Bug 3821 - Potential security issue with libetpan code in mailmbox plugin
Summary: Potential security issue with libetpan code in mailmbox plugin
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/mailMBOX (show other bugs)
Version: other
Hardware: All All
Importance: P3 critical
Assignee: users
Reported: 2017-05-07 19:27 UTC by Perry E. Metzger
Modified: 2017-05-08 16:43 UTC (History)

Description Perry E. Metzger 2017-05-07 19:27:14 UTC
About a week ago, someone reported that fuzzing with AFL had found a
number of possible problems in libetpan's mime handling. See:

https://github.com/dinhviethoa/libetpan/issues/274
and
https://github.com/rwhitworth/libetpan-fuzz/

for details.

It is probably worth fixing these internally to the project if the
libetpan maintainer doesn't fix them quickly himself, since remotely
exploitable bugs are a potentially significant issue for users.
Comment 1 Andrej Kacian 2017-05-07 23:18:15 UTC
At first, I wanted to close this, since we do not use the parts of libetpan where the fuzzed segfaults happen (mailimf).

Then I noticed that our mailmbox plugin uses a very old copy of libetpan's mailimf code, which probably is a bad idea all by itself. We should probably do one of these:

1. update the src/plugins/mailmbox/mailimf* files from current libetpan (copying also any eventual fixes to the reported issues)
2. get rid of the local copy of mailimf code, link the plugin against libetpan and use mailimf functions provided by it directly
Comment 2 Perry E. Metzger 2017-05-08 00:32:16 UTC
There is now a patch associated with libetpan issue 274 by the way. It might be easy enough to apply to the legacy code for now.
Comment 3 users 2017-05-08 01:14:02 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2017-05-08 01:14:02.523175950 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=1b2aaf6c8aa1fabd8737c21c63ebfccaa39feaad
Merge: 2775715 0c02106
Author: Colin Leroy <colin@colino.net>
Date:   Mon May 8 01:14:02 2017 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=0c021062d1ba763d57f37777cfe2e2119d3264ef
Author: Andrej Kacian <ticho@claws-mail.org>
Date:   Mon May 8 01:09:53 2017 +0200

    Fix crash in mailimf_group_parse() in mailmbox plugin.
    
    Fix based on upstream fix:
    https://github.com/dinhviethoa/libetpan/commit/1fe8fb
    
    Fixes our bug #3821:
    Potential security issue with libetpan code in mailmbox plugin
Comment 4 Andrej Kacian 2017-05-08 01:15:00 UTC
Hoa has provided an even better fix, which I copied into our copy of mailimf.c. Thanks for the report!
Comment 5 Perry E. Metzger 2017-05-08 01:54:25 UTC
And thank you for the prompt fix! Does this merit a point release?
Comment 6 Andrej Kacian 2017-05-08 09:47:14 UTC
(In reply to comment #5)
> Does this merit a point release?

No, it doesn't. After further checks, we're only using two minor functions from the mailimf code, and their call graphs do not touch code affected by that fix.
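The reachability argument in comment 6 (the plugin calls only two mailimf functions, and their call graphs never reach the fixed function) is the check a practitioner wants to reproduce when deciding whether a vendored-library fix is security-relevant. Below is an added example, not part of this bug report or of the Claws Mail or libetpan code: a small Python call-graph walker run over constructed C sources embedded inline. The function names are placeholders that only resemble the mailimf API; the plugin function, its callees and the call structure are assumptions, not taken from the real src/plugins/mailmbox sources.

```python
import re
from collections import deque

# Constructed sample sources (NOT the real mailmbox plugin or libetpan).
# Names resemble the mailimf API but the bodies and call structure are
# placeholders chosen to illustrate the reachability check.
VENDORED_MAILIMF = r"""
int mailimf_group_parse(const char *msg, size_t len, size_t *idx) {
    return mailimf_mailbox_list_parse(msg, len, idx);
}
int mailimf_address_parse(const char *msg, size_t len, size_t *idx) {
    if (mailimf_mailbox_parse(msg, len, idx) == 0) return 0;
    return mailimf_group_parse(msg, len, idx);
}
int mailimf_mailbox_parse(const char *msg, size_t len, size_t *idx) { return 1; }
int mailimf_mailbox_list_parse(const char *msg, size_t len, size_t *idx) { return 1; }
int mailimf_fws_parse(const char *msg, size_t len, size_t *idx) { return 1; }
int mailimf_ignore_field_parse(const char *msg, size_t len, size_t *idx) {
    return mailimf_fws_parse(msg, len, idx);
}
"""

# Hypothetical plugin code that uses only two of the vendored functions.
PLUGIN = r"""
static int plugin_scan_header(const char *msg, size_t len) {
    size_t idx = 0;
    if (mailimf_ignore_field_parse(msg, len, &idx) != 0) return -1;
    return mailimf_fws_parse(msg, len, &idx);
}
"""

# Crude, regex-based C parsing: good enough for direct calls in plain C,
# blind to function pointers, macros and calls hidden in preprocessor logic.
DEF_RE = re.compile(r"^[ \t]*(?:[\w\*]+\s+)+\**(\w+)\s*\([^;{}]*\)\s*\{", re.M)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}


def _body(src, open_pos):
    """Return the text between the '{' at open_pos and its matching '}'."""
    depth = 0
    for i in range(open_pos, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_pos + 1:i]
    return src[open_pos + 1:]


def build_call_graph(*sources):
    """Map each defined function name to the set of names it calls directly."""
    graph = {}
    for src in sources:
        for m in DEF_RE.finditer(src):
            name = m.group(1)
            body = _body(src, m.end() - 1)
            callees = {c for c in CALL_RE.findall(body) if c not in C_KEYWORDS}
            graph.setdefault(name, set()).update(callees)
    return graph


def reachable(graph, entry):
    """Breadth-first walk: every function transitively called from entry."""
    seen, queue = set(), deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def reaches(graph, entry, target):
    return target in reachable(graph, entry)


def affected_entry_points(graph, entry_points, target):
    """Which of the given entry points can reach the fixed/affected function."""
    return sorted(e for e in entry_points if reaches(graph, e, target))


GRAPH = build_call_graph(VENDORED_MAILIMF, PLUGIN)

if __name__ == "__main__":
    for entry in ("plugin_scan_header", "mailimf_address_parse"):
        print(entry, "->", sorted(reachable(GRAPH, entry)))
    print("plugin reaches mailimf_group_parse:",
          reaches(GRAPH, "plugin_scan_header", "mailimf_group_parse"))
```

Fed the real plugin and vendored mailimf sources instead of the constructed strings, the same walk answers the question comment 6 answered by hand. Because the parser is regex-based it will miss calls through function pointers or macros, so a negative result is only as trustworthy as the code's use of direct calls; for a release decision, confirm it with a compiler-backed tool such as cflow or a clang-generated call graph.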
Comment 7 Perry E. Metzger 2017-05-08 16:43:23 UTC
Good to hear.

On the wider issue, as you noted, it would still be good to update the plugin not to use a local copy of libetpan.
