
Re: Bug#115625: maildrop: Severe bug which could be used for a DoS attack in reformime



On Sun, Oct 14, 2001 at 07:12:38PM +0000, Andre Luis Lopes wrote:
> Package: maildrop
> Version: 0.75-2.1; reported 2001-10-14
> Severity: critical
> Tags: potato
> 
>    I was trying to set up a Debian GNU/Linux 2.2r3 "Potato" box (not this
>    one from which I'm sending this bug report) with Postfix + Amavis +
>    McAfee virus scanner.
>    When reading Amavis documentation about reformime, which is part of
>    the maildrop package, I think I found a serious problem to which the
>    maildrop-0.75-2.1 Debian package from potato is still vulnerable.
>    However, this same file provided a patch to be applied against a
>    reformime version older than 1.0, which is the Debian package case.
>    Below is the file in question (README.reformime from Amavis) with the
>    vulnerability explanation and the appropriate patch. Hope it helps.
> 
> ==============================================================================
> 
>  AMaViS & reformime
> ******************
> 
> IMPORTANT SECURITY WARNING:
> 
> reformime 1.0 contains a severe bug. It tries to avoid
> clobbering of existing files (i.e. if a mail contains
> two attachments with the same file name!). Due to a bug
> it ends in an endless loop! This could be used for a
> denial-of-service attack against AMaViS.

It appears that version 0.75 doesn't have the sanity check at all. This
looks like a serious bug; it can overwrite and lose data that way...
It also makes one chunk not apply, which is normal. What should be done?

(Please CC: posts to debian-security to me, I'm not on the list)

[the rest of the original post follows]
> For details see the AMaViS Security Announcement 2000-02
> http://amavis.org/asa-2000-2.txt and read README.metamail, 
> which explains why metamail or reformime is used.
> 
> Please apply the patch below if you are using reformime 1.0
> (we recommend using the latest release, which is included in
> the package maildrop, see http://www.flounder.net/~mrsam/maildrop)
> 
> 
> Index: reformime.c
> ===================================================================
> RCS file: /cvsroot/courier/libs/rfc2045/reformime.c,v
> retrieving revision 1.25
> diff -U3 -r1.25 reformime.c
> --- reformime.c	2000/07/05 16:42:06	1.25
> +++ reformime.c	2000/07/26 00:07:14
> @@ -36,7 +36,7 @@
>  #endif
>  
>  
> -static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar Exp $";
> +static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar Exp $";
>  
>  void rfc2045_error(const char *errmsg)
>  {
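Review bot: the `-` and `+` lines of this hunk are identical in this copy, so the hunk cannot apply cleanly: the `$Id$` keyword on the rcsid line was re-expanded to README.reformime's own revision string when the README was committed to CVS, replacing the two different reformime.c revision strings the original diff carried. Since it only touches the version string, drop this hunk before applying; that is the one chunk that does not apply, as noted above.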
> @@ -317,7 +317,8 @@
>  	}
>  }
>  
> -static char *get_suitable_filename(struct rfc2045 *r, const char *pfix)
> +static char *get_suitable_filename(struct rfc2045 *r, const char *pfix,
> +	int ignore_filename)
>  {
>  const char *disposition_s;
>  const char *disposition_name_s;
> @@ -336,7 +337,24 @@
>  	if (!disposition_filename_s || !*disposition_filename_s)
>  		disposition_filename_s=content_name_s;
>  
> -	if (!disposition_filename_s || !*disposition_filename_s)
> +	if (ignore_filename)
> +	{
> +	char	numbuf[NUMBUFSIZE];
> +	static size_t counter=0;
> +	const char *p=str_size_t(++counter, numbuf);
> +
> +		dyn_disp_name=malloc(strlen(disposition_filename_s)
> +			+ strlen(p)+2);
> +		if (!dyn_disp_name)
> +		{
> +			perror("malloc");
> +			exit(1);
> +		}
> +		disposition_filename_s=strcat(strcat(strcpy(
> +			dyn_disp_name, p), "-"),
> +			disposition_filename_s);
> +	}
> +	else if (!disposition_filename_s || !*disposition_filename_s)
>  	{
>  		dyn_disp_name=tempname(".");
>  		disposition_filename_s=dyn_disp_name+2;	/* Skip over ./ */
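Review bot: the `if (ignore_filename)` branch runs before the `!disposition_filename_s || !*disposition_filename_s` fallback, so on a retry for a part that has neither a disposition filename nor a content name, `strlen(disposition_filename_s)` is called on NULL. The caller only sets `ignore_filename` after an EEXIST, and the nameless case goes through `tempname(".")`, so a collision there is unlikely, but the order is still wrong: test for a missing name first, and only then build the `<counter>-<name>` variant, i.e. `if (!disposition_filename_s || !*disposition_filename_s) { dyn_disp_name=tempname("."); ... } else if (ignore_filename) { ... }`. The allocation itself is sized correctly (`strlen(name) + strlen(p) + 2` covers the `-` and the terminator), so the `strcat(strcat(strcpy(...)))` chain does not overflow.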
> @@ -421,12 +439,13 @@
>  {
>  char	*f;
>  FILE	*fp;
> +int	ignore=0;
>  
>  	for (;;)
>  	{
>  	int	fd;
>  
> -		f=get_suitable_filename(p, filename);
> +		f=get_suitable_filename(p, filename, ignore);
>  		if (!f)	return;
>  
>  		fd=open(f, O_WRONLY|O_CREAT|O_EXCL, 0666);
> @@ -436,6 +455,7 @@
>  			{
>  				printf("%s exists.\n", f);
>  				free(f);
> +				ignore=1;
>  				continue;
>  			}
>  
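Review bot: setting `ignore=1` here, together with the static counter in `get_suitable_filename`, is what breaks the endless loop the README describes: every retry now asks for a fresh `<n>-<name>`, and `O_CREAT|O_EXCL` keeps the existence test and the create atomic, so a name that appears between the two cannot be clobbered either. The `for (;;)` loop still has no upper bound on retries, though; a cap on the number of EEXIST retries, after which the part is reported and skipped, would bound the work a message with many same-named parts can cause. Also, `printf("%s exists.\n", f)` now fires on every expected collision rather than on an error, so it may be worth demoting to a quieter message.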
> @@ -465,7 +485,7 @@
>  	const char *filename,
>  	int argc, char **argv)
>  {
> -char	*f=get_suitable_filename(p, "FILENAME=");
> +char	*f=get_suitable_filename(p, "FILENAME=", 0);
>  int	pipefd[2];
>  pid_t	pid, p2;
>  FILE	*fp;
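Review bot: this caller passes `0` for the new `ignore_filename` parameter, so the counter prefix is never applied on the pipe path. That is consistent with the rest of the patch only if no file is created here (the `pipefd`/`pid` locals suggest the name is handed to a child rather than opened with `O_EXCL`); a one-line comment at the call site saying so would keep a later reader from "fixing" it to pass the flag.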
> 
> ==============================================================================
> 
> 
> -- System Information
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux foobar 2.4.9 #1 SMP Dom Set 9 14:19:19 BRT 2001 i586
> Locale: LANG=pt_BR, LC_CTYPE=pt_BR
> 
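As an added illustration of the approach the patch above takes (example code written for this page; it is not part of the original post and not maildrop's own reformime.c): an attachment extractor that creates each file with O_CREAT|O_EXCL, retries with a counter-prefixed name on EEXIST, falls back to a fixed base name when a part carries no name at all instead of dereferencing NULL, and gives up after a bounded number of attempts rather than looping forever. The scratch directory under /tmp, MAX_ATTEMPTS, the "unnamed-attachment" fallback and all function names are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound on retries so a directory full of colliding names can never
   keep the extractor spinning (hypothetical value chosen for this example). */
#define MAX_ATTEMPTS 1000
#define NAME_MAX_DEMO 64

/* Candidate name for a given attempt: the original name first, then
   "1-name", "2-name", ... (the scheme the patch uses).  A part with no usable
   name falls back to a fixed base instead of passing NULL to strlen().
   Caller frees the result. */
char *candidate_name(const char *name, size_t attempt)
{
    const char *base = (name && *name) ? name : "unnamed-attachment";
    char prefix[32] = "";
    if (attempt > 0)
        snprintf(prefix, sizeof prefix, "%zu-", attempt);
    size_t len = strlen(prefix) + strlen(base) + 1;
    char *out = malloc(len);
    if (!out)
        return NULL;
    snprintf(out, len, "%s%s", prefix, base);
    return out;
}

/* Create a new file in dir for an attachment called name without clobbering
   an existing one.  O_EXCL makes the existence check and the create a single
   atomic step; EEXIST means "try the next candidate", any other error aborts.
   On success stores the open descriptor in *fd_out and returns the path
   (caller frees); returns NULL after MAX_ATTEMPTS collisions or on error. */
char *create_unique(const char *dir, const char *name, int *fd_out)
{
    for (size_t attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
        char *base = candidate_name(name, attempt);
        if (!base)
            return NULL;
        size_t len = strlen(dir) + 1 + strlen(base) + 1;
        char *path = malloc(len);
        if (!path) {
            free(base);
            return NULL;
        }
        snprintf(path, len, "%s/%s", dir, base);
        free(base);

        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd >= 0) {
            *fd_out = fd;
            return path;
        }
        int saved = errno;
        free(path);
        if (saved != EEXIST)
            return NULL;            /* EACCES, ENOSPC, ...: not a collision */
        /* collision: loop once more with the next counter value */
    }
    return NULL;                    /* bounded give-up, no endless loop */
}

/* Demo driver: extract `count` parts that all carry the same file name into a
   scratch directory, record the base names actually used, then clean up.
   Returns how many files were created (at most 16). */
int extract_same_name(const char *name, int count, char used[][NAME_MAX_DEMO])
{
    char dir[64];
    char *paths[16];
    if (count > 16)
        count = 16;
    snprintf(dir, sizeof dir, "/tmp/reformime_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return 0;

    int created = 0;
    for (int i = 0; i < count; i++) {
        int fd;
        char *path = create_unique(dir, name, &fd);
        if (!path)
            break;
        /* constructed sample body; a real extractor copies the MIME part here */
        const char body[] = "sample attachment body\n";
        (void)write(fd, body, sizeof body - 1);
        close(fd);
        const char *slash = strrchr(path, '/');
        snprintf(used[created], NAME_MAX_DEMO, "%s", slash ? slash + 1 : path);
        paths[created++] = path;
    }
    for (int i = 0; i < created; i++) {
        unlink(paths[i]);
        free(paths[i]);
    }
    rmdir(dir);
    return created;
}

int main(void)
{
    char used[3][NAME_MAX_DEMO];
    int n = extract_same_name("report.txt", 3, used);
    for (int i = 0; i < n; i++)
        printf("part %d written as %s\n", i + 1, used[i]);
    return 0;
}
```

Three parts all named report.txt come out as report.txt, 1-report.txt and 2-report.txt; the counter is per call here rather than a process-wide static as in the patch, which is enough for a demonstration and keeps the prefixes predictable.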

-- 
     2. That which causes joy or happiness.
