Bugtraq mailing list archives

UW c-client library vulnerability


From: Juhapekka Tolvanen <juhtolv () ST JYU FI>
Date: Fri, 1 Sep 2000 19:53:22 +0300

It seems that the c-client libraries by the University of Washington have
some bug(s) that make some programs depending upon those libraries
go crazy. AFAIK affected programs include at least Pine (read "pain"),
ipop3d and IMAPD, and those programs and libraries are commonly used on
Unixes. I don't know if any patch, fix, work-around etc. exists.

 * * *

The problem was caused by my X-Keywords header, which serves as a so-called spook line
(Hello, NSA! :-) ):

X-Keywords: kettutytöt, Sanna Sillanpää, IKL, Jammu Siltavuori, ryssä, somali,
lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex,
satan, traitor, pedophile

I shortened it to this:

X-Keywords: lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb,
nuclear, Semtex, satan, traitor, pedophile

And then the problems disappeared. I use the character set ISO-LATIN-1, and my
original X-Keywords: header had some Scandinavian characters ("umlaut o"
aka "o with dots" and "umlaut a" aka "a with dots") in the words
"kettutytöt" and "ryssä".

Here are some problem reports from mailing-lists of Debian:

 Date: Wed, 30 Aug 2000 23:52:12 +0200
 From: Cristian Ionescu-Idbohrn <cii () axis com>
 To: bugs () bugs debian org
 CC: juhtolv () st jyu fi, debian-devel () lists debian org,
        debian-legal () lists debian org
 Subject: imap mailbox killer

(Clip)

I don't know if it was your intention, but you managed to totally screw
up my inbox (no hard feelings)!

The IMAP daemon went crazy trying to make sense of that box and put its
holy counts on the

  "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".

Is this a security hole?

 Date: Wed, 30 Aug 2000 15:31:12 -0700 (MST)
 To: Cristian Ionescu-Idbohrn <cii () axis com>
 cc: juhtolv () st jyu fi

(Clip)

I've been fighting this problem all day too.  Pine blows up when you try
to save the INBOX back out with any changes.  (I'm using fetchmail and
plain vanilla mail spool files.)  It was driving me nuts.  Thanks for
posting.  (I saved a copy of my mailbox and will pick through it with a
fine-tooth comb later.)

(Clip)

 Date: Thu, 31 Aug 2000 10:22:48 +0200 (CEST)
 From: Cristian Ionescu-Idbohrn <cii () axis com>
 To: Juhapekka Tolvanen <juhtolv () st jyu fi>
 cc: debian-devel () lists debian org

(Clip)

Looks like all boxes get an extra message inserted. It looks something
like this:

,-----
| From MAILER-DAEMON  Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <MAILER-DAEMON () host com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 0000033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

I don't know if it's the IMAP daemon or the pine client who is responsible
for this.

One (or several) of Juhapekka's message header entries, probably this:

,-----
| X-Keywords:
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
|  =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
|  =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
|  =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-----

caused the daemon (or the client) to screw up the "magic". I ended up with a
"magic" message looking like this:

,-----
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data <MAILER-DAEMON () host com>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <967646208 () host com>
| X-IMAP: 0967646162 0000000339
+=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message.  It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-----

and a lot of NULL characters preceding a few (5-6) of the messages in some
boxes.

Hope this helps to find the problem.
There's definitely a BUG lurking somewhere.

(Clip)

 Date: Thu, 31 Aug 2000 12:34:14 -0400 (EDT)
 From: "Jaldhar H. Vyas" <jaldhar () debian org>
 Reply-To: "Jaldhar H. Vyas" <jaldhar () debian org>
 To: Richard A Nelson <cowboy () debian org>
 cc: Juhapekka Tolvanen <juhtolv () st jyu fi>,
        Cristian Ionescu-Idbohrn <cii () axis com>, debian-devel () lists debian org,
        70647 () bugs debian org

(Clip)

There might be a bug in either Pine or IMAP(D) or both.

Both... I had to manually delete several messages in Pine 4.21 folders,
and I don't use IMAP.

Pine also uses libc-client, which is where the bug is.

(Clip)

 Date: Thu, 31 Aug 2000 12:31:03 -0400 (EDT)
 From: "Jaldhar H. Vyas" <jaldhar () debian org>
 To: Buddha Buck <bmbuck () 14850 com>
 cc: Richard A Nelson <cowboy () debian org>
        Juhapekka Tolvanen <juhtolv () st jyu fi>,
        Cristian Ionescu-Idbohrn <cii () axis com>, 70647 () bugs debian org,
        debian-devel () lists debian org

(Clip)

My school uses imap, but I didn't -directly- invoke it in this process.  It
may have been invoked by their mailer behind the scenes, though.

Not necessarily.  However, ipop3d and imapd both use the c-client library
for all the mail handling routines.  That's where the bug is, so both would
have been affected.

(Clip)

--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv () st jyu fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
---------------------------------------------------------------------
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails
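As an added example (not part of this post, nor code from c-client, Pine or Debian), a small Python audit of a plain mbox file for the three symptoms the quoted reports describe: a header line without a field name inside the "FOLDER INTERNAL DATA" pseudo-message, an X-Keywords header that carries RFC 2047 encoded-words or is folded over continuation lines (the trigger Cristian points at), and NUL bytes in front of a message's "From " separator. The sample mailbox is constructed from the symptoms above; the hostnames and addresses in it are placeholders.

```python
import re
# Constructed sample mbox (not from the thread) reproducing the symptoms the quoted
# reports describe: a stray encoded-word line inside the FOLDER INTERNAL DATA
# pseudo-message, an RFC 2047-encoded, folded X-Keywords header, and NUL padding.
SAMPLE_MBOX = (
    "From MAILER-DAEMON Wed Aug 30 16:36:48 2000\n"
    "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA\n"
    "X-IMAP: 0967646162 0000000339\n"
    "=?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL?=\n"
    "Status: RO\n\nThis text is part of the internal format of your mail folder.\n\n"
    "From alice@example.test Wed Aug 30 17:00:00 2000\nSubject: hello\n"
    "X-Keywords: =?iso-8859-1?Q?kettutyt=F6t=2C_ryss=E4?=\n"
    " =?iso-8859-1?Q?_somali=2C_lesbo?=\n\nbody\n\n"
    "\x00\x00\x00\x00From bob@example.test Wed Aug 30 18:00:00 2000\n"
    "Subject: fine\nX-Keywords: \n\nok\n"
)

FROM_LINE = re.compile(r"^(\x00*)From ", re.MULTILINE)      # mbox separator, NULs allowed
FIELD = re.compile(r"^([!-9;-~]+):")                         # RFC 2822 field-name + ':'
ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")     # RFC 2047 encoded-word
PSEUDO_SUBJECT = "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"

def split_mbox(data):
    # Yield (nul_count, message_text) for each From_-delimited message.
    starts = list(FROM_LINE.finditer(data))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(data)
        yield len(m.group(1)), data[m.start() + len(m.group(1)):end]

def audit_mbox(data):
    # Return (message_index, finding) pairs for the three symptoms.
    findings = []
    for idx, (nuls, msg) in enumerate(split_mbox(data)):
        if nuls:
            findings.append((idx, f"{nuls} NUL bytes before From_ line"))
        header_lines = msg.split("\n\n", 1)[0].split("\n")[1:]   # drop From_ line
        pseudo = PSEUDO_SUBJECT in header_lines
        current = None                       # field name the last header line started
        for line in header_lines:
            m = FIELD.match(line)
            if line[:1] in " \t":            # folded continuation of the previous field
                if current == "X-Keywords":
                    findings.append((idx, "X-Keywords folded onto a continuation line"))
            elif not m:                      # no "Name:" at all
                kind = "pseudo-message" if pseudo else "message"
                findings.append((idx, f"malformed header line in {kind}: {line[:24]}"))
            else:
                current = m.group(1)
                if current == "X-Keywords" and ENCODED_WORD.search(line):
                    findings.append((idx, "RFC 2047 encoded-word in X-Keywords"))
    return findings
```

Run `audit_mbox(open(path).read())` against a copy of a suspect spool; a clean mailbox yields an empty list.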

