'Fwd: special messages let kmail die'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kmail-devel
Subject:    Fwd: special messages let kmail die
From:       Stefan Taferner <taferner () kde ! org>
Date:       2000-05-29 7:17:38
[Download RAW message or body]

An interesting problem here.
I do not use PGP, so I cannot check it.

Btw, I have removed the strace log as it is pretty long. Please tell me if you
want to have it.

--Stefan

----------  Forwarded Message  ----------
Subject: special messages let kmail die
Date: Sun, 28 May 2000 23:15:58 +0200
From: Hartmut Prochaska <q4528174@bonsai.fernuni-hagen.de>
To: taferner@kde.org

Hi,

I got a problem with some mails. Whenever I try to open them kmail crashes
 with sigpipe. I attached the stracelog and an excerpt of this mail from the
 mailfile. I can't see any rule at the moment, but mostly it happens with
 reports from Microsoft send to the Bugtraq-list and Free-BSD Advisories.

Bye
Hartmut
--
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.

-------------------------------------------------------




["1.txt" (message/rfc822)]

From aaa@aaa Mon Jan 01 00:00:00 1997
Return-Path: <owner-bugtraq@SECURITYFOCUS.COM>
X-Flags: 1000
Delivered-To: GMX delivery to maruk64@gmx.net
Received: (qmail 14765 invoked by uid 0); 25 Apr 2000 20:55:06 -0000
Received: from lists.securityfocus.com (207.126.127.68)
  by mx18.rz2.gmx.net with SMTP; 25 Apr 2000 20:55:06 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68])
	by lists.securityfocus.com (Postfix) with ESMTP
	id C746E1F61A; Tue, 25 Apr 2000 09:57:39 -0700 (PDT)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
          (LISTSERV-TCP/IP release 1.8d) with spool id 8089495 for
          BUGTRAQ@LISTS.SECURITYFOCUS.COM; Tue, 25 Apr 2000 09:57:20 -0700
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by
          lists.securityfocus.com (Postfix) with SMTP id C84EE1EEC7 for
          <bugtraq@lists.securityfocus.com>; Mon, 24 Apr 2000 22:32:35 -0700
          (PDT)
Received: (qmail 23314 invoked by alias); 25 Apr 2000 05:04:23 -0000
Delivered-To: bugtraq@securityfocus.com
Received: (qmail 3453 invoked from network); 24 Apr 2000 22:46:15 -0000
Received: from hub.freebsd.org (204.216.27.18) by mail.securityfocus.com with
          SMTP; 24 Apr 2000 22:46:15 -0000
Received: by hub.freebsd.org (Postfix, from userid 758) id EEF4B37BBB4; Mon, 24
          Apr 2000 15:46:35 -0700 (PDT)
Message-ID:  <20000424224635.EEF4B37BBB4@hub.freebsd.org>
Date:         Mon, 24 Apr 2000 15:46:35 -0700
Reply-To: security-officer@freebsd.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Comments:     RFC822 error: <W> FROM field duplicated. Last occurrence was
              retained.
From: FreeBSD Security Officer <security-officer@FREEBSD.ORG>
Subject:      FreeBSD Security Advisory: FreeBSD-SA-00:15.imap-uw
To: BUGTRAQ@SECURITYFOCUS.COM
X-UIDL: a7a89d4539e877cbf40cdd9db54828ce
Status: RO
X-Status: U

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:15                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		imap-uw allows local users to deny service to any mailbox

Category:       ports
Module:         imap-uw
Announced:      2000-04-24
Credits:	Alex Mottram <alex@NET-CONNECT.NET> via BugTraq
Affects:        Ports collection.
Corrected:      See below.
Vendor status:	Notified.
FreeBSD only:   NO

I.   Background

imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
of Washington.

II.  Problem Description

The imap-uw port supplies a "libc-client" library which provides
various functionality common to mail servers. The algorithm used for
locking of mailbox files contains a weakness which allows an
unprivileged local user to lock an arbitrary local mailbox.

In the case of POP2/POP3 servers, this means that the mailbox will not
be able to be accessed at all by the owner. In the case of IMAP4
servers, the folder can be opened for reading, but not writing
(i.e. can only be accessed read-only).

Note that this is a different vulnerability than that described in
FreeBSD Security Advisory 00:14, and affects all imap-uw servers which
provide shell-level access to users. However note that by virtue of
advisory 00:14, all users who can access their mail remotely via imap
can acquire such access even without explicit shell login access.

The imap-uw port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3200 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A user who has, or who can obtain (see advisory 00:14) shell access to
the mail server can prevent an arbitrary mailbox from being opened via
pop2/pop3, or can force the mailbox to be only opened read-only via
imap.

If you have not chosen to install the imap-uw port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the imap-uw port/package, if you you have installed it.

2) Consider using another POP2/POP3 server if you do not require IMAP
functionality. See the notes regarding alternative IMAP servers in
FreeBSD Security Advisory 00:14.

V.   Solution

No patch is currently available. It is encumbent on the imap-uw
developers to redesign the mailbox locking scheme to provide a secure
locking mechanism which is not vulnerable to local denial-of-service
attacks.

This advisory will be updated once the known vulnerabilities in
imap-uw have been addressed.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOQTN8FUuHi5z0oilAQH58gP+JtkvDh4EFR13jGKxb6PERkt9x6Cpy+DY
1P56XODBiK4tnbTjdke2JLLNUHpSYtN23h8zt1DtnlxnxunQa8Y6fhptbpgHUWAu
ZIJlLLnl0iQcjj3Lqwz2E2BaFsyZxlVSGQnD/EmI+tyZcY+oTYbomCgi1RW3kbn+
fmNJXmwTXCg=
=TwTN
-----END PGP SIGNATURE-----



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic