dereference is usually a bad enough situation to get a CVE-identifier as it breaks a security boundary.

Can a random person email and crash claws-mail? Does this need changing of default settings? Does this affect a lot of users or only a couple?

Since this is now assigned I don't think we should request a reject for CVE-2012-4507 as this issue in my opinion (by reading this page, not testing the code) goes into the "security issue" sector.

What I think we should do is:
1. Change the priority and severity of this case accordingly
2. Add a comment to the changelog with the CVE in the patch

Please contact me if you need help with this issue and I can try my best :)
Comment 22 Jérôme Benoit 2012-10-10 15:38:53 EDT
It affects all claws-mail users with no special configuration tunables set.
It happens not only when you want to view a message; it can happen before the delivery to MH folder(s) when the email content processing code does something (and in a MUA, the content processing code can be invoked very often: viewing, filtering).

Plus, NULL pointer dereferences have some exploit patterns (hard ones, but not impossible ones).
Comment 23 Fedora Update System 2012-10-22 18:34:32 EDT
claws-mail-3.8.1-3.fc18 has been submitted as an update for Fedora 18.
Comment 24 Fedora Update System 2012-10-22 18:34:43 EDT
claws-mail-3.8.1-3.fc17 has been submitted as an update for Fedora 17.
Comment 25 Fedora Update System 2012-10-22 18:34:57 EDT
claws-mail-3.8.1-3.fc16 has been submitted as an update for Fedora 16.
Comment 26 Fedora Update System 2012-10-23 02:44:45 EDT
Package claws-mail-3.8.1-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing claws-mail-3.8.1-3.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
