Bug 1411720 (CVE-2018-5161): TBE-01-017: Multiple Hangs via malformed Headers
Status: RESOLVED FIXED (Closed)
Opened 7 years ago, closed 7 years ago
Categories: MailNews Core :: MIME, defect
Tracking: thunderbird_esr52 60+ fixed
Target Milestone: Thunderbird 60.0
People: Reporter: BenB, Assigned: mkmelin
Details: 4 keywords
Attachments (2 files):
- 4.50 KB, patch (jorgk-bmo: review+, jorgk-bmo: approval-comm-esr52+)
- 1.15 KB, text/plain
An issue was discovered to let an attacker craft an email which causes the victim’s Thunderbird process to hang on receiving the message. For some test cases, the hang persisted across a restart of the Thunderbird software, thus making it impossible to use the application unless the email was deleted via the mail provider’s web interface. Below is an example of an email culprit.
Email which causes a hang:
Content-Type: text/plain
Subject: HANG!
From: evil@attacker
To: sad@victim
CC: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
meowmeow
Once the email is processed, Thunderbird freezes and consumes 100% of the CPU resources. Moreover, the amount of used memory increases. This problem is caused by an escaping algorithm which processes the header field in a manner presented next:
@@ => "@"@
@@@ => "\"@\"@"@
@@@@ => "\"\\\"@\\\"@\"@"@
@@@@@@ => "\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"@\\\\\\\\\\\\\\\"@\\\\\\\"@\\\"@\"@"@
Adding @ characters to the header entry increases the length of the encoded string exponentially, thus resulting in high CPU and memory consumption. All header types permitted to contain email addresses, e.g. From, To, BCC, Resent-From, are affected by this issue. It is recommended to review and fix the escaping algorithm to avoid Denial of Service and foster more robust parsing.
For the original report as PDF, see bug 1411701.
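The growth described in the report can be reproduced with a small model and turned into a regression check. This is an added example, not JSMime's code and not the patch attached to this bug; `quote`, `nestedQuote`, `projectedLength`, `quoteOnce` and `growsLinearly` are hypothetical names, and `nestedQuote` is only a model chosen because it reproduces the table rows above.

```javascript
// Model of the re-quoting pattern shown in the report's table.
// Assumption: this is NOT JSMime's code; all function names are hypothetical.

// Wrap s as a quoted-string, backslash-escaping every \ and ".
function quote(s) {
  return '"' + s.replace(/[\\"]/g, "\\$&") + '"';
}

// Flawed pattern: each further character re-quotes everything emitted so
// far, so quotes that are already escaped get escaped again.
function nestedQuote(input) {
  let out = input.slice(0, 1);
  for (const ch of input.slice(1)) out = quote(out) + ch;
  return out;
}

// Closed form for the model's output length on n "@" characters (n >= 1):
// the quote pair at nesting depth k costs 2 * 2^k characters.
function projectedLength(n) {
  return n + 2 ** n - 2;
}

// Single-pass alternative: escape the raw input exactly once.
// Worst case (input made only of \ and ") is 2n + 2 characters.
function quoteOnce(input) {
  return quote(input);
}

// Regression check for any header formatter: output length must stay
// within factor * n + slack for n repeated "@" characters.
function growsLinearly(format, maxN = 16, factor = 2, slack = 2) {
  for (let n = 1; n <= maxN; n++) {
    if (format("@".repeat(n)).length > factor * n + slack) return false;
  }
  return true;
}

// Constructed inputs: short runs of "@", as in the table above.
for (const n of [2, 3, 4, 6]) {
  const out = nestedQuote("@".repeat(n));
  console.log(`${n} chars -> ${out.length} chars (formula ${projectedLength(n)})`);
}
console.log("nestedQuote linear?", growsLinearly(nestedQuote));
console.log("quoteOnce linear?", growsLinearly(quoteOnce));
```

Passing the formatter under test to `growsLinearly` in place of the model gives a cheap regression check for this class of hang.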
Comment 2 • 7 years ago
Calling this sec-moderate if the DOS persists across restarts. If it's a startup DOS with no way to clear it short of hand-editing mailbox files we could call it sec-high.
Keywords: csectype-dos, sec-moderate
Summary: Multiple Hangs via malformed Headers → TBE-01-017: Multiple Hangs via malformed Headers
Comment 3 • 7 years ago (Reporter)
xref bug 1293245
Magnus says this is in JSMime
Comment 5 • 7 years ago
Magnus, can you suggest a fix for this issue, or at least an analysis for the cause?
Flags: needinfo?(mkmelin+mozilla)
Comment 6 • 7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Calling this sec-moderate if the DOS persists across restarts. If it's a
> startup DOS with no way to clear it short of hand-editing mailbox files we
> could call it sec-high.
In bug 1293245 comment 10 I provide expanded information about a crash I experienced while testing. I haven't yet been able to speak with the crashing users to confirm, but I think it is possible some users may repeatedly hang or crash on restart.
Comment 7 • 7 years ago (Assignee)
I believe the issue is around here: https://dxr.mozilla.org/comm-central/rev/bdfa5f49559ea2934ac930efd731ec5c5d5cc3ae/mailnews/mime/jsmime/jsmime.js#890 - but I could be wrong.
Flags: needinfo?(mkmelin+mozilla)
Comment 8 • 7 years ago (Assignee)
This seems to do it.
Try (still running): https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=3fba1aabcfda482850e3d791b1a54e8ba2452fb9
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #8953864 - Flags: review?(Pidgeot18)
Comment 9 • 7 years ago (Assignee)
Test case. Just open this to hang.
Updated • 7 years ago (Assignee)
Attachment #8953864 - Flags: review?(jorgk)
Comment 10 • 7 years ago (Assignee)
The patch also fixes bug 1293245.
Updated • 7 years ago
Attachment #8954903 - Attachment mime type: message/rfc822 → text/plain
Comment 11 • 7 years ago
Comment on attachment 8953864: bug1411720_malformed_header_hang.patch
Looks reasonable and passes all the tests, including the new ones ;-)
Thanks for taking this on and sorry about the delay in reviewing this.
Attachment #8953864 - Flags: review?(jorgk)
Attachment #8953864 - Flags: review?(Pidgeot18)
Attachment #8953864 - Flags: review+
Comment 12 • 7 years ago
https://hg.mozilla.org/comm-central/rev/9d5235fbda18ee290a2731bb20126a6fda92452f
prevent hang with malformed headers. r=jorgk
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 60.0
Updated • 7 years ago
Group: mail-core-security → core-security-release
Updated • 7 years ago (Assignee)
Attachment #8953864 - Flags: approval-comm-esr52?
Attachment #8953864 - Flags: approval-comm-beta?
Updated • 7 years ago
Attachment #8953864 - Flags: approval-comm-esr52?
Attachment #8953864 - Flags: approval-comm-esr52+
Attachment #8953864 - Flags: approval-comm-beta?
Attachment #8953864 - Flags: approval-comm-beta+
Comment 13 • 7 years ago
Comment on attachment 8953864: bug1411720_malformed_header_hang.patch
Already landed on TB 60.
Attachment #8953864 - Flags: approval-comm-beta+
Comment 14 • 7 years ago
TB 52.8 ESR:
https://hg.mozilla.org/releases/comm-esr52/rev/162f2e1f956d59f134d9bf4c7da5032ec0e837dc
status-thunderbird_esr52: --- → fixed
tracking-thunderbird_esr52: --- → 60+
Updated • 7 years ago
Alias: CVE-2018-5161
Updated • 5 years ago
Group: core-security-release