heap overflow when canceling usenet message in nsNNTPProtocol::DoCancel()

RESOLVED FIXED in Thunderbird 3

Status

Thunderbird
Security
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Assigned: jcranmer)

Tracking

({fixed1.8.1.17})

Trunk
Thunderbird 3
x86
Linux
fixed1.8.1.17
Bug Flags:
blocking-thunderbird3.0a1 +
blocking1.8.1.15 -
blocking1.8.1.17 +
wanted1.8.1.x +
blocking1.8.0.next +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments)

this is not trivial to reproduce, but seems wrong by inspection:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/news/src/nsNNTPProtocol.cpp&rev=1.396
4255 mscott       1.1     L = PL_strlen (id);
...
4258                      other_random_headers = (char *) PR_Malloc (L + 20);
...
4339                      PL_strcpy (other_random_headers, "Control: cancel ");
4340                      PL_strcat (other_random_headers, id);
4341                      PL_strcat (other_random_headers, CRLF);

4342 sspitzer     1.73    if (distribution) {

4343 bienvenu     1.348     PL_strcat (other_random_headers, "Distribution: ");

4344 scott        1.386     PL_strcat (other_random_headers, distribution);
4345                        PL_strcat (other_random_headers, CRLF);


so |other_random_headers| is allocated strlen(id) + 20.
later |id| + stuff is copied.

later |distribition| may be appended yet distribution doesn't contribute to
the allocation size and this may lead to overflow.

even "Control: cancel Distribution: " is longer than 20
(Reporter)

Updated

10 years ago
Whiteboard: [sg:investigate]
this is a real classical overflow.

debugging is consistent with comment #0.
the crash is scary:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000598174 in XPCWrappedNative::HasProto (this=0x5353535353535353)
    at /opt/joro/thunderbird-cvs/mozilla/js/src/xpconnect/src/xpcprivate.h:2124
2124        HasProto() const {return !IsTaggedScope(mMaybeScope);}


i reproduced it this way:
set up nntp server (not very trivial).
post a message.
on the server edit the message adding header:
Distributions: 1024chars

cancel the message and watch the crash.

potential exploit scenario is spoofing user's email, sending a nasty message with the header, wait for the user to cancel the message.
not sure [sg:medium?] or [sg:high?]
Whiteboard: [sg:investigate] → [sg:medium?] [sg:high?]
(Reporter)

Updated

10 years ago
Summary: potential heap overflow in nsNNTPProtocol::DoCancel() → heap overflow when canceling usenet message in nsNNTPProtocol::DoCancel()
more ancient mailnews strcpy/strcat abuse.
Assignee: dveditz → dmose
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Flags: blocking-thunderbird3?
Whiteboard: [sg:medium?] [sg:high?] → [sg:critical?]

Comment 4

10 years ago
dveditz: why shouldn't this block 1.8.0.14?

Comment 5

10 years ago
ss explained to me in more details how the branches are generally run, so I withdraw the question here.  Thanks, ss!

Comment 6

10 years ago
Reassigning to our NNTP guru.
Assignee: dmose → Pidgeot18

Comment 7

10 years ago
We want to protect our alpha/beta users as much as we reasonably can; marking blocking-thunderbird3.0a1+
Flags: blocking-thunderbird3? → blocking-thunderbird3.0a1+
(Assignee)

Comment 8

10 years ago
Created attachment 315684 [details] [diff] [review]
Patch

This patch turns the other_random_headers into an nsCAutoString.
Attachment #315684 - Flags: superreview?(bienvenu)
Attachment #315684 - Flags: review?(bienvenu)

Comment 9

10 years ago
Comment on attachment 315684 [details] [diff] [review]
Patch

thx, Joshua
Attachment #315684 - Flags: superreview?(bienvenu)
Attachment #315684 - Flags: superreview+
Attachment #315684 - Flags: review?(bienvenu)
Attachment #315684 - Flags: review+
(Assignee)

Updated

10 years ago
Status: NEW → ASSIGNED
Keywords: checkin-needed

Updated

10 years ago
Keywords: checkin-needed
(Assignee)

Comment 10

10 years ago
Checked in by timeless:

/cvsroot/mozilla/mailnews/news/src/nsNNTPProtocol.cpp,v <-- nsNNTPProtocol.cpp
new revision: 1.398; previous revision: 1.397
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 3
why not change all pl_strcat and pl_strcpy in mailnews/ ?

according to grep:
mozilla/mailnews$ grep -rniI 'pl_strcpy' * | wc -l
38
mozilla/mailnews$ grep -rniI 'pl_strcat' * | wc -l
80

these numbers seem doable
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Joshua, can you see if this patch applies cleanly to branch, and, if so, request 1.8.1.15 approval?
Whiteboard: [sg:critical?] → [sg:critical?][needs branch patch]
We're freezing tonight at 11:59pm PDT. Joshua, are you going to be able to get to a branch patch for this? (Or testing the trunk one to see if it applies...)
Guess it's getting too late to continue "blocking" on this for the next Thunderbird update. If a branch patch gets written and reviewed today ping drivers on IRC for approval otherwise "next time".
Flags: blocking1.8.1.16?
Flags: blocking1.8.1.15-
Flags: blocking1.8.1.15+
Flags: blocking1.8.1.17? → blocking1.8.1.17+
Any update on a branch patch for this bug?
(Assignee)

Comment 16

9 years ago
Created attachment 334030 [details] [diff] [review]
Branch patch

Branch version.
Attachment #334030 - Flags: superreview?(bienvenu)
Attachment #334030 - Flags: review?(bienvenu)
Attachment #334030 - Flags: approval1.8.1.17?

Updated

9 years ago
Attachment #334030 - Flags: superreview?(bienvenu)
Attachment #334030 - Flags: superreview+
Attachment #334030 - Flags: review?(bienvenu)
Attachment #334030 - Flags: review+

Comment 17

9 years ago
marking checkin-needed for branch patch
Keywords: checkin-needed
Whiteboard: [sg:critical?][needs branch patch] → [sg:critical?]

Updated

9 years ago
Attachment #334030 - Flags: approval1.8.1.17? → approval1.8.1.17+
(Assignee)

Comment 18

9 years ago
/cvsroot/mozilla/mailnews/news/src/nsNNTPProtocol.cpp,v  <--  nsNNTPProtocol.cpp
new revision: 1.373.2.3; previous revision: 1.373.2.2
done

Checked in on branch
Keywords: checkin-needed → fixed1.8.1.17

Comment 19

9 years ago
Comment on attachment 334030 [details] [diff] [review]
Branch patch

a=asac for 1.8.0.15
Attachment #334030 - Flags: approval1.8.0.15+

Updated

9 years ago
Flags: blocking1.8.0.15+
Group: core-security
You need to log in before you can comment on or make changes to this bug.