Bug 319055 - Mail::Mailer truncates messages at a line with a period when using sendmail
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Email Notifications
: 2.20
: All All
: -- major
: Bugzilla 2.20
Assigned To: Frédéric Buclin
: default-qa
Mentors:
: 333774
Depends on:
Blocks:
Reported: 2005-12-04 11:23 PST by Frédéric Buclin
Modified: 2007-02-13 18:32 PST
justdave: approval+
justdave: blocking2.22+
justdave: approval2.20+
justdave: blocking2.20.1+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch, v1 (588 bytes, patch)
2005-12-04 12:30 PST, Frédéric Buclin
justdave: review+

Description Frédéric Buclin 2005-12-04 11:23:29 PST
Lines containing a single dot "." are indicating the end of the message. The remaining part of the message could be arbitrarily executed by the SMTP server.

<justdave> I'd venture to call that a security bug
<justdave> because you can embed SMTP commands in an email and make it do weird things
<LpSolit> wicked, justdave: where is going the remaining part of the email?
<wicked> LpSolit: to the SMTP server for execution if justdave is right
<justdave> LpSolit: depends on the transport mechanism, which is controlled by Mail::Mailer (which is why it's Mail::Mailer's bug and not ours)
<justdave> if the transport is SMTP, it'd be going into the SMTP stream
<justdave> iow, interpreted as commands since the . terminates the DATA phase
<LpSolit> justdave: what nasty things could be done? something dangerous?
<justdave> send mail to arbitrary people and make it look like it came from Bugzilla's server


.

THIS PART OF THE COMMENT HAS NOT BEEN SENT!!!
(ARBITRARY CODE HERE)
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2005-12-04 11:31:28 PST
OK, upon further investigation, Mail::Mailer does indeed do the correct thing with SMTP mail_delivery_method, escaping the period so it goes through.  However, it's failing to set -i on the command line when it calls sendmail, so the sendmail method is truncating the comments at the period.

This makes it no longer a security bug, but the severity can stay, because it's still dataloss.  Just to make it clear, this is a bug in Mail::Mailer, not in Bugzilla.  Does someone know where to submit bugs for that?  The patch to fix should be easy, just add -i to the command line for sendmail.
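The two delivery paths contrasted in comment 1, as an added example that is not part of the bug report and is not Bugzilla or Mail::Mailer code: a small Python model of sendmail reading a message on stdin with and without -i, and of SMTP DATA dot-stuffing (RFC 5321 section 4.5.2). The function names and the sample message are constructed for illustration.

```python
# Added illustration, not Bugzilla or Mail::Mailer code. Messages are modelled
# as lists of lines with the line endings already removed.

# Constructed sample shaped like the bug description: text, a lone dot, more text.
SAMPLE = ["First paragraph of the comment.", ".", "Second paragraph of the comment."]


def sendmail_stdin_read(lines, ignore_dots=False):
    """Model sendmail reading stdin: without -i a lone "." ends the input."""
    accepted = []
    for line in lines:
        if line == "." and not ignore_dots:
            break  # everything after this line is silently dropped
        accepted.append(line)
    return accepted


def smtp_dot_stuff(lines):
    """Sender side of SMTP DATA: double a leading dot, then add the terminator."""
    return ["." + l if l.startswith(".") else l for l in lines] + ["."]


def smtp_data_receive(wire_lines):
    """Receiver side of SMTP DATA; returns (message, leftover).

    The message ends at the first lone "."; leftover lines are outside the
    DATA phase, so the server would read them as commands.
    """
    message = []
    for i, line in enumerate(wire_lines):
        if line == ".":
            return message, wire_lines[i + 1:]
        message.append(line[1:] if line.startswith(".") else line)
    return message, []


def ensure_ignore_dots(args):
    """Add -i to sendmail arguments unless -i or -oi is already a separate flag."""
    return list(args) if {"-i", "-oi"} & set(args) else list(args) + ["-i"]


if __name__ == "__main__":
    print(sendmail_stdin_read(SAMPLE))                    # truncated at the dot
    print(sendmail_stdin_read(SAMPLE, ignore_dots=True))  # complete message
    print(smtp_data_receive(smtp_dot_stuff(SAMPLE)))      # round trip intact
    print(smtp_data_receive(SAMPLE + ["."]))              # unescaped: leftover lines
```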
Comment 2 Joel Peshkin 2005-12-04 11:39:25 PST
There is a mechanism that lets you add arbitrary arguments to the sendmail call...

   push @args, '-rsourceaddress@mydomain.com';

for example...
Comment 3 Zach Lipton [:zach] 2005-12-04 11:40:25 PST
Mail::Mailer is maintained by Mark Overmeer <mailtools@overmeer.net>. Probably the best thing to do would be to email him with a bug report. 
Comment 4 Dave Miller [:justdave] (justdave@bugzilla.org) 2005-12-04 11:45:53 PST
BTW, resolution of this bug as far as Bugzilla is concerned is bumping the minimum required version of Mail::Mailer to the next release including a fix for this.  2.20 is already out with this, so we shouldn't block a release waiting for it.  We can backport the additional requirement to the branches once the fixed version is available though.  We should relnote it regardless.
Comment 5 Frédéric Buclin 2005-12-04 11:49:54 PST
(In reply to comment #3)
> Mail::Mailer is maintained by Mark Overmeer <mailtools@overmeer.net>. Probably
> the best thing to do would be to email him with a bug report. 

Who volunteers to send him an email? justdave, zach?
Comment 6 Frédéric Buclin 2005-12-04 12:30:36 PST
Created attachment 204968
patch, v1

This fixes the problem on landfill...
Comment 7 Max Kanat-Alexander 2005-12-04 14:22:28 PST
I believe that glob is our Mail::Mailer expert. Any replies to comment 1? :-)
Comment 8 Byron Jones ‹:glob› [PTO until 2017-01-09] 2005-12-04 18:16:43 PST
(In reply to comment #7)
> I believe that glob is our Mail::Mailer expert. Any replies to comment 1? :-)

mark was responsive when i emailed him regarding the issues i found when doing the utf-8 patch.
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2005-12-05 07:42:07 PST
I still think Mail::Mailer should be insulating us from this, but this is definitely a good workaround for it (and because of how Mail::Mailer does work, this probably won't break once it's fixed, and it lets us support older versions of Mail::Mailer still).
Comment 10 Frédéric Buclin 2005-12-05 08:19:24 PST
tip:

Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v  <--  BugMail.pm
new revision: 1.57; previous revision: 1.56
done

2.20:

Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v  <--  BugMail.pm
new revision: 1.39.4.4; previous revision: 1.39.4.3
done
Comment 11 Frédéric Buclin 2006-04-12 15:20:54 PDT
*** Bug 333774 has been marked as a duplicate of this bug. ***
Comment 12 Olav Vitters 2006-08-31 22:49:00 PDT
*** Bug 350972 has been marked as a duplicate of this bug. ***
