Debian Bug report logs - #869736
libgmime-3.0-0: infinite loop when parsing malformed address

Package: libgmime-3.0-0; Maintainer for libgmime-3.0-0 is Daniel Kahn Gillmor <dkg@fifthhorseman.net>; Source for libgmime-3.0-0 is src:gmime.

Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Tue, 25 Jul 2017 22:57:05 UTC

Severity: normal

Tags: security

Found in version gmime/3.0.1-2

Fixed in version gmime/3.0.1-3

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#869736; Package libgmime-3.0-0. (Tue, 25 Jul 2017 22:57:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgmime-3.0-0: infinite loop when parsing malformed address
Date: Tue, 25 Jul 2017 23:36:32 +0200
Package: libgmime-3.0-0
Version: 3.0.1-2
Tags: security

GMime falls into an infinite loop when parsing some malformed addresses.
To reproduce, rebuild the package from source and run test-parser against the
attached mailbox:

  $ gzip -d infloop.mbox.gz
  $ tests/test-parser infloop.mbox

  Testing MIME parser...

  [... eats 100% CPU forever ...]

Backtrace:

#0  0xf7f64887 in g_mime_skip_cfws (in=0xffffd3f8) at gmime-parse-utils.c:184
#1  0xf7f64e73 in decode_subliteral (domain=0x56565690, in=0xffffd3f4) at gmime-parse-utils.c:357
#2  0xf7f64e73 in decode_domain_literal (domain=0x56565690, in=<optimized out>) at gmime-parse-utils.c:375
#3  0xf7f64e73 in g_mime_decode_domain (in=0xffffd474, domain=0x56565690) at gmime-parse-utils.c:415
#4  0xf7f7be4d in decode_route (in=0xffffd46c) at internet-address.c:1412
#5  0xf7f7be4d in mailbox_parse (address=<synthetic pointer>, name=0x56567978 "", in=0xffffd468, options=0x5655f5c0) at internet-address.c:1708
#6  0xf7f7be4d in address_parse (flags=ALLOW_ANY, address=<synthetic pointer>, charset=0xffffd460, in=0xffffd464, options=0x5655f5c0) at internet-address.c:2043
#7  0xf7f7be4d in address_list_parse (list=list@entry=0x5655f820 [InternetAddressList], options=options@entry=0x5655f5c0, in=in@entry=0xffffd4b8, is_group=0) at internet-address.c:2078
#8  0xf7f7cfda in address_list_parse (is_group=0, in=<optimized out>, options=0x5655f5c0, list=0x5655f820 [InternetAddressList]) at internet-address.c:2064
#9  0xf7f7cfda in internet_address_list_parse (options=0x5655f5c0, str=0x56567890 "<@[\t(") at internet-address.c:2129
#10 0xf7f5bd5c in message_update_addresses (message=message@entry=0x5655a358 [GMimeMessage], options=0x5655f5c0, options@entry=0xf7f5c520 <from_changed>, type=GMIME_ADDRESS_TYPE_FROM) at gmime-message.c:288
#11 0xf7f5c034 in process_header (object=object@entry=0x5655a358 [GMimeMessage], header=0x5655a358 [GMimeMessage], header@entry=0x56567a00 [GMimeHeader]) at gmime-message.c:330
#12 0xf7f5c10f in message_header_added (object=0x5655a358 [GMimeMessage], header=0x56567a00 [GMimeHeader]) at gmime-message.c:362
#13 0xf7f50ac3 in g_mime_event_emit (event=0x5655e7d8, args=0xffffd574) at gmime-events.c:221
#14 0xf7f5a5b2 in _g_mime_header_list_append (headers=0x56566c40 [GMimeHeaderList], name=0x56566b60 "From", raw_name=0x565655f0 "From", raw_value=0x56566b50 "<@[\t(", offset=6) at gmime-header.c:1196
#15 0xf7f619e0 in _g_mime_object_append_header (object=<optimized out>, header=0x56566b60 "From", raw_name=0x565655f0 "From", raw_value=0x56566b50 "<@[\t(", offset=6) at gmime-object.c:848
#16 0xf7f684da in parser_construct_message (options=0x0, parser=0x56565600 [GMimeParser]) at gmime-parser.c:1999
#17 0xf7f684da in g_mime_parser_construct_message (parser=0x56565600 [GMimeParser], options=0x0) at gmime-parser.c:2044
#18 0x56555f5d in test_parser (stream=<optimized out>) at test-parser.c:170
#19 0x56555f5d in main (argc=2, argv=0xffffd704) at test-parser.c:268

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libgmime-3.0-0 depends on:
ii  libassuan0     2.4.3-2
ii  libc6          2.24-12
ii  libglib2.0-0   2.52.3-1
ii  libgpg-error0  1.27-3
ii  libgpgme11     1.8.0-3+b3
ii  zlib1g         1:1.2.8.dfsg-5

-- 
Jakub Wilk
[infloop.mbox.gz (application/gzip, attachment)]
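
An added illustration, not part of the report and not GMime's code: a constructed model of the bug class the backtrace points at, where a domain-literal loop keeps calling a CFWS skipper that refuses to consume an unterminated comment, so the cursor never moves. The helper names, return codes and the `check_progress` / `max_iter` parameters are hypothetical; how GMime's `decode_subliteral` actually failed is not shown on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { LIT_OK = 0, LIT_MALFORMED = -1, LIT_STUCK = -2 };

/* Hypothetical helper: skip whitespace and complete "(...)" comments.
 * An unterminated comment is not consumed: the cursor is left on its '('
 * and false is returned. */
static bool skip_cfws(const char **in)
{
    const char *p = *in;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '(') break;
        const char *end = strchr(p, ')');
        if (!end) { *in = p; return false; }
        p = end + 1;
    }
    *in = p;
    return true;
}

/* Hypothetical decoder for "[ ... ]". With check_progress false the loop
 * trusts its helpers to advance; max_iter stands in for "spins forever". */
static int decode_literal(const char *s, bool check_progress, int max_iter)
{
    const char *p = s;
    if (*p++ != '[') return LIT_MALFORMED;
    for (int i = 0; i < max_iter; i++) {
        const char *start = p;
        bool ok = skip_cfws(&p);
        while (*p && *p != ']' && *p != '(' && *p != ' ' && *p != '\t') p++;
        if (*p == ']') return LIT_OK;
        if (*p == '\0') return LIT_MALFORMED;      /* ran off the end */
        if (check_progress && (!ok || p == start)) /* no forward progress */
            return LIT_MALFORMED;
    }
    return LIT_STUCK;
}

int main(void)
{
    const char *bad = "[\t(";  /* tail of the From value in the backtrace */
    printf("unchecked: %d\n", decode_literal(bad, false, 1000000));
    printf("checked:   %d\n", decode_literal(bad, true, 1000000));
    printf("valid:     %d\n", decode_literal("[ (c) 10.0.0.1 ]", true, 1000000));
    return 0;
}
```

The unchecked call exhausts its iteration budget on the three-byte input, while the progress check rejects it on the first pass; the same "did the cursor move?" test is a cheap guard for any hand-written parser loop exposed to untrusted headers.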

Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Thu, 27 Jul 2017 18:39:03 GMT)


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Thu, 27 Jul 2017 18:39:03 GMT)


Message #8 received at 869736-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 869736-close@bugs.debian.org
Subject: Bug#869736: fixed in gmime 3.0.1-3
Date: Thu, 27 Jul 2017 18:34:24 +0000
Source: gmime
Source-Version: 3.0.1-3

We believe that the bug you reported is fixed in the latest version of
gmime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869736@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gmime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Jul 2017 14:16:08 -0400
Source: gmime
Binary: libgmime-3.0-dev gir1.2-gmime-3.0 libgmime-3.0-doc libgmime-3.0-0 gmime-bin
Architecture: source
Version: 3.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 gir1.2-gmime-3.0 - MIME message parser and creator library - GObject introspection d
 gmime-bin  - MIME message parser and creator library - runtime binaries
 libgmime-3.0-0 - MIME message parser and creator library
 libgmime-3.0-dev - MIME message parser and creator library - development files
 libgmime-3.0-doc - MIME message parser and creator library - documentation
Closes: 869736
Changes:
 gmime (3.0.1-3) unstable; urgency=medium
 .
   * clean up gbp.conf
   * include bugfixes and patches from upstream (Closes: #869736)
   * no need for explicit use of autoreconf (already covered by dh 10)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Aug 2017 07:26:16 GMT)

