Date: Mon, 29 Jun 2015 11:33:44 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Courier mail server: Write heap overflow in mailbot tool and out of bounds heap read in imap folder parser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The allocation only reserves one byte
> for the zero termination, however it must be the size of the pointer (8
> bytes on 64 bit systems). Therefore it causes a write heap overflow of
> seven zero bytes.

Is this relevant:

  http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
  "An odd malloc() size will always result in an off-by-one off the
  end being harmless, due to malloc() minimum alignment being
  sizeof(void*)."

?

If there's a malloc implementation that relies on the values of these
seven bytes, then the issue can have a CVE ID.

Also, here's a general (but, in this case, probably unimportant)
comment about whether command-line arguments (for a non-setuid
program) are relevant to CVE inclusion:

> The code parses command line data, therefore it is
> unlikely that any attacker controlled input is affected.

maildrop/testsuite.in gives this example:

  LANG=en_US.utf-8 ./mailbot -T feedback -R abuse -n -N -m testmailbot.msg \
      --feedback-source-ip 127.0.0.1 \
      --feedback-incidents 2 \

However, this type of command line isn't necessarily under the control
of a local user. The purpose of mailbot is to send automatic responses
to e-mail. It seems plausible that the command line would be
dynamically constructed based on information available from an MTA,
e.g., maybe mailbot is called from a .qmail file with something like:

  mailbot -T feedback -R abuse -n -N -m testmailbot.msg \
      --feedback-original-mail-from $QUOTEDSENDER

where $QUOTEDSENDER is derived from the SENDER environment variable
supplied by qmail-local, and the value of SENDER can be set
arbitrarily by a remote SMTP client.

In the current case, it appears that this would not be especially
helpful to exploitation. It looks like the replyfeedback function
would copy the string "original-mail-from" to the heap but would not
copy the sender e-mail address to the heap. However, part of the SMTP
DATA is copied to the heap. Thus, an attacker interested in
controlling heap-memory contents would probably rely on DATA, not an
envelope address that could possibly affect a command line.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVkWSDAAoJEKllVAevmvmsAWUH/11sOu9V+jwp0nNZnaJysMHy
xKgBEvQCCUEaIGSIaSH+XNCEzg9R/liwBSwAM8cq+cjto0VmeLjK247AWIau96GK
CxRoA+ukbgTrkGZKYjnPpbAXoQfDTRnK6xMfZUK8f/N8ekDY3a0vcT5vgvX3Da3a
gA3JgUZR86S66LKFt+wzWYoGSoMlAVxmqB8+XlBwjXa6Kk+k0gQK7FfuRtSs+D2o
sqR5LKgG2ZspaZJP5g/t5M56z1guBrhALdzm8PouObUEOTsyeELVIRBTO5a/is5l
/Gydj2BPkFf6XPa7Vl9NEo0+3xpUFI2qgf63JBT6VOpymS2fVNCvQ259/DSFngw=
=AJxg
-----END PGP SIGNATURE-----
