Closed Bug 307084 Opened 19 years ago Closed 18 years ago

Loading mail message kills X

Categories

(SeaMonkey :: MailNews: Message Display, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: brunelle, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:needinfo])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:7.1.3) Gecko/20030726 Netscape7/7.1
Build Identifier: mozilla-i686-pc-linux-gnu-1.7.11-installer.tar.gz

Messages on a Mac technical forum have been posted containing
a binary string as text within the message as part of the forum's
communications (that is, this is not malicious code).  Merely 
clicking on the message subject in the mailbox summary (which,
of course, loads it) crashes not merely the application, but
X as well.  Really potent!  If I manage to select the message
within a group of several, I can drag the group to another 
mailbox.  

There is, of course, no way to identify an affected message
before attempting to read (load) it.  And most messages,
of course, don't have the problem.

I suppose the means by which this occurs could be copied
and misused as anti-Mozilla/anti-Linux malware.  MAYBE
that makes it a security issue, dunno.

I wish to send you a small mailbox file including several
examples, but don't see any place on this form to attach.
You may email me with handling instructions to get this
to you.


Reproducible: Always

Steps to Reproduce:
1. Load an affected message
2.
3.

Actual Results:  
X crashed.

Expected Results:  
Not crash.

You can add files using the "Create a New Attachment" link. It's not available
during the initial bug creation, but you can add the testcases now. If they're
large please zip/tar.gz them.

What build are you reporting this against? The "Build Identifier" says you're
using a linux 1.7.11 suite build, the User-Agent says an old windows netscape
7.1 (though the "rv:" portion appears bogus, so probably spoofed). What version
of X and Linux are you running?

Keywords: crash
Whiteboard: [sg:needinfo]

This mailbox file should have several examples of messages containing
the problem binary string.  (Also had to include some non-problem messages 
in the drag-and-drop, as the first message you point at loads.)
I can view the "icky" string OK in Xemacs, but by no means with Mozilla.

Therefore, I construe that Mozilla is in some way trying to execute the
string or cause it to be executed.  After X crashes, the console reports
some number of attempts to do something with fd0, which is fairly insane.
I could see real potential for use of such behavior in a DoS attack.

I'm running Fedora Core 2, Mozilla 1.7.11 (downloaded within the last week
and replacing 1.7.7), and had at the time a user-agent override string
for the purpose of trying to view some "IE-enhanced" websites.

Please let me know if there remains something helpful for me to do.

Thanks!

Attachment #195070 - Attachment mime type: application/octet-stream → text/plain

From email he's got
X Protocol Version 11, Revision 0, Release 6.7
Build Operating System: Linux 2.4.21-25.ELsmp i686 [ELF]
Current Operating System: Linux gideon.home.net 2.6.10-1.9_FC2 #1 Thu Jan 13
17:54:57 EST 2005 i686

I suspect this is in the common rendering code. David or Asa, could you try this
in Thunderbird on X, preferably a system similar to the one described (Fedora
Core 2) if we have it? Just copy the attachment to your mail Local Files and
it'll appear as new folder.

I cannot reproduce with the latest 1.5 beta 1 build on FC4.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME