Bug 917669 - Please update to Mail::Box::Parser::C 3.007 to fix bug: parses messages with long header lines (>1023 characters) improperly
Summary: Please update to Mail::Box::Parser::C 3.007 to fix bug: parses messages with ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Mail-Box-Parser-C
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-04 13:57 UTC by Jonathan Kamens
Modified: 2013-03-20 21:48 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-16 01:41:26 UTC
Type: Bug


Attachments (Terms of Use)
patch to fix bug (1.58 KB, patch)
2013-03-04 13:57 UTC, Jonathan Kamens
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
CPAN 83749 0 None None None Never

Description Jonathan Kamens 2013-03-04 13:57:21 UTC
Created attachment 704992 [details]
patch to fix bug

Header lines longer than 1023 characters cause Mail::Box::Parser::C to parse the header improperly and corrupt the message.

Yes, I realize that nothing is supposed to generate header lines that long, and yet, there are things that do, and "Be generous in what you accept" dictates that this could should do its best to parse them successfully.

The attached patch implements a dynamic buffer for reading message lines, which is reallocated as needed to make enough space for the longest line in the mailbox, and freed when the mailbox is freed.

I considered putting an upper limit on the line length to prevent memory exhaustion DoS attacks against the application running the code, but I decided not to because there is no length check on folded header lines in the existing code, which means the DoS potential is already there.

I hope you will consider including this patch in Fedora whether or not the maintainer of the CPAN package releases a new version with it (I've submitted the patch to him as https://rt.cpan.org/Ticket/Display.html?id=83749). The CPAN package hasn't been modified since 2004 so there's no way of knowing whether the maintainer will fix this issue promptly.

Comment 1 Jonathan Kamens 2013-03-04 15:57:06 UTC
Actually, hold that thought. The developer is active and planning on releasing a version with a variant of my fix, and my fix has a bug in it :-), so please just consider this bug report a request to take the new version when it comes out.

Comment 2 Jonathan Kamens 2013-03-04 21:58:02 UTC
3.007 was just released. Please upgrade.

Comment 3 Fedora Update System 2013-03-05 16:17:39 UTC
perl-Mail-Box-Parser-C-3.007-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-Mail-Box-Parser-C-3.007-1.fc17

Comment 4 Fedora Update System 2013-03-05 16:17:54 UTC
perl-Mail-Box-Parser-C-3.007-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/perl-Mail-Box-Parser-C-3.007-1.fc18

Comment 5 Jonathan Kamens 2013-03-05 16:24:07 UTC
Awesome, thanks. @dag, now it's your turn to do the same in Repoforge :-)

Comment 6 Fedora Update System 2013-03-05 23:26:15 UTC
Package perl-Mail-Box-Parser-C-3.007-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-Mail-Box-Parser-C-3.007-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3455/perl-Mail-Box-Parser-C-3.007-1.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-03-16 01:41:27 UTC
perl-Mail-Box-Parser-C-3.007-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-03-20 21:48:26 UTC
perl-Mail-Box-Parser-C-3.007-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.