reconstruct fails when some control characters are stored in a mail

Jens Erat jens.erat at uni-konstanz.de
Tue Jan 12 09:12:04 EST 2016 

Hi all,

While analyzing some issue with the SOGo groupware, I also realized
reconstruct is behaving in a weird way. SOGo had problems with some mail
containing a vertical tab in the subject line, so I started messing
around with that line to create some minimal example for a bug report.

When I modified the mail on the server (for example, stripping the mail
to a reduced version with less meta data and content) and ran
reconstruct, the changed mail was correctly identified and the folder
was repaired:

$ reconstruct -r -R -f user.foo.TestControlCode
user.foo.TestControlCode uid 6 not found
user.foo.TestControlCode uid 7 found - adding
user.foo.TestControlCode

If I introduced some other characters (I tried the null byte and the EOT
control character), reconstruct does not realize those changes occured:

$ reconstruct -r -R -f user.foo.TestControlCode
user.foo.TestControlCode
$ echo $?
0

It did not crash, it did not return an error message, it just exited.
Sending such an e-mail through SMTP worked fine, so at least I was not
able to crash the IMAP server (or get any other undesired behavior) with
such a command. After changing the control character back to a vertical
tab and/or moving it to another location, the changes were recognized again.

I'm still not sure whether this could also affect other parts/tools,
maybe even stuff like quota calculation, and whether this might also
affect some control flows in a way that could be used to exploit/stall
the IMAP system.

We're running Cyrus IMAP 2.5.6 on Oracle Solaris 11; I guess that this
will also affect other systems. An example mail is included as an
attachment.

Kind regards from Lake Constance, Germany,
Jens Erat

-- 
Jens Erat
Universität Konstanz
Kommunikations-, Infomations-, Medienzentrum (KIM)
Abteilung Basisdienste
D-78457 Konstanz
Mail: jens.erat at uni-konstanz.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Subject withcontrol character.eml
Type: application/x-extension-eml
Size: 392 bytes
Desc: not available
URL: <http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20160112/6a5e1eb2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4913 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20160112/6a5e1eb2/attachment.p7s>

More information about the Cyrus-devel mailing list