bug in Pine 4.21 (Unix), possible mailbox corruption

To: pine-bugs@cac.washington.edu
Cc: jaldhar@debian.org, debian-security@lists.debian.org
Subject: bug in Pine 4.21 (Unix), possible mailbox corruption
From: Leena Heino <liinu@uta.fi>
Date: Sun, 3 Sep 2000 00:10:24 +0300 (EET DST)
Message-id: <[🔎] Pine.GSO.4.21.0009022345090.26326-200000@lipstikka>

Short description:
Pine exits with Panic error message when email has a certain kind of
X-Keywords: header.

Long description:
Attached is a message to bugtraq that started this debugging. As to my
knowledge no solution has been presented to this problem. This "bug" is in
latest pine version 4.21.

Pine version: 4.21
System: Sun Solaris 2.6 with gcc c-compiler.

Presumptions:
- Mailbox does not have the hidden "Do not delete this mail" or this
hidden mail is corrupted and has to created.
- Mailbox has email with X-Keywords: header and this header is split into
two lines with second line beginning with "space" character
- Email with that special X-Keywords header is not deleted from mailbox

When above presumptions are present then pine will always exit with
this error message: Pine Panic: header size inconsistant

This bug is most likely in c-client library and therefore affects every
program that uses c-client library. This includes University of
Washington's IMAP and POP3 daemons.

Here's the relevant part from .pine-debug file:
    ---- QUIT SCREEN ----
- completely_done_with_adrbks -
expunge and close mail stream "/var/mail/mailbox"
about to end_tty_driver
Pine Panic: header size inconsistant

  -- Leena Heino (liinu@uta.fi)

It seems, that c-client libraries by University of Washington have
some bug(s), that makes some programs that depend upon those libraries
go crazy. AFAIK affected programs include at least Pine (read "pain"),
ipop3d and IMAPD. And those programs and libraries are commonly used in
Unixes. I don't know, if any patch, fix, work-around etc. exist.

 * * *

Problem was caused by my X-Keywords-header, that serves as so called spook line
(Hello, NSA! :-) ):

X-Keywords: kettutytöt, Sanna Sillanpää, IKL, Jammu Siltavuori, ryssä, somali,
lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex,
satan, traitor, pedophile

I shortened it to this:

 X-Keywords: lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb,
nuclear, Semtex, satan, traitor, pedophile

And then problems disappeared. I use a character set called ISO-LATIN-1. And my
original X-Keywords: -header had some scandinavic characters ("umlaut o"
aka "o with dots" and "umlaut a" aka "a with dots" ) in words
"kettutytöt" and "ryssä".

Here are some problem reports from mailing-lists of Debian:

 Date: Wed, 30 Aug 2000 23:52:12 +0200
 From: Cristian Ionescu-Idbohrn <cii@axis.com>
 To: bugs@bugs.debian.org
 CC: juhtolv@st.jyu.fi, debian-devel@lists.debian.org,
        debian-legal@lists.debian.org
 Subject: imap mailbox killer

(Clip)

I don't know if it was your intension, but you managed to totally screw
up my inbox (no hard feelings)!

The IMAP daemon went crazy trying to make sense of that box and put it's
holy counts on the

  "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".

Is this a security hole?^X

 Date: Wed, 30 Aug 2000 15:31:12 -0700 (MST)
 To: Cristian Ionescu-Idbohrn <cii@axis.com>
 cc: juhtolv@st.jyu.fi

(Clip)

I've been fighting this problem all day too.  Pine blows up when you try
to save the INBOX back out with any changes.  (I'm using fetchmail and
plain vanilla mail spool files.)  It was driving me nuts.  Thanks for
posting.  (I saved a copy of my mailbox and will pick through it with a
fine-tooth comb later.)

(Clip)

 Date: Thu, 31 Aug 2000 10:22:48 +0200 (CEST)
 From: Cristian Ionescu-Idbohrn <cii@axis.com>
 To: Juhapekka Tolvanen <juhtolv@st.jyu.fi>
 cc: debian-devel@lists.debian.org

(Clip)

Looks like all boxes get an extra message inserted. It looks something
like this:

,-----
| From MAILER-DAEMON  Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON@host.com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 0000033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

I don't know if it's the IMAP daemon or the pine client who is responsible
for this.

One (or several) of Juhapekka message header entries, probably this:

,-----
| X-Keywords:
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
|  =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
|  =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
|  =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-----

caused the daemon (or the client) screw up the "magic". I ended up with a
"magic" message looking like this:


,-----
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data <MAILER-DAEMON@host.com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <967646208@host.com>
| X-IMAP: 0967646162 0000000339
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

and a lot of NULL characters preceeding a few (5-6) of the messages in some
boxes.

Hope this helps to find the problem.
There's definitely a BUG lurking somewhere.

(Clip)

 Date: Thu, 31 Aug 2000 12:34:14 -0400 (EDT)
 From: "Jaldhar H. Vyas" <jaldhar@debian.org>
 Reply-To: "Jaldhar H. Vyas" <jaldhar@debian.org>
 To: Richard A Nelson <cowboy@debian.org>
 cc: Juhapekka Tolvanen <juhtolv@st.jyu.fi>,
        Cristian Ionescu-Idbohrn <cii@axis.com>, debian-devel@lists.debian.org,
        70647@bugs.debian.org

(Clip)

> > There might be bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP
>

Pine also uses libc-client which is where the bug is.

(Clip)

 Date: Thu, 31 Aug 2000 12:31:03 -0400 (EDT)
 From: "Jaldhar H. Vyas" <jaldhar@debian.org>
 To: Buddha Buck <bmbuck@14850.com>
 cc: Richard A Nelson <cowboy@debian.org>
        Juhapekka Tolvanen <juhtolv@st.jyu.fi>,
        Cristian Ionescu-Idbohrn <cii@axis.com>, 70647@bugs.debian.org,
        debian-devel@lists.debian.org

(Clip)

> My school uses imap, but I didn't -directly- invoke it in this process.  It
> may have been invoked by their mailer behind the scenes, though.
>

Not necessarily.  However ipop3d and imapd both use the c-client library
for all the mail handling routines.  That's where the bug is so both would
have been affected.

(Clip)

--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv@st.jyu.fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
---------------------------------------------------------------------
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails

Reply to:

Prev by Date: Re: extra .. folder in /dev
Next by Date: Firewall with Kernel 2.4.0-test6
Previous by thread: Re: extra .. folder in /dev
Next by thread: Firewall with Kernel 2.4.0-test6
Index(es):
- Date
- Thread