[16531] in bugtraq
Re: UW c-client library vulnerability
daemon@ATHENA.MIT.EDU (Jakub Bogusz)
Mon Sep 4 00:02:32 2000
Message-Id: <20000902224117.A26538@satan>
Date: Sat, 2 Sep 2000 22:41:17 +0200
Reply-To: Jakub Bogusz <qboosh@PRIORIS.MINI.PW.EDU.PL>
From: Jakub Bogusz <qboosh@PRIORIS.MINI.PW.EDU.PL>
X-To: Juhapekka Tolvanen <juhtolv@ST.JYU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000901195322.A26175@verso.st.jyu.fi>; from juhtolv@ST.JYU.FI
on Fri, Sep 01, 2000 at 07:53:22PM +0300
On Fri, Sep 01, 2000 at 07:53:22PM +0300, Juhapekka Tolvanen wrote:
> It seems, that c-client libraries by University of Washington have
> some bug(s), that makes some programs that depend upon those libraries
> go crazy. AFAIK affected programs include at least Pine (read "pain"),
> ipop3d and IMAPD. And those programs and libraries are commonly used in
> Unixes. I don't know, if any patch, fix, work-around etc. exist.
>
> * * *
>
> Problem was caused by my X-Keywords-header, that serves as so called spook line
> (Hello, NSA! :-) ):
>
> X-Keywords: kettutytvt, Sanna Sillanpdd, IKL, Jammu Siltavuori, ryssd, somali,
> lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex,
> satan, traitor, pedophile
[...]
> I've been fighting this problem all day too. Pine blows up when you try
> to save the INBOX back out with any changes. (I'm using fetchmail and
> plain vanilla mail spool files.) It was driving me nuts. Thanks for
> posting. (I saved a copy of my mailbox and will pick through it with a
> fine-tooth comb later.)

pine crashes with "header size inconsistant" during saving mailbox if any
message contains X-Keywords line split in 2 or more lines...

Your post (maybe processed by MTA) contained 2-line X-Keywords so my
pine crashed... and I could find why. (and had finally motivation to
configure Mutt ;))

X-Keywords is processed in 2 functions:

mail_filter() (in imap/src/c-client/mail.c) filters out X-Keywords line
and seems to handle multi-line keywords correctly

unix_parse() (in imap/src/osdep/unix/unix.c) probably doesn't handle
multi-line keywords

Different results (different header sizes) cause pine crash.

The same may apply to X-UID, X-Status and Status header (I haven't tested,
so I'm not sure).

imap uses the same c-client library, so the same condition may cause
imap crash.

--
Jakub Bogusz
http://prioris.mini.pw.edu.pl/~qboosh/
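
The mismatch described in the message above, as an added C illustration that is not part of the original post and is not c-client code: one pass removes a header field together with its folded continuation lines, the other removes only the first line, and the two computed header sizes diverge exactly when the field is folded. The names `filtered_size` and `sizes_agree` and the sample headers are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not c-client source. Returns the size of the header
 * block once every `name` field is removed. fold_aware != 0 also removes the
 * field's continuation lines (leading SP/HTAB); fold_aware == 0 removes only
 * the first line, as a parser unaware of folding would. */
size_t filtered_size(const char *hdr, const char *name, int fold_aware)
{
    size_t kept = 0, nlen = strlen(name);
    int dropping = 0;   /* currently inside a field that is being removed */

    for (const char *p = hdr; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) + 1 : strlen(p);

        if (*p == ' ' || *p == '\t') {
            /* continuation line: dropped only by the fold-aware pass */
            if (!(fold_aware && dropping))
                kept += len;
        } else {
            dropping = strncasecmp(p, name, nlen) == 0 && p[nlen] == ':';
            if (!dropping)
                kept += len;
        }
        p += len;
    }
    return kept;
}

/* Invariant: both passes must report the same size for the same header. */
int sizes_agree(const char *hdr, const char *name)
{
    return filtered_size(hdr, name, 1) == filtered_size(hdr, name, 0);
}

/* Constructed sample headers (not taken from the post). */
static const char ONE_LINE[] =
    "From: a@example.org\nX-Keywords: alpha, beta, gamma\nSubject: hi\n";
static const char FOLDED[] =
    "From: a@example.org\nX-Keywords: alpha, beta,\n gamma\nSubject: hi\n";

int main(void)
{
    printf("one line: agree=%d\n", sizes_agree(ONE_LINE, "X-Keywords"));
    printf("folded:   agree=%d\n", sizes_agree(FOLDED, "X-Keywords"));
    return 0;
}
```

Code that computes a header size in two places can check this invariant and refuse the write with an error instead of aborting when the two results differ.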