Bug 961466 - dovecot imap crashes when using LIST command with LIST-STATUS extension
Summary: dovecot imap crashes when using LIST command with LIST-STATUS extension
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dovecot
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Michal Hlavinka
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-09 16:42 UTC by Guido Berhoerster
Modified: 2015-07-22 06:57 UTC (History)
5 users (show)

Fixed In Version: dovecot-2.0.9-17.el6
Doc Type: Bug Fix
Doc Text:
When the LIST-STATUS extension was used with certain hierarchy separator symbols, dovecot in some cases terminated unexpectedly. Consequently, the user was unable to list the contents of their e-mail folder. This update fixes the code for traversing folders, and using LIST-STATUS no longer causes dovecot to crash.
Clone Of:
Environment:
Last Closed: 2015-07-22 06:57:11 UTC


Attachments (Terms of Use)
backtrace (6.13 KB, text/plain)
2013-05-09 16:42 UTC, Guido Berhoerster
no flags Details
dovecot -n output (3.10 KB, text/plain)
2013-05-09 16:43 UTC, Guido Berhoerster
no flags Details
coredump (65.47 KB, application/x-tar)
2013-06-04 18:40 UTC, Guido Berhoerster
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1348 normal SHIPPED_LIVE dovecot bug fix and enhancement update 2015-07-20 17:59:48 UTC

Description Guido Berhoerster 2013-05-09 16:42:40 UTC
Created attachment 745730 [details]
backtrace

Calling the LIST command using the LIST-STATUS extension (RFC 5819) on a mailbox with sub-mailboxes crashes the dovecot imap process on an assertion failure. I can reproduce this reliably on any of my mailboxes which contain sub-mailboxes (e.g. Lists/ here) by issuing the following command:

LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))

The logs show the following:

May  9 18:12:05 multivac dovecot: imap(XXX): Panic: file mailbox-list-fs.c: line 150 (fs_list_get_path): assertion failed: (mailbox_list_is_valid_pattern(_list, name))
May  9 18:12:05 multivac dovecot: imap(XXX): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0() [0x323a23ca6a] -> /usr/lib64/dovecot/libdovecot.so.0() [0x323a23cab6] -> /usr/lib64/dovecot/libdovecot.so.0() [0x323a216dba] -> /usr/lib64/dovecot/libdovecot-storage.so.0() [0x323a63bca7] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_mailbox_alloc+0x13c) [0x323a64d90c] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mdbox_mailbox_alloc+0x9a) [0x323a676bca] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_alloc+0x5d) [0x323a63061d] -> dovecot/imap(imap_status_get+0xe1) [0x4167b1] -> dovecot/imap() [0x40b5b0] -> dovecot/imap(cmd_list_full+0x426) [0x40c246] -> dovecot/imap() [0x40f8cd] -> dovecot/imap() [0x40f9ba] -> dovecot/imap(client_handle_input+0x135) [0x40fbe5] -> dovecot/imap(client_input+0x5f) [0x41050f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x48) [0x323a247e08] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x9f) [0x323a248d7f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x28) [0x323a247d98] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x323a236203] -> dovecot/imap(main+0x2f9) [0x418809] -> /lib64/libc.so.6(__libc_start_main+0xfd) [0x3d2001ecdd] -> dovecot/imap() [0x408229]
May  9 18:12:05 multivac dovecot: master: Error: service(imap): child 10060 killed with signal 6 (core dumped)

This happens with dovecot-2.0.9-5.el6.x86_64, doveconf -n output and a backtrace are attached.

Comment 1 Guido Berhoerster 2013-05-09 16:43:15 UTC
Created attachment 745731 [details]
dovecot -n output

Comment 2 Guido Berhoerster 2013-05-09 16:44:50 UTC
FYI, this can be easily reproduced by using the Trojitá mail client which makes use of the LIST-STATUS extension by default, see https://projects.flaska.net/issues/627

Comment 3 Michal Hlavinka 2013-06-04 16:25:11 UTC
I tried to reproduce this with similar dovecot configuration, mailbox with several folders and subfolders, but it did not crash.

Could you please replace dovecot with these packages (optimization turned off for better debuginfo):
http://koji.fedoraproject.org/koji/taskinfo?taskID=5466475

Make it crash and attach bziped core file? You can place it somewhere and send me email with a link if the file is still too big.

Thanks

Comment 4 Guido Berhoerster 2013-06-04 18:40:44 UTC
Created attachment 756913 [details]
coredump

OK, here is a coredump from the provided dovecot test version.

Comment 5 Michal Hlavinka 2013-06-06 12:00:00 UTC
I'm still not able to reproduce this, but these packages should fix this issue:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5475210
Please test them and let me know the result. If it fails again, attach new core file. Thanks

Comment 6 Guido Berhoerster 2013-06-06 12:47:23 UTC
That fixes the crash, the response looks a bit weird though (the "NO [CANNOT] Invalid mailbox name" response):

a2 LIST "" "Lists/%"
* LIST (\HasChildren) "/" "Lists/"
* LIST (\HasNoChildren) "/" "Lists/Test"
a2 OK List completed.
a3 LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))
* LIST (\HasChildren) "/" "Lists/"
* NO [CANNOT] Invalid mailbox name
* LIST (\HasNoChildren) "/" "Lists/Test"
* STATUS "Lists/Test" (MESSAGES 1 RECENT 1 UNSEEN 0)
a3 OK List completed.

Comment 7 Michal Hlavinka 2013-06-10 09:38:51 UTC
Thanks for testing. New test packages should have this problem fixed. Please confirm.
http://koji.fedoraproject.org/koji/taskinfo?taskID=5486468

Comment 8 Guido Berhoerster 2013-06-10 12:35:00 UTC
The response looks good to me now:

a2 LIST "" "Lists/%" RETURN (SUBSCRIBED CHILDREN STATUS (MESSAGES UNSEEN RECENT))
* LIST (\HasChildren) "/" "Lists/"
* STATUS "Lists/" (MESSAGES 1 RECENT 1 UNSEEN 0)
* LIST (\HasNoChildren) "/" "Lists/Test"
* STATUS "Lists/Test" (MESSAGES 1 RECENT 1 UNSEEN 0)
a2 OK List completed.

Comment 13 errata-xmlrpc 2015-07-22 06:57:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1348.html


Note You need to log in before you can comment on or make changes to this bug.