Re: Bug#115625: maildrop: Severe bug which could be used for a DoS attack in reformime
On Sun, Oct 14, 2001 at 07:12:38PM +0000, Andre Luis Lopes wrote:
> Package: maildrop
> Version: 0.75-2.1; reported 2001-10-14
> Severity: critical
> Tags: potato
>
> I was trying to set up a Debian GNU/Linux 2.2r3 "Potato" box (not this
> one from which I'm sending this bug report) with Postfix + Amavis +
> McAfee virus scanner.
> When reading Amavis documentation about reformime, which is part of
> maildrop package, I think I found a serious problem to which the
> maildrop-0.75-2.1 Debian package from potato is still vulnerable.
> However, this same file provided a patch to be applied against a
> reformime version older than 1.0, which is the Debian package case.
> Below is the file in question (README.reformime from Amavis) with the
> vulnerability explanation and the appropriate patch. Hope it helps.
>
> ==============================================================================
>
> AMaViS & reformime
> ******************
>
> IMPORTANT SECURITY WARNING:
>
> reformime 1.0 contains a severe bug. It tries to avoid
> clobbering of existing files (i.e. if a mail contains
> two attachments with the same file name!) Due to a bug
> it ends in an endless loop! This could be used for a
> denial-of-service attack against AMaViS.
It appears that version 0.75 doesn't have the sanity check at all. This
looks like a serious bug, it can overwrite and lose data that way...
It also makes one chunk not apply, which is normal. What should be done?
(Please CC: posts to debian-security to me, I'm not on the list)
[the rest of the original post follows]
> For details see the AMaViS Security Announcement 2000-02
> http://amavis.org/asa-2000-2.txt and read README.metamail,
> which explains why metamail or reformime is used.
>
> Please apply the patch below if you are using reformime 1.0
> (we recommend using the latest release which is included in
> the package maildrop, see http://www.flounder.net/~mrsam/maildrop)
>
>
> Index: reformime.c
> ===================================================================
> RCS file: /cvsroot/courier/libs/rfc2045/reformime.c,v
> retrieving revision 1.25
> diff -U3 -r1.25 reformime.c
> --- reformime.c 2000/07/05 16:42:06 1.25
> +++ reformime.c 2000/07/26 00:07:14
> @@ -36,7 +36,7 @@
> #endif
>
>
> -static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar Exp $";
> +static const char rcsid[]="$Id: README.reformime,v 1.2 2000/09/16 16:09:42 reniar Exp $";
>
> void rfc2045_error(const char *errmsg)
> {
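Review bot: the `-` and `+` lines of this hunk are identical as quoted here, because the `$Id$` keyword in both was re-expanded when README.reformime itself was checked into RCS; the hunk therefore no longer matches the original `rcsid` string in reformime.c and will be rejected on apply (this is the chunk that "does not apply"). Drop it before applying: it only updates a version string and has no functional effect.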
> @@ -317,7 +317,8 @@
> }
> }
>
> -static char *get_suitable_filename(struct rfc2045 *r, const char *pfix)
> +static char *get_suitable_filename(struct rfc2045 *r, const char *pfix,
> + int ignore_filename)
> {
> const char *disposition_s;
> const char *disposition_name_s;
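Review bot: the new parameter is named `ignore_filename`, but the function never ignores the filename; the later hunk keeps `disposition_filename_s` and prefixes a counter to it. A name such as `rename_duplicate`, plus a one-line comment on the declaration saying that a non-zero value requests a uniquified name, would make the call sites `get_suitable_filename(p, filename, ignore)` and `get_suitable_filename(p, "FILENAME=", 0)` readable without consulting the body.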
> @@ -336,7 +337,24 @@
> if (!disposition_filename_s || !*disposition_filename_s)
> disposition_filename_s=content_name_s;
>
> - if (!disposition_filename_s || !*disposition_filename_s)
> + if (ignore_filename)
> + {
> + char numbuf[NUMBUFSIZE];
> + static size_t counter=0;
> + const char *p=str_size_t(++counter, numbuf);
> +
> + dyn_disp_name=malloc(strlen(disposition_filename_s)
> + + strlen(p)+2);
> + if (!dyn_disp_name)
> + {
> + perror("malloc");
> + exit(1);
> + }
> + disposition_filename_s=strcat(strcat(strcpy(
> + dyn_disp_name, p), "-"),
> + disposition_filename_s);
> + }
> + else if (!disposition_filename_s || !*disposition_filename_s)
> {
> dyn_disp_name=tempname(".");
> disposition_filename_s=dyn_disp_name+2; /* Skip over ./ */
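Review bot: the new `if (ignore_filename)` branch calls `strlen(disposition_filename_s)` without checking the pointer, yet the `else if (!disposition_filename_s || !*disposition_filename_s)` directly below shows it can be NULL or empty (no Content-Disposition filename and no Content-Type name). Since the extract loop sets `ignore=1` on any "exists" result, a nameless part whose `tempname(".")` candidate already exists reaches this branch with a NULL pointer and crashes. Guard it, e.g. `if (ignore_filename && disposition_filename_s && *disposition_filename_s)`, and let the nameless case fall through to the `tempname` path. The `static size_t counter` that only ever increments is what makes the retry loop terminate, and the `malloc` size (prefix + `-` + name + NUL) is correct.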
> @@ -421,12 +439,13 @@
> {
> char *f;
> FILE *fp;
> +int ignore=0;
>
> for (;;)
> {
> int fd;
>
> - f=get_suitable_filename(p, filename);
> + f=get_suitable_filename(p, filename, ignore);
> if (!f) return;
>
> fd=open(f, O_WRONLY|O_CREAT|O_EXCL, 0666);
> @@ -436,6 +455,7 @@
> {
> printf("%s exists.\n", f);
> free(f);
> + ignore=1;
> continue;
> }
>
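Review bot: the condition guarding this block is outside the hunk; confirm it tests `errno == EEXIST` specifically, because with `ignore=1; continue;` and no other exit, any persistent `open()` failure (EACCES, ENOSPC, ENAMETOOLONG) would now retry with an ever-growing counter instead of failing, re-creating the endless loop this patch is meant to remove. Printing `%s exists.` on every retry is also noisy; logging the final renamed target once is enough.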
> @@ -465,7 +485,7 @@
> const char *filename,
> int argc, char **argv)
> {
> -char *f=get_suitable_filename(p, "FILENAME=");
> +char *f=get_suitable_filename(p, "FILENAME=", 0);
> int pipefd[2];
> pid_t pid, p2;
> FILE *fp;
>
> ==============================================================================
>
>
> -- System Information
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux foobar 2.4.9 #1 SMP Dom Set 9 14:19:19 BRT 2001 i586
> Locale: LANG=pt_BR, LC_CTYPE=pt_BR
>
--
2. That which causes joy or happiness.
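Added example, not code from the bug report or from reformime: a defensive version of the collision-handling loop the patch above introduces, showing what it should guarantee (never clobber, always terminate, retry only on EEXIST, refuse names that could escape the target directory). The `MAX_DUPLICATES` limit and the function name are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound on retries (assumed limit): a message carrying thousands of
 * identically named parts must fail loudly instead of spinning forever. */
#define MAX_DUPLICATES 1000

/* Create dir/name with O_EXCL so an existing file is never clobbered.  On a
 * collision retry as "1-name", "2-name", ... up to MAX_DUPLICATES.  Any
 * error other than EEXIST (EACCES, ENOSPC, ...) stops the loop at once,
 * since a new name cannot fix it.  Returns the open fd and leaves the
 * chosen path in out; returns -1 with errno set on failure. */
int create_unique(const char *dir, const char *name, char *out, size_t outlen)
{
    unsigned counter;

    /* Reject empty names and anything containing a path separator: an
     * attachment name must never be allowed to point outside dir. */
    if (!name || !*name || strchr(name, '/')) {
        errno = EINVAL;
        return -1;
    }
    for (counter = 0; counter <= MAX_DUPLICATES; counter++) {
        int fd, n;
        if (counter == 0)
            n = snprintf(out, outlen, "%s/%s", dir, name);
        else
            n = snprintf(out, outlen, "%s/%u-%s", dir, counter, name);
        if (n < 0 || (size_t)n >= outlen) {
            errno = ENAMETOOLONG;
            return -1;
        }
        fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)   /* permission, disk full, ...: do not retry */
            return -1;
    }
    errno = EEXIST;            /* gave up: every candidate name is taken */
    return -1;
}
```

Calling it three times for the same name in an empty directory yields `dir/name`, `dir/1-name` and `dir/2-name`; a fourth call after a permission error returns -1 immediately instead of looping.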