Re: UW c-client library vulnerability

[Jakub Bogusz <qboosh () PRIORIS MINI PW EDU PL>]

On Fri, Sep 01, 2000 at 07:53:22PM +0300, Juhapekka Tolvanen wrote:
> It seems, that c-client libraries by University of Washington have
> some bug(s), that makes some programs that depend upon those libraries
> go crazy. AFAIK affected programs include at least Pine (read "pain"),
> ipop3d and IMAPD. And those programs and libraries are commonly used in
> Unixes. I don't know, if any patch, fix, work-around etc. exist.
>
>  * * *
>
> Problem was caused by my X-Keywords-header, that serves as so called spook line
> (Hello, NSA! :-) ):
>
> X-Keywords: kettutytöt, Sanna Sillanpää, IKL, Jammu Siltavuori, ryssä, somali,
> lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex,
> satan, traitor, pedophile

[...]

> I've been fighting this problem all day too.  Pine blows up when you try
> to save the INBOX back out with any changes.  (I'm using fetchmail and
> plain vanilla mail spool files.)  It was driving me nuts.  Thanks for
> posting.  (I saved a copy of my mailbox and will pick through it with a
> fine-tooth comb later.)

pine crashes with "header size inconsistant" during saving mailbox if any
message contains X-Keywords line split in 2 or more lines...
Your post (maybe processed by MTA) contained 2-line X-Keywords so my
pine crashed... and I could find why. (and had finally motivation to
configure Mutt ;))

X-Keywords is processed in 2 functions:
mail_filter() (in imap/src/c-client/mail.c) filters out X-Keywords line
and seems to handle multi-line keywords correctly
unix_parse() (in imap/src/osdep/unix/unix.c) probably doesn't handle
multi-line keywords
Different results (different header sizes) causes pine crash.

The same may apply to X-UID, X-Status and Status header (I haven't test,
so I'm not sure).

imap uses the same c-client library, so the same condition may cause
imap crash.


--
Jakub Bogusz
http://prioris.mini.pw.edu.pl/~qboosh/