Description of problem: A specific mail in the user mbox file causes claws-mail to crash reliably.

Version-Release number of selected component: claws-mail-3.8.1-1.fc17

Additional info:
libreport version: 2.0.14
abrt_version: 2.0.13
backtrace_rating: 4
cmdline: claws-mail
crash_function: strchr
kernel: 3.5.4-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 strchr at ../sysdeps/x86_64/strchr.S:33
: #1 parse_parameters at procmime.c:1756
: #2 procmime_parse_content_disposition at procmime.c:1842
: #3 procmime_parse_mimepart at procmime.c:1967
: #4 procmime_parse_multipart at procmime.c:1566
: #5 procmime_parse_mimepart at procmime.c:1994
: #6 procmime_parse_message_rfc822 at procmime.c:1393
: #7 procmime_scan_file_with_offset at procmime.c:2058
: #8 procmime_scan_file_full at procmime.c:2071
: #9 procmime_scan_file at procmime.c:2078
Created attachment 620707 [details] File: core_backtrace
Created attachment 620708 [details] File: environ
Created attachment 620709 [details] File: backtrace
Created attachment 620710 [details] File: limits
Created attachment 620711 [details] File: cgroup
Created attachment 620712 [details] File: maps
Created attachment 620713 [details] File: dso_list
Created attachment 620714 [details] File: build_ids
Created attachment 620715 [details] File: var_log_messages
Created attachment 620716 [details] File: open_fds
Created attachment 620717 [details] Message that triggers the crash (extracted with csplit)

To reproduce:
$ cat x0008 > /var/spool/mail/${HOME}
Get new messages from the user mbox file.
Can reproduce. That's a security issue, btw, assuming that the message makes it into a mailbox unmodified. Here I only copied it into a local folder. It's a NULL-ptr crash afaics.
Created attachment 621012 [details] the patch only adds a NULL check http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743
It's indeed a security issue. The charset variable content should pass checks that guarantee it will not overflow during processing, before delivery to the MH folder(s). Thanks Michael for having done the bug report upstream before I found time to do so.
Does this issue have CVE-identifier?
A CVE for a simple NULL-ptr dereference?
No, I'm not familiar with the CVE declaration procedure. But this issue should indeed have a CVE-identifier.
Guide: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Example good request to public mailing-list oss-security: http://seclists.org/oss-sec/2011/q4/3
Please email me in case you want me to request it.
CVE id allocated: CVE-2012-4507. More information here:
http://seclists.org/oss-sec/2012/q4/41
http://seclists.org/oss-sec/2012/q4/45
Thanks for volunteering! [...] Isn't it too extreme to track such a minor issue with a CVE id? There's only limited impact (and one can tell Claws Mail to not open/display a message automatically to prevent it from crashing). It's not much more dangerous compared with the user hitting an arbitrary other programming error in Claws Mail (or other applications) that crashes it suddenly. I would think differently if it were a vulnerability that could be exploited, e.g. as explained at http://cve.mitre.org/about/faqs.html#a2
A controllable null-pointer dereference is usually a bad enough situation to get a CVE identifier, as it breaks a security boundary. Can a random person email and crash claws-mail? Does this need changing of default settings? Does this affect a lot of users or only a couple? Since this is now assigned I don't think we should request a reject for CVE-2012-4507, as this issue in my opinion (by reading this page, not testing code) goes into the "security issue" sector. What I think we should do is:
1. Change priority and severity of this case accordingly
2. Add a comment to the changelog with the CVE in the patch
Please contact me if you need help with this issue and I can try my best :)
It affects all claws-mail users with no special configuration tunables set. It happens not only when you want to view a message; it can happen before delivery to the MH folder(s) when the email content processing code does something (and in a MUA, the content processing code can be invoked very often: viewing, filtering). Plus, NULL pointer dereferences have some exploit patterns (hard ones, but not impossible ones).
claws-mail-3.8.1-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc18
claws-mail-3.8.1-3.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc17
claws-mail-3.8.1-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/claws-mail-3.8.1-3.fc16
Package claws-mail-3.8.1-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing claws-mail-3.8.1-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16689/claws-mail-3.8.1-3.fc18
then log in and leave karma (feedback).