View Issue Details

ID: 0004745
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2019-08-20 11:59
Reporter: schmirl
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.0.7
Fixed in Version: 4.1.0
Summary: 0004745: Segfaults in S/MIME code
Description

I get a segfault when trying to open an encrypted mail in the WebUI which can't be decrypted with my key. Some functions in NSData+SMIME.m return an uninitialized pointer instead of NULL in case of an error. Patch attached.

Steps To Reproduce

Try to open an encrypted mail you have no key for.

Additional Information

The patch initializes "output" where it's defined.

In two functions, "output" had been initialized correctly several lines below its definition. I changed these, too. I think it's clearer this way.

Tags: No tags attached.

Activities

schmirl

2019-05-10 22:14

reporter  

SOGo-initialize_output.patch (1,397 bytes)   
--- SoObjects/Mailer/NSData+SMIME.m.orig	2019-05-10 23:32:24.492723698 +0200
+++ SoObjects/Mailer/NSData+SMIME.m	2019-05-10 23:38:46.928740089 +0200
@@ -47,7 +47,7 @@
 //
 - (NSData *) signUsingCertificateAndKey: (NSData *) theData
 {
-  NSData *output;
+  NSData *output = NULL;
 
   BIO *tbio = NULL, *sbio = NULL, *obio = NULL;
   X509 *scert = NULL;
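Review bot: Style point on the added "NSData *output = NULL;": "output" is an Objective-C object pointer, and the assignment this patch removes further down in the same method used "nil" for it. Writing "NSData *output = nil;" would match that convention and leave NULL for the OpenSSL C pointers ("tbio", "sbio", "obio", "scert") declared just below.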
@@ -65,7 +65,6 @@
   
   OpenSSL_add_all_algorithms();
   ERR_load_crypto_strings();
-  output = nil;
   
   bytes = [theData bytes];
   len = [theData length];
@@ -128,7 +127,7 @@
 //
 - (NSData *) encryptUsingCertificate: (NSData *) theData
 {
-  NSData *output;
+  NSData *output = NULL;
 
   BUF_MEM *bptr = NULL;
   BIO *tbio = NULL, *sbio = NULL, *obio = NULL;
@@ -215,7 +214,7 @@
 //
 - (NSData *) decryptUsingCertificate: (NSData *) theData
 {
-  NSData *output;
+  NSData *output = NULL;
 
   BIO *tbio, *sbio, *obio;
   BUF_MEM *bptr;
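Review bot: In decryptUsingCertificate: the context lines still declare "BIO *tbio, *sbio, *obio;" and "BUF_MEM *bptr;" without initializers, unlike signUsingCertificateAndKey: and encryptUsingCertificate:, where the BIO pointers start as NULL. If the error path of this method (not visible in the hunk) frees or reads any of them before they are assigned, that is the same uninitialized-pointer problem being fixed here for "output"; initializing them to NULL in the same change would close it.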
@@ -311,7 +310,7 @@
 //
 - (NSData *) convertPKCS12ToPEMUsingPassword: (NSString *) thePassword
 {
-  NSData *output;
+  NSData *output = NULL;
 
   BIO *ibio, *obio;
   EVP_PKEY *pkey;
@@ -326,7 +325,6 @@
 
   OpenSSL_add_all_algorithms();
   ERR_load_crypto_strings();
-  output = nil;
 
   bytes = [self bytes];
   len = [self length];
@@ -383,7 +381,7 @@
 //
 - (NSData *) signersFromPKCS7
 {
-  NSData *output;
+  NSData *output = NULL;
 
   STACK_OF(X509) *certs = NULL;
   BIO *ibio, *obio;

schmirl

2019-08-20 08:56

reporter   ~0013703

My patch for opaque signed mails has been committed yesterday (0004582). My patch introduces another uninitialized pointer (patch was based on SOGo 4.0.6 - I copied parts from one of the functions which was vulnerable in 4.0.6). Patch attached.

schmirl

2019-08-20 08:57

reporter  

initialize_output.diff (322 bytes)   
--- UIxMailPartEncryptedViewer.m.orig	2019-08-20 10:41:50.994186817 +0200
+++ UIxMailPartEncryptedViewer.m	2019-08-20 10:42:09.798051760 +0200
@@ -93,7 +93,7 @@
 
 - (NSData *) _processMessageWith: (NSData *) signedData
 {
-  NSData *output;
+  NSData *output = NULL;
 
   STACK_OF(X509) *certs;
   X509_STORE *x509Store;
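Review bot: The diff header names the file as bare "UIxMailPartEncryptedViewer.m" with no directory, while the earlier patch on this issue used a repository-relative path (SoObjects/Mailer/NSData+SMIME.m); generating the diff from the repository root would let it apply without the reader having to locate the file. In the hunk itself, "certs" and "x509Store" are still declared without initializers next to the fixed "output" and deserve the same treatment if the method's error path touches them before assignment.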

ludovic

2019-08-20 11:59

administrator   ~0013704

Thanks, I've pushed a fix.

Related Changesets

sogo: master 29f5357a

2019-05-23 09:21

ludovic


(fix) added safety checks in S/MIME (fixes 0004745)
Affected Issues: 0004745
mod - NEWS
mod - SoObjects/Mailer/NSData+SMIME.m

Issue History

Date Modified Username Field Change
2019-05-10 22:14 schmirl New Issue
2019-05-10 22:14 schmirl File Added: SOGo-initialize_output.patch
2019-05-23 13:25 ludovic Changeset attached => sogo master 29f5357a
2019-05-23 13:25 ludovic Assigned To => ludovic
2019-05-23 13:25 ludovic Resolution open => fixed
2019-05-23 13:25 ludovic Status new => resolved
2019-05-23 13:25 ludovic Fixed in Version => 4.0.8
2019-08-20 08:56 schmirl Note Added: 0013703
2019-08-20 08:56 schmirl Status resolved => feedback
2019-08-20 08:56 schmirl Resolution fixed => reopened
2019-08-20 08:57 schmirl File Added: initialize_output.diff
2019-08-20 11:59 ludovic Note Added: 0013704
2019-08-20 11:59 ludovic Status feedback => resolved
2019-08-20 11:59 ludovic Fixed in Version 4.0.8 => 4.1.0
2019-08-20 11:59 ludovic Resolution reopened => fixed