Bug 1411720 (CVE-2018-5161): TBE-01-017: Multiple Hangs via malformed Headers

Status: RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Product / Component: MailNews Core :: MIME
Type: defect
Priority: Not set
Severity: critical
Target Milestone: Thunderbird 60.0
Tracking: thunderbird_esr52 60+ fixed
Reporter: BenB
Assignee: mkmelin
Keywords: 4
Attachments: 2 files

An issue was discovered to let an attacker craft an email which causes the victim’s Thunderbird process to hang on receiving the message. For some test cases, the hang persisted across a restart of the Thunderbird software, thus making it impossible to use the application unless the email was deleted via the mail provider’s web interface. Below is an example of an email culprit.

Email which causes a hang:

    Content-Type: text/plain
    Subject: HANG!
    From: evil@attacker
    To: sad@victim
    CC: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    meowmeow

Once the email is processed, Thunderbird freezes and consumes 100% of the CPU resources. Moreover, the amount of used memory increases. This problem is caused by an escaping algorithm which processes the header field in a manner presented next:

    @@     => "@"@
    @@@    => "\"@\"@"@
    @@@@   => "\"\\\"@\\\"@\"@"@
    @@@@@@ => "\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"@\\\\\\\\\\\\\\\"@\\\\\\\"@\\\"@\"@"@

Adding @ characters to the header entry increases the length of the encoded string exponentially, thus resulting in high CPU and memory consumption. All header types permitted to contain email addresses, e.g. From, To, BCC, Resent-From, are affected by this issue. It is recommended to review and fix the escaping algorithm to avoid Denial of Service and foster more robust parsing.

For the original report as PDF, see bug 1411701.
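The expansion table above, modelled as an added example that is not JSMime's code and not part of this bug: the encoding functions are assumptions reconstructed from the table, showing that a quoter which re-quotes its own output doubles every backslash per '@' while quoting the raw local part once grows linearly.

```javascript
// Added example, not JSMime code and not from this bug: a model of the
// re-quoting behaviour in the expansion table above, next to a routine
// that quotes the local part exactly once.

// RFC 5322 quoted-string: backslash and double quote are escaped with '\'.
function quoteString(s) {
  return '"' + s.replace(/[\\"]/g, (c) => "\\" + c) + '"';
}

// A local part made only of dot-atom characters needs no quoting.
function needsQuoting(local) {
  return !/^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+$/.test(local);
}

// Assumed model of the flawed behaviour, reconstructed from the table:
// split at the last '@', then quote whatever the previous level already
// produced, so each existing backslash and quote is doubled once more.
function encodeAddrRequoting(addr) {
  const at = addr.lastIndexOf("@");
  if (at <= 0) return addr;                    // no local part to encode
  const local = encodeAddrRequoting(addr.slice(0, at));
  const domain = addr.slice(at + 1);
  return (needsQuoting(local) ? quoteString(local) : local) + "@" + domain;
}

// Hardened variant: decide on the raw local part and quote it a single
// time. Output length is linear in the input because nothing is escaped
// twice, however many '@' characters the local part contains.
function encodeAddrOnce(addr) {
  const at = addr.lastIndexOf("@");
  if (at <= 0) return addr;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  return (needsQuoting(local) ? quoteString(local) : local) + "@" + domain;
}

// Output lengths for local parts of n '@' characters, n = 2..maxN, so the
// two growth curves can be compared (kept small on purpose).
function growth(encode, maxN) {
  const lengths = [];
  for (let n = 2; n <= maxN; n++) lengths.push(encode("@".repeat(n)).length);
  return lengths;
}
```

growth(encodeAddrRequoting, 6) reproduces the table lengths 4, 9, 18, 35, 68, while growth(encodeAddrOnce, 6) gives 4, 5, 6, 7, 8.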
Sounds like bug 1293245
Keywords: hang, perf
Calling this sec-moderate if the DOS persists across restarts. If it's a startup DOS with no way to clear it short of hand-editing mailbox files we could call it sec-high.
Summary: Multiple Hangs via malformed Headers → TBE-01-017: Multiple Hangs via malformed Headers
xref bug 1293245. Magnus says this is in JSMime.
See Also: → 1293245
Blocks: 1293245
See Also: 1293245
Magnus, can you suggest a fix for this issue, or at least an analysis for the cause?
Flags: needinfo?(mkmelin+mozilla)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Calling this sec-moderate if the DOS persists across restarts. If it's a
> startup DOS with no way to clear it short of hand-editing mailbox files we
> could call it sec-high.

In bug 1293245 comment 10 I provide expanded information about a crash I experienced while testing. I haven't yet been able to speak with the crashing users to confirm, but I think it is possible some users may repeatedly hang or crash on restart.
Flags: needinfo?(mkmelin+mozilla)
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #8953864 - Flags: review?(Pidgeot18)
Test case. Just open this to hang.
Attachment #8953864 - Flags: review?(jorgk)
The patch also fixes bug 1293245.
Attachment #8954903 - Attachment mime type: message/rfc822 → text/plain
Comment on attachment 8953864 [details] [diff] [review]
bug1411720_malformed_header_hang.patch

Looks reasonable and passes all the tests, including the new ones ;-) Thanks for taking this on and sorry about the delay in reviewing this.
Attachment #8953864 - Flags: review?(jorgk)
Attachment #8953864 - Flags: review?(Pidgeot18)
Attachment #8953864 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 60.0
Group: mail-core-security → core-security-release
Attachment #8953864 - Flags: approval-comm-esr52?
Attachment #8953864 - Flags: approval-comm-beta?
Attachment #8953864 - Flags: approval-comm-esr52?
Attachment #8953864 - Flags: approval-comm-esr52+
Attachment #8953864 - Flags: approval-comm-beta?
Attachment #8953864 - Flags: approval-comm-beta+
Comment on attachment 8953864 [details] [diff] [review]
bug1411720_malformed_header_hang.patch

Already landed on TB 60.
Attachment #8953864 - Flags: approval-comm-beta+
Alias: CVE-2018-5161
Group: core-security-release