Bug 862578 (CVE-2012-4507) - CVE-2012-4507 [abrt] claws-mail-3.8.1-1.fc17: strchr: Process /usr/bin/claws-mail was killed by signal 11 (SIGSEGV)
Summary: CVE-2012-4507 [abrt] claws-mail-3.8.1-1.fc17: strchr: Process /usr/bin/claws-...
Alias: CVE-2012-4507
Product: Fedora
Classification: Fedora
Component: claws-mail
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:ede36842e171c1ad3b175c873da...
Depends On:
Reported: 2012-10-03 09:37 UTC by Jérôme Benoit
Modified: 2012-11-20 13:56 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-11-20 13:56:50 UTC
Type: ---

Attachments
File: core_backtrace (3.09 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: environ (3.02 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: backtrace (40.40 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: limits (1.29 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: cgroup (130 bytes, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: maps (74.07 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: dso_list (15.96 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: build_ids (6.13 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: var_log_messages (4.31 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
File: open_fds (1.10 KB, text/plain)
2012-10-03 09:38 UTC, Jérôme Benoit
Message that trigger the crash (extract with csplit) (28.95 KB, application/octet-stream)
2012-10-03 09:46 UTC, Jérôme Benoit
the patch only adds a NULL check (428 bytes, patch)
2012-10-03 16:20 UTC, Michael Schwendt

Description Jérôme Benoit 2012-10-03 09:37:57 UTC
Description of problem:
A specific mail in the user mbox file causes claws-mail to crash reliably.

Version-Release number of selected component:

Additional info:
libreport version: 2.0.14
abrt_version:   2.0.13
backtrace_rating: 4
cmdline:        claws-mail
crash_function: strchr
kernel:         3.5.4-2.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 strchr at ../sysdeps/x86_64/strchr.S:33
: #1 parse_parameters at procmime.c:1756
: #2 procmime_parse_content_disposition at procmime.c:1842
: #3 procmime_parse_mimepart at procmime.c:1967
: #4 procmime_parse_multipart at procmime.c:1566
: #5 procmime_parse_mimepart at procmime.c:1994
: #6 procmime_parse_message_rfc822 at procmime.c:1393
: #7 procmime_scan_file_with_offset at procmime.c:2058
: #8 procmime_scan_file_full at procmime.c:2071
: #9 procmime_scan_file at procmime.c:2078

Comment 1 Jérôme Benoit 2012-10-03 09:38:00 UTC
Created attachment 620707
File: core_backtrace

Comment 2 Jérôme Benoit 2012-10-03 09:38:02 UTC
Created attachment 620708
File: environ

Comment 3 Jérôme Benoit 2012-10-03 09:38:05 UTC
Created attachment 620709
File: backtrace

Comment 4 Jérôme Benoit 2012-10-03 09:38:07 UTC
Created attachment 620710
File: limits

Comment 5 Jérôme Benoit 2012-10-03 09:38:09 UTC
Created attachment 620711
File: cgroup

Comment 6 Jérôme Benoit 2012-10-03 09:38:13 UTC
Created attachment 620712
File: maps

Comment 7 Jérôme Benoit 2012-10-03 09:38:15 UTC
Created attachment 620713
File: dso_list

Comment 8 Jérôme Benoit 2012-10-03 09:38:17 UTC
Created attachment 620714
File: build_ids

Comment 9 Jérôme Benoit 2012-10-03 09:38:19 UTC
Created attachment 620715
File: var_log_messages

Comment 10 Jérôme Benoit 2012-10-03 09:38:21 UTC
Created attachment 620716
File: open_fds

Comment 11 Jérôme Benoit 2012-10-03 09:46:17 UTC
Created attachment 620717
Message that trigger the crash (extract with csplit)

To reproduce: 

$ cat x0008 > /var/spool/mail/${HOME}

Get new messages from the user mbox file.

Comment 12 Michael Schwendt 2012-10-03 16:18:59 UTC
Can reproduce. That's a security issue, btw, assuming that the message makes it into a mailbox unmodified. I here only copied it into a local folder.

It's a NULL-ptr crash afaics.

Comment 13 Michael Schwendt 2012-10-03 16:20:14 UTC
Created attachment 621012
the patch only adds a NULL check


Comment 14 Jérôme Benoit 2012-10-03 19:52:08 UTC
It's indeed a security issue. The charset variable content should pass checks that will guarantee it will not overflow during the processing, before the delivery to MH folder(s).

Thanks Michael for having done the bug report upstream before I found time to do so.
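
Added example, not the attached patch and not Claws Mail code: the bug class discussed in comments 12 to 14 is a MIME parameter parser reaching `strchr` with a NULL pointer, and the sketch below shows the defensive pattern of checking the input and every `strchr` result before it is reused. The function names and the `charset'language'text` value form are assumptions made for illustration; the page does not show the faulting line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Claws Mail code. Splits an extended parameter
 * value of the form  charset'language'text  in place.
 * Returns 0 on success, -1 if value is NULL or a delimiter is missing. */
static int split_extended_value(char *value, char **charset,
                                char **lang, char **text)
{
    char *q1, *q2;
    if (value == NULL)            /* strchr(NULL, c) would fault here */
        return -1;
    q1 = strchr(value, '\'');
    if (q1 == NULL)               /* never pass q1 + 1 on without this check */
        return -1;
    q2 = strchr(q1 + 1, '\'');
    if (q2 == NULL)
        return -1;
    *q1 = *q2 = '\0';
    *charset = value;
    *lang = q1 + 1;
    *text = q2 + 1;
    return 0;
}

/* Copies a constructed input (may be NULL) into a writable buffer, parses
 * it, and returns the charset through cs_out. Returns 0 or -1. */
static int try_parse(const char *input, char *cs_out, size_t cs_len)
{
    char buf[128];
    char *cs, *lang, *text;
    if (input != NULL)
        snprintf(buf, sizeof buf, "%s", input);
    if (split_extended_value(input ? buf : NULL, &cs, &lang, &text) != 0)
        return -1;
    snprintf(cs_out, cs_len, "%s", cs);
    return 0;
}

int main(void)
{
    /* Constructed inputs: well-formed, no quotes, one quote, NULL. */
    const char *samples[] = { "UTF-8'en'name.txt", "UTF-8", "a'b", NULL };
    char cs[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %d\n", samples[i] ? samples[i] : "(null)",
               try_parse(samples[i], cs, sizeof cs));
    return 0;
}
```

Malformed values are rejected with an error code instead of being passed further into the parser, so a single crafted message cannot take the mail client down at this step.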

Comment 15 Henri Salo 2012-10-09 11:48:59 UTC
Does this issue have a CVE identifier?

Comment 16 Michael Schwendt 2012-10-09 17:49:24 UTC
A CVE for a simple NULL-ptr dereference?

Comment 17 Jérôme Benoit 2012-10-09 17:50:59 UTC
No, I'm not familiar with the CVE declaration procedure. But this issue should indeed have a CVE-identifier.

Comment 18 Henri Salo 2012-10-09 17:56:51 UTC
Guide: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Example good request to public mailing-list oss-security: http://seclists.org/oss-sec/2011/q4/3

Please email me in case you want me to request it.

Comment 19 Jérôme Benoit 2012-10-10 10:31:10 UTC
CVE-id allocated: CVE-2012-4507.

More information here:


Comment 20 Michael Schwendt 2012-10-10 16:06:02 UTC
Thanks for volunteering!


Isn't it too extreme to track such a minor issue with a CVE id? There's only limited impact (and one can tell Claws Mail to not open/display a message automatically to prevent it from crashing). It's not much more dangerous compared with the user hitting an arbitrary other programming error in Claws Mail (or other applications) that crashes it suddenly. I would think differently if it were a vulnerability that could be exploited, e.g. as explained at http://cve.mitre.org/about/faqs.html#a2

Comment 21 Henri Salo 2012-10-10 17:31:32 UTC
A controllable null-pointer dereference is usually a bad enough situation to get a CVE identifier, as it breaks a security boundary.

Can a random person email and crash claws-mail? Does this need changing of default settings? Does this affect a lot of users or only a couple?

Since this is now assigned I don't think we should request a reject for CVE-2012-4507, as this issue in my opinion (by reading this page, not testing code) goes to the sector "security issue".

What I think we should do is:
1. Change priority and severity of this case accordingly
2. Add comment to changelog with CVE in the patch

Please contact me if you need help with this issue and I can try my best :)

Comment 22 Jérôme Benoit 2012-10-10 19:38:53 UTC
It affects all claws-mail users with no special configuration tunables set.
It happens not only when you want to view a message; it can happen before the delivery to MH folder(s) when the email content processing code does something (and in a MUA, the content processing code can be invoked very often: viewing, filtering).

Plus, NULL pointer dereferences have some exploit patterns (hard ones, but not impossible ones).

Comment 23 Fedora Update System 2012-10-22 22:34:32 UTC
claws-mail-3.8.1-3.fc18 has been submitted as an update for Fedora 18.

Comment 24 Fedora Update System 2012-10-22 22:34:43 UTC
claws-mail-3.8.1-3.fc17 has been submitted as an update for Fedora 17.

Comment 25 Fedora Update System 2012-10-22 22:34:57 UTC
claws-mail-3.8.1-3.fc16 has been submitted as an update for Fedora 16.

Comment 26 Fedora Update System 2012-10-23 06:44:45 UTC
Package claws-mail-3.8.1-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing claws-mail-3.8.1-3.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
