[Kolab-devel] Security Advisory 07 for Kolab Server
Bernhard Reiter
bernhard.reiter at intevation.de
Thu Dec 22 20:25:29 CET 2005
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 07 20051222
================================
Package: Kolab Server
Vulnerability: Some transported emails are modified, potentially
leading to broken email-signatures or attachments.
Kolab Specific: yes
Impact: low
Summary
- --------
If the Kolab Server transports an email bigger than 8 K Byte
and there is a dot (".") character at the wrong place,
kolabfilter will double this dot and a modified email will be delivered.
This can lead to broken email clear-text signatures or broken attachments.
Affected Versions
- -----------------
All Kolab Servers version 2 released to far, including 2.1 snapshots.
In particular versions 2.0.0 and 2.0.1 have this bug.
Fixes
- -----
Apply the patch below. E.g. with the command:
patch -i kolabmailtransport.diff /kolab/var/kolab/php/kolabfilter/kolabmailtransport.php
You can also get the patch from issue1042 of Kolab's tracker.
9bdd3f3e4964eb8e6099db8b22b8c238 kolabmailtransport.diff
+=== cut here ====
|diff -u -p -r1.3.2.1 kolabmailtransport.php
|--- kolabmailtransport.php 28 Jul 2005 02:20:36 -0000 1.3.2.1
|+++ kolabmailtransport.php 22 Dec 2005 17:44:38 -0000
|@@ -32,6 +32,7 @@ class KolabMailTransport {
| function start($sender,$recips) {
| $this->createTransport();
| $myclass = get_class($this->transport);
|+ $this->got_newline = false;
|
| if (!$this->transport) {
| return new PEAR_Error('Failed to connect to $myclass: ' . $error->getMessage(), 421);
|@@ -99,8 +100,10 @@ class KolabMailTransport {
| * Because a single leading period (.) signifies an end to the data,
| * legitimate leading periods need to be "doubled" (e.g. '..').
| */
|- if( $data[0] == '.' ) $data = '.'.$data;
|+ if( $this->got_newline && $data[0] == '.' ) $data = '.'.$data;
| $data = str_replace("\n.", "\n..", $data);
|+ if( $data[count($data)] == "\n" ) $this->got_newline = true;
|+ else $this->got_newline = false;
| }
|
| function data( $data) {
|@@ -126,6 +129,7 @@ class KolabMailTransport {
| var $host;
| var $port;
| var $transport;
|+ var $got_newline;
| };
|
| class KolabLMTP extends KolabMailTransport {
+=== cut here ====
Timeline
- --------
20051222 Bug report came in. Reproduced and fixed the bug. Advisory Published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD4DBQFDqvxZh9ag3dpKERYRAnilAKDP4ysnWU3pi4WLMaGfD8J6SspOfACYnniX
OV/nQeosx/b9SJZWb5TSKw==
=i8mz
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.kolab.org/pipermail/devel/attachments/20051222/72701bd1/attachment.sig>
More information about the devel
mailing list