[Bug 791758] Re: CVE-2011-1929 and Dovecot 1.0.10-1ubuntu5.2 in Hardy
Steve Beattie
sbeattie at ubuntu.com
Mon Apr 23 20:52:23 UTC 2012
Hi,
Sorry for losing track of the issue.
I was getting corrupted headers where because one header had multiple
NULLs in it, when dovecot wrote the message back, it ended up dropping
that header and merging/corrupting another header. The example I came up
with was where the original message looked like so:
From test4 at test3.com Tue Nov 28 11:29:34 2007
Date^@: Tue, 28 Nov 2007 11:29:34 +0100
^@From: ( Test User 4 <test4 at test3.com>
To: Dovecot tester <dovecot at test.com>
Sub^@ject: Test 3
Statu^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@s: R
Stop cracking!
(note that the ^@ are representations of NULL characters). Causing the
message to be written back in dovecot results in the following:
From test4 at test3.com Tue Nov 28 11:29:34 2007
Date^@: Tue, 28 Nov 2007 11:29:34 +0100
^@From: ( Test User 4 <test4 at test3.com>
To: Dovecot tester <dovecot at test.com>
Sub^@ject: Test X-IMAPbase: 1308694311 0000000001
X-UID: 1
Status: O
Stop cracking!
Note that the fake Subject line has the X-IMAPbase header merged into
it. I was not able to get more widespread corruption of the mailbox, but
didn't try very hard.
Anyway, dovecot in hardy is not affected by the original crashing issue,
and so I'm going to close this specific bug report.
Thanks, and sorry again for the delay in following up with this issue.
** Changed in: dovecot (Ubuntu)
Status: In Progress => Invalid
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dovecot in Ubuntu.
https://bugs.launchpad.net/bugs/791758
Title:
CVE-2011-1929 and Dovecot 1.0.10-1ubuntu5.2 in Hardy
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/791758/+subscriptions
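A defender-side check for the condition described in the message above, as an added example that is not part of the original e-mail or of Dovecot: it scans the header block of each message in an mbox file for NUL bytes and for an X-IMAPbase or X-UID header appearing mid-line, the merge symptom shown in the rewritten message. The function name, the sample bytes and the mid-line heuristic are assumptions made for illustration.

```python
import re

# Dovecot mbox bookkeeping headers that appear merged into another header
# in the report's rewritten message (heuristic chosen for this example).
MERGED = re.compile(rb"[ \t](X-IMAPbase|X-UID):")


def scan_mbox_headers(data: bytes):
    """Return (message_no, line_no, kind) for suspicious mbox header lines."""
    findings = []
    msg = 0
    in_headers = False
    prev_blank = True  # the first "From " line needs no preceding blank line
    for line_no, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if prev_blank and line.startswith(b"From "):
            msg += 1            # mbox separator line: a new message starts
            in_headers = True
        elif in_headers and not line:
            in_headers = False  # blank line ends the header block
        elif in_headers:
            if b"\x00" in line:
                findings.append((msg, line_no, "nul-in-header"))
            if MERGED.search(line):
                findings.append((msg, line_no, "merged-header"))
        prev_blank = not line
    return findings


# Constructed sample modelled on the rewritten message in the report, plus a
# clean second message whose body (not its headers) contains a NUL.
SAMPLE = (
    b"From test4@test3.com Tue Nov 28 11:29:34 2007\n"
    b"Date\x00: Tue, 28 Nov 2007 11:29:34 +0100\n"
    b"To: Dovecot tester <dovecot@test.com>\n"
    b"Sub\x00ject: Test X-IMAPbase: 1308694311 0000000001\n"
    b"X-UID: 1\n"
    b"Status: O\n"
    b"\n"
    b"Stop cracking!\n"
    b"\n"
    b"From clean@test.com Tue Nov 28 11:30:00 2007\n"
    b"Subject: clean message\n"
    b"\n"
    b"body with \x00 is not a header\n"
)

if __name__ == "__main__":
    for msg, line_no, kind in scan_mbox_headers(SAMPLE):
        print(f"message {msg}, line {line_no}: {kind}")
```

The mbox must be read in binary mode, since text decoding can drop or alter the NUL bytes the check looks for.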