[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug-mailutils] mailutils: mailbox/imap/folder.c:imap_writeline() can't
|
From: |
Daniel Kahn Gillmor |
|
Subject: |
[bug-mailutils] mailutils: mailbox/imap/folder.c:imap_writeline() can't successfully write lines that contain > 254 chars |
|
Date: |
Mon, 31 Oct 2005 01:40:48 -0500 |
Package: mailutils
Version: 1:0.6.90-3
Severity: normal
Tags: patch
When trying to movemail on an mbox file which contains lines that are
longer than 254 chars, i get errors like:
movemail: NO/Bad Tagged: NO Message contains NUL characters
Cannot append message 1: Invalid argument
i only get these errors when moving the mbox into an IMAP folder, not
when moving it to another mbox. The IMAP folder i'm testing against
is on a cyrus IMAPd v2.1.18 server.
When i remove the long lines from the mbox, the message moves through
into the IMAP folder successfully.
A bit of digging turned up a bad buffer length check within
imap_writeline() in mailbox/imap/folder.c, which is simply fixed with
the supplied patch. i don't think there are any security
implications.
This bug appears to be present in CVS version 1.78 (HEAD as of this
writing) of mailbox/imap/folder.c as well as in debian unstable. If i
build mailutils with this patch, movemail can transfer from mbox to
IMAP as expected.
The relevant section of man vsnprintf pertaining to this fix is:
[for the *nprintf() functions] ... a return value of size or more
means that the output was truncated.
--- mailbox/imap/folder.c.orig 2005-10-31 00:35:31.000000000 -0500
+++ mailbox/imap/folder.c 2005-10-31 00:30:08.000000000 -0500
@@ -2044,7 +2044,7 @@
do
{
len = vsnprintf (f_imap->buffer, f_imap->buflen - 1, format, ap);
- if (len < 0 || len >= (int)f_imap->buflen
+ if (len < 0 || len >= (int)(f_imap->buflen - 1)
|| !memchr (f_imap->buffer, '\0', len + 1))
{
f_imap->buflen *= 2;
For debian, placing this patchfile in debian/patches/ seems to make
the deb build correctly for me. Another way to fix this would be to
drop the "-1" from vsnprintf's size parameter. But i don't know
enough about how f_imap_t.buffer is used elsewhere to know if that's a
safe choice.
To reproduce the bug:
---------------------
To help reproduce the bug, i've attached:
- an example mbox file that was failing for me (fake0.mbox), and
- two brief strace outputs showing the network traffic between me and
the imap server:
- once using libmu_imap.so without the patch applied
(fake0.unpatched.trace), and
- once with the patch applied (fake0.patched.trace).
i started with an identical fake0.mbox for each strace.
The traces were gathered with something like the following:
strace -etrace=send,recv -s512 movemail
file://home/dkg/src/mailutils/testing/fake0.mbox
imap://address@hidden:9999/INBOX.ffff 2>../testing/fake0.patched.trace
Thanks for developing these tools.
--dkg
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages mailutils depends on:
ii guile-1.6-libs 1.6.7-1 Main Guile libraries
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libcomerr2 1.38-2 common error description library
ii libfribidi0 0.10.5-4 Free Implementation of the Unicode
ii libgcrypt11 1.2.1-4 LGPL Crypto library - runtime libr
ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime
ii libgnutls11 1.0.16-13.1 GNU TLS library - runtime library
ii libgpg-error0 1.1-4 library for common error values an
ii libgsasl7 0.2.5-1 GNU SASL library
ii libguile-ltdl-1 1.6.7-1 Guile's patched version of libtool
ii libidn11 0.5.18-1 GNU libidn library, implementation
ii libkrb53 1.3.6-5 MIT Kerberos runtime libraries
ii libmailutils0 1:0.6.90-3 GNU Mail abstraction library
ii libmysqlclient12 4.0.24-10sarge1 mysql database client library
ii libncurses5 5.4-9 Shared libraries for terminal hand
ii libpam0g 0.79-3 Pluggable Authentication Modules l
ii libqthreads-12 1.6.7-1 QuickThreads library for Guile
ii libreadline5 5.0-11 GNU readline and history libraries
ii libtasn1-2 0.2.13-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3-4 compression library - runtime
mailutils recommends no packages.
-- no debconf information
>From address@hidden Tue Sep 13 17:41:04 2005
X-VM-Bookmark: 4
X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]
["9" "Tuesday" "13" "September" "2005" "17:41:04" "-0400" "Daniel Kahn
Gillmor" "address@hidden" nil "1" "hello" "^From:" nil nil "9" nil nil (number
" " mark " Daniel Kahn Gillm Sep 13 1/9 " thread-indent
"\"hello\"\n") nil nil nil nil nil nil]
nil)
Return-Path: <address@hidden>
Delivered-To: address@hidden
Received: by whatever.example.net (Postfix, from userid 1002)
id 7CCED26EBB; Tue, 13 Sep 2005 17:41:04 -0400 (EDT)
Message-Id: <address@hidden>
From: address@hidden (Daniel Kahn Gillmor)
To: address@hidden
Subject: hello
Date: Tue, 13 Sep 2005 17:41:04 -0400 (EDT)
hi there
recv(4, "* OK ignatz Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1 server
ready\r\n", 8192, 0) = 67
send(4, "g0 CAPABILITY\r\n", 15, 0) = 15
recv(4, "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=DIGEST-MD5
AUTH=CRAM-MD5 ANNOTATEMORE\r\ng0 OK Completed\r\n", 8192, 0) = 255
send(4, "g1 LOGIN \"dkg\" \"XXXXXXXXXX\"\r\n", 29, 0) = 29
recv(4, "g1 OK User logged in\r\n", 8192, 0) = 22
send(4, "g2 LIST \"\" \"INBOX.ffff\"\r\n", 25, 0) = 25
recv(4, "* LIST (\\HasNoChildren) \".\" \"INBOX.ffff\"\r\ng2 OK Completed
(0.000 secs 2 calls)\r\n", 8192, 0) = 80
send(4, "g3 APPEND INBOX.ffff () {760}\r\n", 31, 0) = 31
recv(4, "+ go ahead\r\n", 8192, 0) = 12
send(4, "X-VM-Bookmark: 4\r\n", 18, 0) = 18
send(4, "X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]\r\n", 54, 0) = 54
send(4, "\t[\"9\" \"Tuesday\" \"13\" \"September\" \"2005\" \"17:41:04\"
\"-0400\" \"Daniel Kahn Gillmor\" \"address@hidden" nil \"1\" \"hello\"
\"^From:\" nil nil \"9\" nil nil (number \" \" mark \" Daniel Kahn Gillm
Sep 13 1/9 \" thread-indent \"\\\"hello\\\"\\n\") nil nil nil nil
nil\0", 254, 0) = 254
send(4, "nil] \r\n", 7, 0) = 7
send(4, "\tnil)\r\n", 7, 0) = 7
send(4, "Return-Path: <address@hidden>\r\n", 32, 0) = 32
send(4, "Delivered-To: address@hidden", 48, 0) = 48
send(4, "Received: by whatever.example.net (Postfix, from userid 1002)\r\n",
63, 0) = 63
send(4, "\tid 7CCED26EBB; Tue, 13 Sep 2005 17:41:04 -0400 (EDT)\r\n", 55, 0) =
55
send(4, "Message-Id: <address@hidden>\r\n", 62, 0) = 62
send(4, "From: address@hidden (Daniel Kahn Gillmor)\r\n", 45, 0) = 45
send(4, "To: address@hidden", 42, 0) = 42
send(4, "Subject: hello\r\n", 16, 0) = 16
send(4, "Date: Tue, 13 Sep 2005 17:41:04 -0400 (EDT)\r\n", 45, 0) = 45
send(4, "\r\n", 2, 0) = 2
send(4, "hi there\r\n", 10, 0) = 10
send(4, "\n", 1, 0) = 1
recv(4, "g3 NO Message contains NUL characters\r\n", 8192, 0) = 39
movemail: NO/Bad Tagged: NO Message contains NUL characters
Cannot append message 1: Invalid argumentsend(4, "g4 LOGOUT\r\n", 11, 0)
= 11
recv(4, "* BYE LOGOUT received\r\ng4 OK Completed\r\n", 8192, 0) = 40
recv(4, "* OK ignatz Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1 server
ready\r\n", 8192, 0) = 67
send(4, "g0 CAPABILITY\r\n", 15, 0) = 15
recv(4, "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=DIGEST-MD5
AUTH=CRAM-MD5 ANNOTATEMORE\r\ng0 OK Completed\r\n", 8192, 0) = 255
send(4, "g1 LOGIN \"dkg\" \"XXXXXXXXXX\"\r\n", 29, 0) = 29
recv(4, "g1 OK User logged in\r\n", 8192, 0) = 22
send(4, "g2 LIST \"\" \"INBOX.ffff\"\r\n", 25, 0) = 25
recv(4, "* LIST (\\HasNoChildren) \".\" \"INBOX.ffff\"\r\ng2 OK Completed
(0.000 secs 2 calls)\r\n", 8192, 0) = 80
send(4, "g3 APPEND INBOX.ffff () {760}\r\n", 31, 0) = 31
recv(4, "+ go ahead\r\n", 8192, 0) = 12
send(4, "X-VM-Bookmark: 4\r\n", 18, 0) = 18
send(4, "X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]\r\n", 54, 0) = 54
send(4, "\t[\"9\" \"Tuesday\" \"13\" \"September\" \"2005\" \"17:41:04\"
\"-0400\" \"Daniel Kahn Gillmor\" \"address@hidden" nil \"1\" \"hello\"
\"^From:\" nil nil \"9\" nil nil (number \" \" mark \" Daniel Kahn Gillm
Sep 13 1/9 \" thread-indent \"\\\"hello\\\"\\n\") nil nil nil nil nil ",
254, 0) = 254
send(4, "nil] \r\n", 7, 0) = 7
send(4, "\tnil)\r\n", 7, 0) = 7
send(4, "Return-Path: <address@hidden>\r\n", 32, 0) = 32
send(4, "Delivered-To: address@hidden", 48, 0) = 48
send(4, "Received: by whatever.example.net (Postfix, from userid 1002)\r\n",
63, 0) = 63
send(4, "\tid 7CCED26EBB; Tue, 13 Sep 2005 17:41:04 -0400 (EDT)\r\n", 55, 0) =
55
send(4, "Message-Id: <address@hidden>\r\n", 62, 0) = 62
send(4, "From: address@hidden (Daniel Kahn Gillmor)\r\n", 45, 0) = 45
send(4, "To: address@hidden", 42, 0) = 42
send(4, "Subject: hello\r\n", 16, 0) = 16
send(4, "Date: Tue, 13 Sep 2005 17:41:04 -0400 (EDT)\r\n", 45, 0) = 45
send(4, "\r\n", 2, 0) = 2
send(4, "hi there\r\n", 10, 0) = 10
send(4, "\n", 1, 0) = 1
recv(4, "g3 OK [APPENDUID 1130719365 9] Completed\r\n", 8192, 0) = 42
send(4, "g4 LOGOUT\r\n", 11, 0) = 11
recv(4, "* BYE LOGOUT received\r\ng4 OK Completed\r\n", 8192, 0) = 40
- [bug-mailutils] mailutils: mailbox/imap/folder.c:imap_writeline() can't successfully write lines that contain > 254 chars,
Daniel Kahn Gillmor <=