Security Advisory 07 for Kolab Server

Bernhard Reiter bernhard.reiter at intevation.de
Thu Dec 22 20:25:29 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 07 20051222
================================

Package:              Kolab Server
Vulnerability:        Some transported emails are modified, potentially 
		      leading to broken email-signatures or attachments.
Kolab Specific:       yes
Impact:               low


Summary
- --------

If the Kolab Server transports an email bigger than 8 K Byte
and there is a dot (".") character at the wrong place, 
kolabfilter will double this dot and a modified email will be delivered.
This can lead to broken email clear-text signatures or broken attachments.


Affected Versions
- -----------------

All Kolab Servers version 2 released so far, including 2.1 snapshots.
In particular versions 2.0.0 and 2.0.1 have this bug.

Fixes
- -----

Apply the patch below.  E.g. with the command:
	patch -i kolabmailtransport.diff /kolab/var/kolab/php/kolabfilter/kolabmailtransport.php

You can also get the patch from issue1042 of Kolab's tracker.
9bdd3f3e4964eb8e6099db8b22b8c238  kolabmailtransport.diff

+=== cut here ====
|diff -u -p -r1.3.2.1 kolabmailtransport.php
|--- kolabmailtransport.php	28 Jul 2005 02:20:36 -0000	1.3.2.1
|+++ kolabmailtransport.php	22 Dec 2005 17:44:38 -0000
|@@ -32,6 +32,7 @@ class KolabMailTransport {
|   function start($sender,$recips) {
|     $this->createTransport();
|     $myclass = get_class($this->transport);
|+    $this->got_newline = false;
| 
|     if (!$this->transport) {
|       return new PEAR_Error('Failed to connect to $myclass: ' . $error->getMessage(), 421);
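Review bot: The added line "$this->got_newline = false;" in start() begins every message in the mid-line state, but the first byte passed to the dot-doubling code is by definition the start of a line, so a first chunk that begins with "." would no longer be doubled. Initialise the flag to true instead; a message that begins with a header line behaves the same either way.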
|@@ -99,8 +100,10 @@ class KolabMailTransport {
|      * Because a single leading period (.) signifies an end to the data,
|      * legitimate leading periods need to be "doubled" (e.g. '..').
|      */
|-    if( $data[0] == '.' ) $data = '.'.$data;
|+    if( $this->got_newline && $data[0] == '.' ) $data = '.'.$data;
|     $data = str_replace("\n.", "\n..", $data);
|+    if( $data[count($data)] == "\n" ) $this->got_newline = true;
|+    else $this->got_newline = false;
|   }
| 
|   function data( $data) {
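Review bot: In the added line 'if( $data[count($data)] == "\n" )', count() applied to a string does not give its length (for a string it returns 1 in the PHP versions of this period), so the test reads the second byte of the chunk and not the last one, and got_newline is set from the wrong character. Index with strlen($data) - 1 instead, and check for an empty $data before reading $data[0] or the last byte.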
|@@ -126,6 +129,7 @@ class KolabMailTransport {
|   var $host;
|   var $port;
|   var $transport;
|+  var $got_newline;
| };
| 
| class KolabLMTP extends KolabMailTransport {
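Review bot: The new member "var $got_newline;" is declared without a comment, although it is the only state carried from one chunk to the next. A one-line comment stating that it records whether the previous chunk ended in "\n" would document the invariant the dot-doubling test now depends on.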
+=== cut here ====

Timeline
- --------
20051222 Bug report came in. Reproduced and fixed the bug. Advisory Published.
    	     
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD4DBQFDqvxZh9ag3dpKERYRAnilAKDP4ysnWU3pi4WLMaGfD8J6SspOfACYnniX
OV/nQeosx/b9SJZWb5TSKw==
=i8mz
-----END PGP SIGNATURE-----
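
The chunk-boundary behaviour described in the Summary, as an added PHP example (not Kolab's code and not part of the signed advisory). The function and class names, the sample message and the small chunk sizes are constructed for illustration; it compares stuffing each chunk in isolation with a stuffer that remembers whether the previous chunk ended a line.

```php
<?php
// Added illustration; not Kolab code. All names here are hypothetical.

// Stateless stuffing, as in the behaviour the Summary describes: each chunk
// is treated as if it began a new line.
function stuff_stateless(string $chunk): string {
    if ($chunk !== '' && $chunk[0] === '.') $chunk = '.' . $chunk;
    return str_replace("\n.", "\n..", $chunk);
}

// Chunk-aware stuffing: remember whether the previous chunk ended a line.
class DotStuffer {
    private $atLineStart = true;   // the first byte of a message starts a line

    public function feed(string $chunk): string {
        if ($chunk === '') return '';
        $out = str_replace("\n.", "\n..", $chunk);
        if ($this->atLineStart && $chunk[0] === '.') $out = '.' . $out;
        $this->atLineStart = ($chunk[strlen($chunk) - 1] === "\n");
        return $out;
    }
}

// Split $msg into $size-byte chunks and pass each one through $stuff.
function stuff_in_chunks(string $msg, int $size, callable $stuff): string {
    $out = '';
    foreach (str_split($msg, $size) as $chunk) $out .= $stuff($chunk);
    return $out;
}

// Constructed sample: one '.' in the middle of a line, one at a line start.
$msg = "Subject: test\r\n\r\nsee file.txt\r\n.hidden line\r\n";
$expected = (new DotStuffer())->feed($msg);   // whole message in one piece

$statefulOk = true;
$statelessBad = [];
for ($size = 1; $size <= strlen($msg); $size++) {
    $stuffer = new DotStuffer();
    if (stuff_in_chunks($msg, $size, [$stuffer, 'feed']) !== $expected) $statefulOk = false;
    if (stuff_in_chunks($msg, $size, 'stuff_stateless') !== $expected) $statelessBad[] = $size;
}
echo "chunk-aware output identical for every chunk size: ", var_export($statefulOk, true), "\n";
echo "chunk sizes where stateless stuffing alters the message: ", implode(',', $statelessBad), "\n";
```

Any chunk size that places a boundary directly before the "." in "file.txt" makes the stateless version double it, which is the kind of modification that breaks clear-text signatures and attachments.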