Closed Bug 304247 Opened 19 years ago Closed 18 years ago

TB Header Tools Extension adds junk to end of header when using "Change Header Details" feature

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ev.senter, Assigned: mscott)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

I added the add-on from Mozilla downloads several months ago and have been
changing Header lines on email for months. One day I noticed that a long string
of junk characters had been added on to the revised Header lines. It was my
opinion at that time that it only occurred at times when I had a lot of windows
open and minimized. That may be true. In any case when I updated Thunderbird I
thought it would be fixed. It may have been, briefly, or maybe I did not have
enough windows open after the fix to cause the problem. But today, with lots of
windows open, mostly in Firefox (seven windows in one, plus one in a second
window) but also 5 in Notepad, 2 in Word, 1 each in Excel, Calculator and Windows
Explorer, it happened again for the first time in 1-3 weeks (since the update).
I tried the "Change Header Details" twice and it happened both times. The first
two and last three characters (b= and = ;) were the same, but in between they
were random looking. It looks like I imagine a "buffer overrun" might. Here is a
copy of the first one (none of it looks like anything I ever typed in my life):
 b=r4BiN3AyIn3ENJu8mysfc8EUhkKfS7gOwVPuVb8u6Nh54n5qBdcp/wW7BbDemwzitlp0793J/cyi+QexfLI5D0YH1u++oF2feEcYFJv5EnW3ElOnJVERO2B5C7bSa9IZz8/du/b+Yl+wIWVdQga4Aq3+tXqjDW/DrEBMP3R73Qo=
 ;
This is only a major problem if it is a security risk. I don't know much about
that, but "buffer overruns" are mentioned as security risks often at MSN.
I can reproduce this now with all these windows open, but I'm not sure it will
be reproducible after I shut down and restart before opening so many windows.
For what it is worth, I have about 375MB of random memory (250MB added to orig).
I'll watch that and if you ask me I'll try it and see. Otherwise this is the
last you will hear from me about this.

Reproducible: Always

Steps to Reproduce:
1. Open lots of windows as stated above.
2. Use the "Change Header Details" in "Tools" (an add-on feature from Mozilla)
3. Mouse over the changed email header and notice the junk added to end of header

Actual Results:  
As reported, it added junk again, with the same beginning and ending  and random
junk in between.

Expected Results:  
Add only what I have intended and typed.

What extension are you using?  Where can I download it?  Have you tried
contacting the author of the extension?

Ev replied to me by email, saying that the extension is "TB Header Tools
Extension", which can be downloaded from
https://addons.mozilla.org/extensions/moreinfo.php?application=thunderbird&id=875

Ev, you said "I have not contacted the author, especially since this is a
potential security hazard."  Do you mean that you think this is a security hole
in Thunderbird rather than in the extension?

To all who are following this potential security risk:

This morning my PC had been automatically updated by Windows (some security
update had been performed) and automatically re-booted. I opened Thunderbird,
read some email, one of which was about this subject risk from jruderman. I used
the TB [Change] Header [Details] Tool to change the subject line of his email
and no additional garbage was added to the header at the end. It is possible
that the security hole, if it ever existed, has been repaired by Windows Update.
However, when I open lots of windows later today, if the junk starts getting
added again, I'll advise you anew.

Dear Jesse Ruderman:

Regarding why I have not contacted the author about this:

I don't know whether this is truly a security problem or not, and if it is, I
don't know whether or not it is to be considered a Windows, a Thunderbird, or
just an "extension threat." What I do know is that many security threats seem to
have involved "buffer overrun" in Windows, and this looks like a possible
"buffer overrun" error to me, a layman. If by adding on this extension, which a
person can get by way of the Mozilla/Thunderbird website, a security threat can
be engendered, it seems to me that it becomes a Windows or Mozilla/Thunderbird
concern. I'll leave that to your judgment, but that is mine. If I deleted the
extension, it is possible that this possible security hole might not show up for
me. I can't say that some other author might not inadvertently expose this
possible security hole that might be able to be fixed by Mozilla or Windows now.
So I think it wise to look closely at it. But I don't know how to do that. I
frankly did not think of contacting the author. I am not saying that is a bad
idea. You might have a way of communicating with the author by secure means, but
I don't, as far as I know. And I don't know if the author is trained in this
kind of security matter. (What may be needed is to plug something to make it
impossible for an author to make this mistake). Please feel free to contact the
author if it might be of help. But don't overlook the security question: did the
author possibly supply something that the author could later exploit?

Summary: "Change Header Details" add-on has a flaw. Adds junk to end of changed header. → TB Header Tools Extension adds junk to end of header when using "Change Header Details" feature

Add Frank (author of TB Header Tools Extension) to the CC list so he can see
this bug report.

Interesting to say the least !

Could you possibly 'View Source' ( ctrl-U ) on the message that you saw this
'buffer overrun' on please ?

I am assuming the message itself had that string of characters as a header.. 

If anyone else sees this, is that string of chars some kind of encoding scheme ?
(if it is, I don't recognize it )

Questions for Ev,
Which header was it ?

Can you zip up that message and post it here as an attachment ?  ( you can strip
off personal info if you must but I would rather see the message as
TB+HeaderTools sees it )

Just FYI.. HeaderTools does nothing more than read in the message source, parse
for each header/value pair and populate textboxes with the value data...  It DOES
NOT parse each header's value data at all.

Frank asks: 
Could you possibly 'View Source' ( ctrl-U ) on the message that you saw this
'buffer overrun' on please ? .... Can you zip up that message and post it here
as an attachment ?  ( you can strip off personal info if you must but I would
rather see the message as TB+HeaderTools sees it )
I have copied the "view source" from the beginning to the salutation (I don't
know if I have zip software or not) and will paste it immediately below. Let me
know if you need the contents (text after salutation) as well.

From - Tue Aug 09 10:36:51 2005
X-Account-Key: account2
X-UIDL: 962-1113555249
X-Mozilla-Status: 0003
X-Mozilla-Status2: 00000000
Received: from web31012.mail.mud.yahoo.com ([172.18.12.134])
 by vms041.mailsrvcs.net
 (Sun Java System Messaging Server 6.2 HotFix 0.04 (built Dec 24 2004))
 with ESMTP id <0IKZ00LPL2KFL1M3@vms041.mailsrvcs.net> for
 ev.senter@verizon.net; Tue, 09 Aug 2005 15:36:15 -0500 (CDT)
Received: from web31012.mail.mud.yahoo.com (68.142.201.70)
 by sv4pub.verizon.net (MailPass SMTP server v1.2.0 - 013105113116JY+PrW)
 with  SMTP id <2-19172-132-19172-485566-1-1123619775> for
 vms041pub.verizon.net; Tue, 09 Aug 2005 15:36:15 -0500
Received: (qmail 33179 invoked by uid 60001); Tue, 09 Aug 2005 20:36:15 +0000
Received: from [24.151.240.165] by web31012.mail.mud.yahoo.com via HTTP; Tue,
 09 Aug 2005 13:36:15 -0700 (PDT)
Date: Tue, 09 Aug 2005 13:36:15 -0700 (PDT)
From: Century Square <centurysquareapts@yahoo.com>
Subject: Race [income, Marisa's move, tenant debt]
To: Ev Senter <ev.senter@verizon.net>
Message-id: <20050809203615.33177.qmail@web31012.mail.mud.yahoo.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="0-286384906-1123619775=:29635"
Content-transfer-encoding: 8bit
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  s=s1024; d=yahoo.com;
Subject: Race [income, Marisa's move, tenant debt]
 b=r4BiN3AyIn3ENJu8mysfc8EUhkKfS7gOwVPuVb8u6Nh54n5qBdcp/wW7BbDemwzitlp0793J/cyi+QexfLI5D0YH1u++oF2feEcYFJv5EnW3ElOnJVERO2B5C7bSa9IZz8/du/b+Yl+wIWVdQga4Aq3+tXqjDW/DrEBMP3R73Qo=
 ;
X-NAS-Language: English
X-NAS-Bayes: #0: 0; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 2467
X-NAS-Validation: {5F115F17-AB80-4F45-9A04-8CE5A9F895BB}

--0-286384906-1123619775=:29635
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi, Ev,
 
This is not a currently happening bug. It stopped 8/13/05 after an automatic
Windows security update and automatic reboot. I now have a lot of windows open
and it is not happening anyway. It may be resolved. Ev

Whiteboard: [sg:extension issue]

Frank, it may help you to know, other messages I reviewed just now with "view
source" had only one Subject line. But the one I posted herein had two subject
lines, and the second one had a line following it with the junk. That junk
appeared to be part of the header when I moused over it in TB, but in View
Source it is a second line.  Ev Senter

This problem (adding "junk" characters to the header when using the "Change
Header Details" tool) happened again this morning, but only once, and on the
next use of the "Change Header Details" tool it did not happen again. Note that
other problems seem to have happened as well, as follows: 1) prior to the error
there was a long hourglass or wait symbol, possibly associated with prior use of
the tool; 2) prior to the error I seem to have "lost" an email whose header I
changed, plus one whose header I did not change. Both of these "lost" emails
were found in the "Trash" folder when I looked for them. One of those in the
"Trash" was one I had not changed the header on, and the other was one I did
change the header on, but in the "Trash" the header had not been changed. Since
I have only tried one more use of the tool and it worked without error, I am
assuming the problem is either fixed again or not a continuous problem. I will
report the next occurrence that I notice, but meantime assume it to be fixed
again. At this time I have not re-booted for several days, and I have many
windows open. So forget my earlier theory that re-boot or automatically
distributed Microsoft security patches cured the problem. To get rid of the
hourglass, sometimes (but maybe not always) clicking on another folder in
Thunderbird will do it (I click on the "Sent" folder, usually).

It happened again, once, this morning. I think it was as follows: I did one
"Change Header Details" action and it resulted in the hourglass wait symbol.
Then I did another one, and that one disappeared afterwards. A copy was in the
trash with no header change, and so was the other one that had produced the
hourglass. When I retrieved the missing one and moved it to the inbox and did a
second "Change Header Details" it did the change but appended the junk characters.

For the developer of this tool: Is it part of the tool's function to file an
unchanged copy in the trash when the "Change Header Details" tool is finished?

That long b=<garbage> string is part of the Domainkey-Signature: header, or at least is supposed to be.

There's no random memory munging going on here, so no security issue. There may be an issue with Header-tools munging Domainkey headers (which can be multiple lines -- maybe header tools is not taking multi-line headers into account).

Frank can file a bug at http://headertools.mozdev.org/ if he likes, I'm closing this one as not a Thunderbird problem.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Whiteboard: [sg:extension issue]

Daniel is right.. It's not a Thunderbird issue at all..

It was, in fact, an issue with HeaderTools being able to deal with multi-line headers..  The newest versions of HeaderTools appear to have sorted these ( and other ) issues out..

Please see this thread
http://forums.mozillazine.org/viewtopic.php?t=279907

Cheers
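
The multi-line header problem named in the closing comments, as an added example (not HeaderTools or Thunderbird code): a folding-aware parser run over a constructed header block shaped like the one quoted in this bug shows why the second Subject picked up the `b=` text and why the DomainKey-Signature header lost it, and `setHeader` edits a header as one logical unit. The function names, the `example.com` address and the shortened `b=` value are assumptions made for illustration.

```javascript
// Constructed sample: same line order as the "view source" paste in this bug,
// with the domain replaced and the b= signature data replaced by a placeholder.
const damaged = [
  "Subject: Race [income]",
  "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  s=s1024; d=example.com;",
  "Subject: Race [income]",
  " b=Q09OU1RSVUNURUQ=",
  " ;",
  "X-NAS-Language: English",
].join("\r\n");

// Split a header block into logical headers. A line that starts with a space
// or tab continues the previous header (RFC 5322 folding).
function parseHeaders(block) {
  const headers = [];
  for (const line of block.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && headers.length > 0) {
      headers[headers.length - 1].lines.push(line);
      continue;
    }
    const colon = line.indexOf(":");
    if (colon < 1) throw new Error("not a header line: " + line);
    headers.push({ name: line.slice(0, colon), lines: [line] });
  }
  return headers;
}

const sameName = (a, b) => a.toLowerCase() === b.toLowerCase();

// Unfolded value of every header called `name`, as a mail client displays it.
function valuesOf(headers, name) {
  return headers.filter(h => sameName(h.name, name))
    .map(h => h.lines.join("").slice(h.name.length + 1).trim());
}

// Replace (or append) a header as a whole logical unit and re-serialise.
// Continuation lines stay attached to the header that owns them.
function setHeader(block, name, value) {
  if (/[\r\n]/.test(value)) throw new Error("line break in header value");
  const headers = parseHeaders(block);
  const edited = { name, lines: [name + ": " + value] };
  const at = headers.findIndex(h => sameName(h.name, name));
  if (at >= 0) headers[at] = edited; else headers.push(edited);
  return headers.flatMap(h => h.lines).join("\r\n");
}

// The same block without the stray Subject line, edited the folding-aware way.
const intact = damaged.split("\r\n").filter((_, i) => i !== 2).join("\r\n");
const fixed = setHeader(intact, "Subject", "Race [renamed]");
```

A DomainKey-Signature value with no `b=` tag, or a Subject value that contains one, is a quick check for a message already damaged this way.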