Message-ID: <20251026083033.623f1f4b@hboeck.de>
Date: Sun, 26 Oct 2025 08:30:33 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: OOB read / segfault and endless loop in courier mail server 1.5.0

Hi,

I have recently reported two issues in the courier mail server's MIME
parsing. The parser code is also used by courier-imap, sqwebmail,
maildrop, and cone.

Malformed inputs can crash or cause an endless loop. In my tests, both
issues only affected courier 1.5.0; 1.4.x versions are unaffected.
Version 1.5.1 contains a fix.

These issues can be triggered by passing the base64-encoded samples
below to the reformime commandline tool:
reformime -r < [poc]

Segfault / OOB read in rfc822::address::unicode_name:
TWltZS1WZXJzaW9uOjEuCkNvbnRlbnQtVHlwZTptdWx0aXBhcnQ7Ym91bmRhcnk9PQoKLS09CkZy
b206MFw9Pzw=

Endless loop / hang:
Q29udGVudC1UeXBlOiCAAA==

I have not tested whether it is possible to trigger these remotely via
SMTP or IMAP.

I had reported this to courier developer Sam Varshavchik on 2025-10-23.
Fixed versions of courier and the other affected packages were released
on the same day [1].



[1] https://sourceforge.net/p/courier/mailman/message/59250695/
-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
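
A way to check a local install against the two failure modes described in the message above (crash versus hang), as an added example that is not part of the original post or of the courier project. It assumes GNU coreutils `timeout` is installed; the function name `classify`, the `LIMIT` variable and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: run a parser command on one input file and report whether
# it finished, crashed on a signal, or had to be stopped after LIMIT seconds.
# Assumption: GNU coreutils `timeout` (exit 124 on timeout, 137 if KILL needed).

# classify FILE CMD [ARGS...]  -> prints ok | error:N | crash:SIG | hang | cannot-run:N
classify() {
    file=$1
    shift
    status=0
    # TERM after LIMIT seconds, KILL 2 seconds later if the process ignores it.
    # "|| status=$?" keeps the function usable under `set -e`.
    timeout -k 2 "${LIMIT:-5}" "$@" < "$file" > /dev/null 2>&1 || status=$?
    case $status in
        0)           echo "ok" ;;
        124|137)     echo "hang" ;;                 # stopped by timeout
        125|126|127) echo "cannot-run:$status" ;;   # timeout or command missing
        *)
            if [ "$status" -gt 128 ]; then
                # 128+N means the command died on signal N (11 = SIGSEGV)
                echo "crash:$((status - 128))"
            else
                echo "error:$status"                # ordinary non-zero exit
            fi
            ;;
    esac
}

# Each argument is a decoded sample file, e.g. (hypothetical names):
#   sh check.sh sample-oob.eml sample-loop.eml
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(classify "$f" reformime -r)"
done
```

Decode each sample with `base64 -d` into its own file before passing it in. A fixed install should report neither `hang` nor `crash:11` for either file.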
