Re: imap mailbox killer
On Thu, Aug 31, 2000 at 10:35:40AM +0300, Juhapekka Tolvanen wrote:
> There might be a bug in either Pine or IMAP(D) or both.

There is. The license. (See debian-legal.)

--
G. Branden Robinson             | A committee is a life form with six or
Debian GNU/Linux                | more legs and no brain.
[EMAIL PROTECTED]               | -- Robert Heinlein
http://www.debian.org/~branden/ |
Re: imap mailbox killer
On Thu, 31 Aug 2000, Paul Slootman wrote:

> On Thu 31 Aug 2000, Paul Slootman wrote:
>
> > Yuck. Smells like a serious buffer overflow somewhere.
>
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
>     sprintf (buf + strlen (buf),"...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <[EMAIL PROTECTED]> from
> Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]>
>

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3). This is
only the tip of the iceberg however. There is a source code scanner called
its4 which checks for unsafe coding practices and I ran it on imapd. The
report was about a mile long :(

Oddly enough I read that message and wasn't affected even though I use
pine 4.21 and imapd.

--
Jaldhar H. Vyas <[EMAIL PROTECTED]>
Re: imap mailbox killer
Funny side effect of the bug, here is the new "magic message" in my
mailbox :-) Check out the "X-IMAP:" entry:

,-
| From MAILER-DAEMON Thu Aug 31 17:15:15 2000
| Date: 31 Aug 2000 17:15:15 +0200
| From: Mail System Internal Data <[EMAIL PROTECTED]>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <[EMAIL PROTECTED]>
| X-IMAP: 0967708347 84 lesbo, homo, lesbian, anarchism, nazi, communism, CIA, bomb, nuclear, Semtex, satan, traitor, pedophile
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

Cheers,
Cristian

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner
Re: imap mailbox killer
[Please Cc [EMAIL PROTECTED] on any replies to this thread.]

On Thu, 31 Aug 2000, Richard A Nelson wrote:

> > There might be a bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP
>

Pine also uses libc-client which is where the bug is.

--
Jaldhar H. Vyas <[EMAIL PROTECTED]>
Re: imap mailbox killer
[Please Cc [EMAIL PROTECTED] on any replies to this thread.]

On Thu, 31 Aug 2000, Buddha Buck wrote:

> I don't use pine or imap, but the school hosting my mailbox uses imap.
>
> The behavior I saw:
>
> Using POP to copy new mail to my workstation at work (running Eudora)
> seemed to cause ipop3d to crash without properly cleaning up -- $MAIL.lock
> still around, messages not marked as old, etc. Telnetting in, and mucking
> around in $MAIL by hand revealed the messages preceded by nulls. Elm read
> the mailbox fine, but treated the messages preceded by nulls as
> continuations of the previous messages. Eudora, getting the messages from
> POP3, also read the messages fine, but again with the broken messages
> tacked on to the preceding messages. Manually deleting the nulls wasn't a
> reliable way to fix the problem.
>

Thanks for the description, I found it very useful.

> My school uses imap, but I didn't -directly- invoke it in this process. It
> may have been invoked by their mailer behind the scenes, though.
>

Not necessarily. However ipop3d and imapd both use the c-client library
for all the mail handling routines. That's where the bug is so both would
have been affected.

--
Jaldhar H. Vyas <[EMAIL PROTECTED]>
Re: imap mailbox killer
At 08:21 AM 8/31/00 -0400, Richard A Nelson wrote:
> On Thu, 31 Aug 2000, Juhapekka Tolvanen wrote:
> > There might be a bug in either Pine or IMAP(D) or both.
>
> Both... I had to manually delete several messages in Pine 4.21 folders
> and I don't use IMAP

I don't use pine or imap, but the school hosting my mailbox uses imap.

The behavior I saw:

Using POP to copy new mail to my workstation at work (running Eudora)
seemed to cause ipop3d to crash without properly cleaning up -- $MAIL.lock
still around, messages not marked as old, etc. Telnetting in, and mucking
around in $MAIL by hand revealed the messages preceded by nulls. Elm read
the mailbox fine, but treated the messages preceded by nulls as
continuations of the previous messages. Eudora, getting the messages from
POP3, also read the messages fine, but again with the broken messages
tacked on to the preceding messages. Manually deleting the nulls wasn't a
reliable way to fix the problem.

My school uses imap, but I didn't -directly- invoke it in this process. It
may have been invoked by their mailer behind the scenes, though.
Re: imap mailbox killer
On Thu, Aug 31, 2000 at 07:32:17AM -0400, Buddha Buck wrote:
> > commands. So having extremely long X-Keywords in mail messages
> > will screw things up. Double yuck.
> >
> > This is in imap-4.7c/src/osdep/unix/unix.c BTW.
> >
> > See the original message and the accompanying thread in debian-devel,
> > archive/latest/67244 , Message-ID <[EMAIL PROTECTED]> from
> > Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]>
>
> This definitely needs to be passed upstream... My mailbox was screwed
> up as well, and I get my mail from a Solaris box, not a Debian one.

My mailbox didn't get screwed up (thank god..) but I did get some very
confused messages from Mutt. I thought mutt was at fault, but evidently it
was imapd...

Jules
Re: imap mailbox killer
> Package: imap
> Version: 4.7c-1
> Severity: important
>
> On Thu 31 Aug 2000, Paul Slootman wrote:
>
> > Yuck. Smells like a serious buffer overflow somewhere.
>
> Upon a quick glance, there indeed appears to be no checks at all
> for buffer overflows. A buf of 8k is allocated into which the
> From:, Status:, X-Status, and X-Keywords: headers are placed,
> with simple
>
>     sprintf (buf + strlen (buf),"...
>
> commands. So having extremely long X-Keywords in mail messages
> will screw things up. Double yuck.
>
> This is in imap-4.7c/src/osdep/unix/unix.c BTW.
>
> See the original message and the accompanying thread in debian-devel,
> archive/latest/67244 , Message-ID <[EMAIL PROTECTED]> from
> Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]>

This definitely needs to be passed upstream... My mailbox was screwed
up as well, and I get my mail from a Solaris box, not a Debian one.

> Paul Slootman
> --
> home: [EMAIL PROTECTED] http://www.wurtel.demon.nl/
> work: [EMAIL PROTECTED] http://www.murphy.nl/
> debian: [EMAIL PROTECTED] http://www.debian.org/
> isdn4linux: [EMAIL PROTECTED] http://www.isdn4linux.de/

--
Buddha Buck [EMAIL PROTECTED]
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacophony of the unfettered speech
the First Amendment protects." -- A.L.A. v. U.S. Dept. of Justice
Re: imap mailbox killer
Package: imap
Version: 4.7c-1
Severity: important

On Thu 31 Aug 2000, Paul Slootman wrote:

> Yuck. Smells like a serious buffer overflow somewhere.

Upon a quick glance, there indeed appears to be no checks at all
for buffer overflows. A buf of 8k is allocated into which the
From:, Status:, X-Status, and X-Keywords: headers are placed,
with simple

    sprintf (buf + strlen (buf),"...

commands. So having extremely long X-Keywords in mail messages
will screw things up. Double yuck.

This is in imap-4.7c/src/osdep/unix/unix.c BTW.

See the original message and the accompanying thread in debian-devel,
archive/latest/67244 , Message-ID <[EMAIL PROTECTED]> from
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]>

Paul Slootman
--
home: [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work: [EMAIL PROTECTED] http://www.murphy.nl/
debian: [EMAIL PROTECTED] http://www.debian.org/
isdn4linux: [EMAIL PROTECTED] http://www.isdn4linux.de/
Re: imap mailbox killer
On Thu 31 Aug 2000, Cristian Ionescu-Idbohrn wrote:

> caused the daemon (or the client) to screw up the "magic". I ended up with a
> "magic" message looking like this:
>
> ,-
> | From MAILER-DAEMON Wed Aug 30 16:36:48 2000
> | Date: 30 Aug 2000 16:36:48 +0200
> | From: Mail System Internal Data <[EMAIL PROTECTED]>
> | Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> | Message-ID: <[EMAIL PROTECTED]>
> | X-IMAP: 0967646162 000339
> =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
> | Status: RO
> |
> | This text is part of the internal format of your mail folder, and is not
> | a real message. It is created automatically by the mail system software.
> | If deleted, important folder data will be lost, and it will be re-created
> | with the data reset to initial values.
> `-
>
> and a lot of NULL characters preceding a few (5-6) of the messages in some
> boxes.

Yuck. Smells like a serious buffer overflow somewhere.
This needs to be fixed fast.

Paul Slootman
--
home: [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work: [EMAIL PROTECTED] http://www.murphy.nl/
debian: [EMAIL PROTECTED] http://www.debian.org/
isdn4linux: [EMAIL PROTECTED] http://www.isdn4linux.de/
Re: imap mailbox killer
Sorry I couldn't answer your letters earlier. I had to repair my mailbox.
I also had to involve and help the system administrators to go through all
the IMAP mailboxes and filter out all the messages with "suspect" headers.
Looks better now, thanks.

I don't know much about the IMAP intrinsics, but here is the story of what
happened (coming from an uninitiated user ;-).

Looks like all boxes get an extra message inserted. It looks something
like this:

,-
| From MAILER-DAEMON Wed Aug 30 09:54:25 2000
| Delivery-Date: Thu May 11 21:51:47 2000
| Date: Thu, 11 May 2000 21:51:47 +0200 (MET DST)
| From: Mail System Internal Data <[EMAIL PROTECTED]>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| X-IMAP: 0928135936 033614
| Status: RO
| X-Status:
| X-Keywords:
| X-UID: 2
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

I don't know if it's the IMAP daemon or the pine client who is responsible
for this.

One (or several) of Juhapekka message header entries, probably this:

,-
| X-Keywords: =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| =?iso-8859-1?Q?vuori=2C_ryss=E4=2C_somali=2C_lesbo=2C_homo=2C_lesbian=2C?=
| =?iso-8859-1?Q?_anarchism=2C_nazi=2C_communism=2C_CIA=2C_bomb=2C_nuclear?=
| =?iso-8859-1?Q?=2C_Semtex=2C_satan=2C_traitor=2C_pedophile?=
`-

caused the daemon (or the client) to screw up the "magic". I ended up with a
"magic" message looking like this:

,-
| From MAILER-DAEMON Wed Aug 30 16:36:48 2000
| Date: 30 Aug 2000 16:36:48 +0200
| From: Mail System Internal Data <[EMAIL PROTECTED]>
| Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
| Message-ID: <[EMAIL PROTECTED]>
| X-IMAP: 0967646162 000339 =?iso-8859-1?Q?kettutyt=F6t=2C_Sanna_Sillanp=E4=E4=2C_IKL=2C_Jammu_Silta?=
| Status: RO
|
| This text is part of the internal format of your mail folder, and is not
| a real message. It is created automatically by the mail system software.
| If deleted, important folder data will be lost, and it will be re-created
| with the data reset to initial values.
`-

and a lot of NULL characters preceding a few (5-6) of the messages in some
boxes.

Hope this helps to find the problem. There's definitely a BUG lurking
somewhere.

Cheers,
Cristian

On Thu, 31 Aug 2000, Juhapekka Tolvanen wrote:

> On Thu, 31 Aug 2000, +00:52:25 EEST (UTC +0300),
> Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> pressed these keys:
>
> > Package: imap
> > Version: 4.7c-1
> >
> > (Juhapekka Tolvanen's messages may be found on these mailing lists:
> > debian-devel@lists.debian.org,debian-legal@lists.debian.org)
> >
> > Man, you got great headers on your messages!
>
> Maybe the problem is caused by my X-Keywords-header, that serves as
> spook line (Hello, NSA! :-) ). I shortened it. Do you still have that
> problem?
>
> There might be a bug in either Pine or IMAP(D) or both.

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner
Re: imap mailbox killer
On Thu, 31 Aug 2000, +00:52:25 EEST (UTC +0300),
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> pressed these keys:

> Package: imap
> Version: 4.7c-1
>
> (Juhapekka Tolvanen's messages may be found on these mailing lists:
> debian-devel@lists.debian.org,debian-legal@lists.debian.org)
>
> Man, you got great headers on your messages!

Maybe the problem is caused by my X-Keywords-header, that serves as
spook line (Hello, NSA! :-) ). I shortened it. Do you still have that
problem?

There might be a bug in either Pine or IMAP(D) or both.

--
Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * [EMAIL PROTECTED]
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
-
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails
Re: imap mailbox killer
I had the same problem... I had to manually edit the messages after
reading them.

On Wed, 30 Aug 2000, Cristian Ionescu-Idbohrn wrote:

> Package: imap
> Version: 4.7c-1
>
> (Juhapekka Tolvanen's messages may be found on these mailing lists:
> debian-devel@lists.debian.org,debian-legal@lists.debian.org)
>
> Man, you got great headers on your messages!
>
> I don't know if it was your intention, but you managed to totally screw
> up my inbox (no hard feelings)!
>
> The IMAP daemon went crazy trying to make sense of that box and put its
> holy counts on the
>
> "Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".
>
> Is this a security hole?
>
> Anybody else suffering from it?
>
> Cristian
>
> --
> I respect faith, but doubt is what gets you an education. -- Wilson Mizner
imap mailbox killer
Package: imap
Version: 4.7c-1

(Juhapekka Tolvanen's messages may be found on these mailing lists:
debian-devel@lists.debian.org,debian-legal@lists.debian.org)

Man, you got great headers on your messages!

I don't know if it was your intention, but you managed to totally screw up
my inbox (no hard feelings)!

The IMAP daemon went crazy trying to make sense of that box and put its
holy counts on the

"Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA".

Is this a security hole?

Anybody else suffering from it?

Cristian

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner