Bugtraq mailing list archives
UW c-client library vulnerability
From: Juhapekka Tolvanen <juhtolv () ST JYU FI>
Date: Fri, 1 Sep 2000 19:53:22 +0300
It seems that c-client libraries by University of Washington have some bug(s) that make some programs that depend upon those libraries go crazy. AFAIK affected programs include at least Pine (read "pain"), ipop3d and IMAPD. And those programs and libraries are commonly used in Unixes. I don't know if any patch, fix, work-around etc. exists.

* * *

The problem was caused by my X-Keywords header, which serves as a so-called spook line (Hello, NSA! :-) ):

X-Keywords: kettutytöt, Sanna Sillanpää, IKL, Jammu Siltavuori, ryssä, somali, lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex, satan, traitor, pedophile

I shortened it to this:

X-Keywords: lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex, satan, traitor, pedophile

And then the problems disappeared. I use a character set called ISO-LATIN-1. And my original X-Keywords: header had some Scandinavian characters ("umlaut o" aka "o with dots" and "umlaut a" aka "a with dots") in the words "kettutytöt" and "ryssä".

Here are some problem reports from mailing-lists of Debian:

Date: Wed, 30 Aug 2000 23:52:12 +0200
From: Cristian Ionescu-Idbohrn <cii () axis com>
To: bugs () bugs debian org
CC: juhtolv () st jyu fi, debian-devel () lists debian org, debian-legal () lists debian org
Subject: imap mailbox killer

(Clip)

I don't know if it was your intention, but you managed to totally screw up my inbox (no hard feelings)! The IMAP daemon went crazy trying to make sense of that box and put its holy counts on the "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".

Is this a security hole?

Date: Wed, 30 Aug 2000 15:31:12 -0700 (MST)
To: Cristian Ionescu-Idbohrn <cii () axis com>
cc: juhtolv () st jyu fi

(Clip)

I've been fighting this problem all day too. Pine blows up when you try to save the INBOX back out with any changes. (I'm using fetchmail and plain vanilla mail spool files.) It was driving me nuts. Thanks for posting.
(I saved a copy of my mailbox and will pick through it with a fine-tooth comb later.)

(Clip)

Date: Thu, 31 Aug 2000 10:22:48 +0200 (CEST)
From: Cristian Ionescu-Idbohrn <cii () axis com>
To: Juhapekka Tolvanen <juhtolv () st jyu fi>
cc: debian-devel () lists debian org

(Clip)

Looks like all boxes get an extra message inserted. It looks something like this:

,-----
| From MAILER-DAEMON Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON () host com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 0000033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

I don't know if it's the IMAP daemon or the pine client who is responsible for this. One (or several) of Juhapekka's message header entries, probably this:

,-----
| X-Keywords: +=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
| =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
| =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-----

caused the daemon (or the client) to screw up the "magic".

I ended up with a "magic" message looking like this:

,-----
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data <MAILER-DAEMON () host com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <967646208 () host com>
| X-IMAP: 0967646162 0000000339 +=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

and a lot of NULL characters preceding a few (5-6) of the messages in some boxes.

Hope this helps to find the problem. There's definitely a BUG lurking somewhere.

(Clip)

Date: Thu, 31 Aug 2000 12:34:14 -0400 (EDT)
From: "Jaldhar H. Vyas" <jaldhar () debian org>
Reply-To: "Jaldhar H. Vyas" <jaldhar () debian org>
To: Richard A Nelson <cowboy () debian org>
cc: Juhapekka Tolvanen <juhtolv () st jyu fi>, Cristian Ionescu-Idbohrn <cii () axis com>, debian-devel () lists debian org, 70647 () bugs debian org

(Clip)

There might be a bug in either Pine or IMAP(D) or both.
Both... I had to manually delete several messages in Pine 4.21 folders and I don't use IMAP

Pine also uses libc-client which is where the bug is.

(Clip)

Date: Thu, 31 Aug 2000 12:31:03 -0400 (EDT)
From: "Jaldhar H. Vyas" <jaldhar () debian org>
To: Buddha Buck <bmbuck () 14850 com>
cc: Richard A Nelson <cowboy () debian org>, Juhapekka Tolvanen <juhtolv () st jyu fi>, Cristian Ionescu-Idbohrn <cii () axis com>, 70647 () bugs debian org, debian-devel () lists debian org

(Clip)

My school uses imap, but I didn't -directly- invoke it in this process. It may have been invoked by their mailer behind the scenes, though.

Not necessarily. However ipop3d and imapd both use the c-client library for all the mail handling routines. That's where the bug is so both would have been affected.

(Clip)

--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv () st jyu fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
---------------------------------------------------------------------
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails
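
Added example, not part of the original post and not c-client code: a Python check that a mail administrator could run over mbox folders to spot the damage reported in this thread, namely a pseudo-message whose X-IMAP line carries RFC 2047 encoded data after its two numeric fields, and NUL bytes in the folder. The function name, the sample folders (constructed from the two pseudo-messages quoted above) and the assumption that the pseudo-message is the first message in the folder belong to this example.

```python
import re

PSEUDO_SUBJECT = b"Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
ENCODED_WORD = re.compile(rb"=\?[^?\s]+\?[bBqQ]\?")  # start of an RFC 2047 encoded-word
COUNTER = re.compile(rb"\d{10}")                      # both fields are 10 digits in the samples


def check_mailbox(raw: bytes) -> list:
    """Return a list of findings for one mbox-format folder given as bytes."""
    findings = []
    if raw.count(b"\x00"):
        findings.append("%d NUL byte(s) in folder" % raw.count(b"\x00"))
    # Assumption: the pseudo-message, when present, is the first message.
    first = re.split(rb"\n(?=From )", raw, maxsplit=1)[0]
    header = first.split(b"\n\n", 1)[0]
    if PSEUDO_SUBJECT not in header:
        return findings
    m = re.search(rb"^X-IMAP:[ \t]*(.*)$", header, re.M)
    if m is None:
        findings.append("pseudo-message has no X-IMAP header")
        return findings
    fields = m.group(1).split()
    if len(fields) < 2 or not all(COUNTER.fullmatch(f) for f in fields[:2]):
        findings.append("X-IMAP does not begin with two 10-digit fields")
    for extra in fields[2:]:
        # Anything after the two fields that looks encoded or non-ASCII is flagged.
        if ENCODED_WORD.search(extra) or any(b > 0x7E for b in extra):
            findings.append("X-IMAP carries encoded data: " + extra.decode("latin-1"))
    return findings


# Constructed samples modelled on the two pseudo-messages quoted in the thread.
_HEAD = (b"From MAILER-DAEMON Wed Aug 30 16:36:48 2000\n"
         b"Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA\n")
_REAL = b"\nFrom someone Wed Aug 30 17:00:00 2000\nSubject: hi\n\nbody\n"
CLEAN = _HEAD + b"X-IMAP: 0928135936 0000033614\nStatus: RO\n\nnot a real message\n" + _REAL
DAMAGED = (_HEAD + b"X-IMAP: 0967646162 0000000339 +=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna?=\n"
           b"Status: RO\n\nnot a real message\n" + b"\x00" * 4 + _REAL)

if __name__ == "__main__":
    for name, box in (("clean", CLEAN), ("damaged", DAMAGED)):
        print(name, check_mailbox(box))
```

Run it against a copy of the spool file, not the live folder, so that a mail client rewriting the folder cannot change it mid-check.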