0004745: Segfaults in S/MIME code - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0004745	SOGo	Web Mail	public	2019-05-10 22:14	2019-08-20 11:59

Reporter	schmirl	Assigned To	ludovic
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	4.0.7
Fixed in Version	4.1.0

Summary	0004745: Segfaults in S/MIME code
Description	I get a segfault when trying to open an encrypted mail in the WebUI which can't be decrypted with my key. Some functions in NSData+SMIME.m return an uninitialized pointer instead of NULL in case of an error. Patch attached.
Steps To Reproduce	Try to open an encrypted mail you have no key for.
Additional Information	The patch initializes "output" where it's defined. In two functions, "output" had been initialized correctly several lines below its definition. I changed these, too. I think its clearer this way.
Tags	No tags attached.

schmirl 2019-05-10 22:14 reporter	SOGo-initialize_output.patch (1,397 bytes) --- SoObjects/Mailer/NSData+SMIME.m.orig 2019-05-10 23:32:24.492723698 +0200 +++ SoObjects/Mailer/NSData+SMIME.m 2019-05-10 23:38:46.928740089 +0200 @@ -47,7 +47,7 @@ // - (NSData ) signUsingCertificateAndKey: (NSData ) theData { - NSData output; + NSData output = NULL; BIO tbio = NULL, sbio = NULL, obio = NULL; X509 scert = NULL; @@ -65,7 +65,6 @@ OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); - output = nil; bytes = [theData bytes]; len = [theData length]; @@ -128,7 +127,7 @@ // - (NSData ) encryptUsingCertificate: (NSData ) theData { - NSData output; + NSData output = NULL; BUF_MEM bptr = NULL; BIO tbio = NULL, sbio = NULL, obio = NULL; @@ -215,7 +214,7 @@ // - (NSData ) decryptUsingCertificate: (NSData ) theData { - NSData output; + NSData output = NULL; BIO tbio, sbio, obio; BUF_MEM bptr; @@ -311,7 +310,7 @@ // - (NSData ) convertPKCS12ToPEMUsingPassword: (NSString ) thePassword { - NSData output; + NSData output = NULL; BIO ibio, obio; EVP_PKEY pkey; @@ -326,7 +325,6 @@ OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); - output = nil; bytes = [self bytes]; len = [self length]; @@ -383,7 +381,7 @@ // - (NSData ) signersFromPKCS7 { - NSData output; + NSData output = NULL; STACK_OF(X509) certs = NULL; BIO ibio, *obio; SOGo-initialize_output.patch (1,397 bytes)

schmirl 2019-08-20 08:56 reporter ~0013703	My patch for opaque signed mails has been commited yesterday (0004582). My patch introduces another uninitialized pointer (patch was based on SOGo 4.0.6 - I copied parts from one of the functions which was vulnerable in 4.0.6). Patch attached.

schmirl 2019-08-20 08:57 reporter	initialize_output.diff (322 bytes) --- UIxMailPartEncryptedViewer.m.orig 2019-08-20 10:41:50.994186817 +0200 +++ UIxMailPartEncryptedViewer.m 2019-08-20 10:42:09.798051760 +0200 @@ -93,7 +93,7 @@ - (NSData ) _processMessageWith: (NSData ) signedData { - NSData output; + NSData output = NULL; STACK_OF(X509) certs; X509_STORE x509Store; initialize_output.diff (322 bytes)

ludovic 2019-08-20 11:59 reporter ~0013704	Thanks I've pushed a fix.

Date Modified	Username	Field	Change
2019-05-10 22:14	schmirl	New Issue
2019-05-10 22:14	schmirl	File Added: SOGo-initialize_output.patch
2019-05-23 13:25	ludovic	Changeset attached	=> sogo master 29f5357a
2019-05-23 13:25	ludovic	Assigned To	=> ludovic
2019-05-23 13:25	ludovic	Resolution	open => fixed
2019-05-23 13:25	ludovic	Status	new => resolved
2019-05-23 13:25	ludovic	Fixed in Version	=> 4.0.8
2019-08-20 08:56	schmirl	Note Added: 0013703
2019-08-20 08:56	schmirl	Status	resolved => feedback
2019-08-20 08:56	schmirl	Resolution	fixed => reopened
2019-08-20 08:57	schmirl	File Added: initialize_output.diff
2019-08-20 11:59	ludovic	Note Added: 0013704
2019-08-20 11:59	ludovic	Status	feedback => resolved
2019-08-20 11:59	ludovic	Fixed in Version	4.0.8 => 4.1.0
2019-08-20 11:59	ludovic	Resolution	reopened => fixed