Created attachment 704992
patch to fix bug
Header lines longer than 1023 characters cause Mail::Box::Parser::C to parse the header improperly and corrupt the message.
Yes, I realize that nothing is supposed to generate header lines that long, and yet, there are things that do, and "Be generous in what you accept" dictates that this code should do its best to parse them successfully.
The attached patch implements a dynamic buffer for reading message lines, which is reallocated as needed to make enough space for the longest line in the mailbox, and freed when the mailbox is freed.
I considered putting an upper limit on the line length to prevent memory exhaustion DoS attacks against the application running the code, but I decided not to because there is no length check on folded header lines in the existing code, which means the DoS potential is already there.
I hope you will consider including this patch in Fedora whether or not the maintainer of the CPAN package releases a new version with it (I've submitted the patch to him as https://rt.cpan.org/Ticket/Display.html?id=83749). The CPAN package hasn't been modified since 2004 so there's no way of knowing whether the maintainer will fix this issue promptly.
Actually, hold that thought. The developer is active and planning on releasing a version with a variant of my fix, and my fix has a bug in it :-), so please just consider this bug report a request to take the new version when it comes out.
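Added example, not part of the bug report and not the attached patch or the code released in 3.007: a C sketch of the approach the report describes, a line buffer that is reallocated as needed, here with the upper limit the reporter considered and decided against. The names `linebuf`, `read_line`, `sample`, `count_fixed` and `count_dynamic`, the 1024-byte starting size and the cap values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *buf; size_t size; } linebuf;    /* hypothetical type */

/* Read one whole line into lb, doubling the buffer as needed (assumes the
 * input contains no NUL bytes). Returns the line length, 0 at EOF, -1 on
 * allocation failure, -2 when the line does not fit in cap bytes. */
long read_line(FILE *fp, linebuf *lb, size_t cap)
{
    size_t len = 0;
    if (!lb->buf) {
        lb->size = 1024;
        if (!(lb->buf = malloc(lb->size))) return -1;
    }
    while (fgets(lb->buf + len, (int)(lb->size - len), fp)) {
        len += strlen(lb->buf + len);
        /* Buffer not full (EOF reached) or newline seen: the line is complete. */
        if (len + 1 < lb->size || lb->buf[len - 1] == '\n') break;
        if (lb->size >= cap) return -2;          /* cap reached: stop growing */
        size_t nsize = lb->size * 2 > cap ? cap : lb->size * 2;
        char *nbuf = realloc(lb->buf, nsize);
        if (!nbuf) return -1;
        lb->buf = nbuf;
        lb->size = nsize;
    }
    return (long)len;
}

/* Constructed sample: one header line with an n-byte value, then a short one. */
static FILE *sample(size_t n)
{
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fputs("X-Long: ", fp);
    while (n--) fputc('a', fp);
    fputs("\nSubject: hi\n", fp);
    rewind(fp);
    return fp;
}
/* Lines as a fixed 1024-byte buffer sees them: long lines arrive in pieces. */
int count_fixed(FILE *fp)
{ char b[1024]; int n = 0; while (fgets(b, sizeof b, fp)) n++; return n; }
/* Lines as read_line sees them, or its negative error code. */
int count_dynamic(FILE *fp, size_t cap)
{
    linebuf lb = {0}; long r; int n = 0;
    while ((r = read_line(fp, &lb, cap)) > 0) n++;
    free(lb.buf);
    return r < 0 ? (int)r : n;
}
int main(void)
{
    FILE *fp = sample(3000);
    if (!fp) return 1;
    printf("fixed: %d\n", count_fixed(fp)); rewind(fp);
    printf("dynamic: %d\n", count_dynamic(fp, 1u << 20)); fclose(fp);
    return 0;
}
```

A caller that gets -2 should treat the message as rejected rather than continue, because the rest of the oversized line is still unread in the stream.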
3.007 was just released. Please upgrade.
perl-Mail-Box-Parser-C-3.007-1.fc17 has been submitted as an update for Fedora 17.
perl-Mail-Box-Parser-C-3.007-1.fc18 has been submitted as an update for Fedora 18.
Awesome, thanks. @dag, now it's your turn to do the same in Repoforge :-)
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-Mail-Box-Parser-C-3.007-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
perl-Mail-Box-Parser-C-3.007-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
perl-Mail-Box-Parser-C-3.007-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.