Bug 1174630 (CVE-2020-16094) - VUL-1: CVE-2020-16094: claws-mail: a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree
Summary: VUL-1: CVE-2020-16094: claws-mail: a malicious IMAP server can trigger stack ...
Status: RESOLVED FIXED
Alias: CVE-2020-16094
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.1
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264428/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-29 07:21 UTC by Wolfgang Frisch
Modified: 2024-07-04 07:35 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-07-29 07:21:47 UTC
CVE-2020-16094

In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP
server can trigger stack consumption because of unlimited recursion into
subdirectories during a rebuild of the folder tree.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16094
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16094.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16094
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
Comment 1 Wolfgang Frisch 2020-07-29 07:28:28 UTC
The PoC reproducibly crashes claws-mail on openSUSE Tumbleweed.
Comment 3 Jean Delvare 2020-07-29 13:20:41 UTC
There doesn't seem to be a fix available from upstream yet.
Comment 4 Michael Vetter 2020-07-29 13:57:38 UTC
> There doesn't seem to be a fix available from upstream yet.

At least their bugzilla doesn't have any comment.

I contacted upstream this morning whether someone is already working on this but didn't get a reply yet.
Comment 5 Jean Delvare 2020-07-31 08:56:04 UTC
By the way, I can't really see how this qualifies as a security bug. You don't connect to random IMAP servers like you do with web servers. You get to trust your email service provider to some degree, and the chances that an email service provider would purposely crash their users' MUA are rather low in my opinion. The only scenario I can think of is if the IMAP server itself has been compromised. But then you have a much more serious problem than this bug.

So the low severity looks completely appropriate to me. I'm just not sure why this bug was given a CVE number in the first place.
Comment 6 Adam Majer 2020-07-31 12:59:06 UTC
(In reply to Jean Delvare from comment #5)
> So the low severity looks completely appropriate to me. I'm just not sure
> why this bug was given a CVE number in the first place.

Any program should not blindly trust another network resource, even if trusted. These types of exploits are how you go from one machine to another in an exploit chain.

As commented in the upstream bugzilla entry, something like 500 should be more than enough for directory depth, perhaps less.
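As an added example (not Claws Mail's code and not the upstream fix): a bounded recursive folder scan in C of the kind comment 6 describes, run over a constructed benign tree and a constructed self-referencing one. `struct folder`, the function names and the 500 limit are assumptions made here.

```c
#include <stdio.h>

/* Depth cap: 500 is the figure floated in comment 6, not the upstream fix's value. */
#define MAX_FOLDER_DEPTH 500

/* Minimal stand-in for a folder as reported by an IMAP LIST response. */
struct folder {
    const char *name;
    const struct folder **children;   /* NULL-terminated, or NULL for a leaf */
};

/* Bounded recursive scan: returns 0 when done, -1 once depth exceeds max_depth,
   rather than recursing until the stack is exhausted. */
static int scan_tree_recursive(const struct folder *f, int depth, int max_depth, size_t *visited)
{
    if (depth > max_depth) {
        fprintf(stderr, "folder tree deeper than %d at '%s', aborting scan\n", max_depth, f->name);
        return -1;
    }
    (*visited)++;
    for (const struct folder **c = f->children; c && *c; c++)
        if (scan_tree_recursive(*c, depth + 1, max_depth, visited) != 0)
            return -1;
    return 0;
}

/* Constructed benign tree INBOX -> {Sent, Drafts, Work -> {Work/Project}};
   returns the number of folders scanned, or -1 if the cap was hit. */
static int scan_benign_tree(void)
{
    static const struct folder sent = { "Sent", NULL }, drafts = { "Drafts", NULL };
    static const struct folder project = { "Work/Project", NULL };
    static const struct folder *work_kids[] = { &project, NULL };
    static const struct folder work = { "Work", work_kids };
    static const struct folder *inbox_kids[] = { &sent, &drafts, &work, NULL };
    static const struct folder inbox = { "INBOX", inbox_kids };
    size_t visited = 0;
    return scan_tree_recursive(&inbox, 0, MAX_FOLDER_DEPTH, &visited) == 0 ? (int)visited : -1;
}

/* Constructed hostile tree: a folder whose child list points back at itself, so an
   unbounded scan would never terminate. Returns folders visited before the cap
   stopped the walk, i.e. max_depth + 1 counting from depth 0. */
static size_t scan_self_referencing(int max_depth)
{
    struct folder loop;
    const struct folder *kids[] = { &loop, NULL };
    size_t visited = 0;
    loop.name = "INBOX/loop"; loop.children = kids;
    scan_tree_recursive(&loop, 0, max_depth, &visited);
    return visited;
}
```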
Comment 7 Jean Delvare 2021-01-04 10:34:25 UTC
Michael, did you ever get a reply?
Comment 8 Michael Vetter 2021-01-04 11:46:57 UTC
(In reply to Jean Delvare from comment #7)
> Michael, did you ever get a reply?

Unfortunately not :(
Comment 10 Jean Delvare 2023-01-13 11:14:00 UTC
Upstream bugzilla was updated meanwhile. This bug is fixed in version 3.17.7, by this commit:

https://git.claws-mail.org/?p=claws.git;a=commit;h=3acca60b6efd93f23607754305a9810b56b44efd

Supported distributions are using more recent versions (3.18.0 in SLED 15 SP3 and Leap 15.3, 4.0.0 [which also includes the fix] in SLES 15 SP4 and Leap 15.4, 4.1.1 in Tumbleweed).

So I think we can close this bug. Reassigning to security team.
Comment 11 Wolfgang Frisch 2024-07-04 07:35:27 UTC
(In reply to Jean Delvare from comment #10)
> Upstream bugzilla was updated meanwhile. This bug is fixed in version
> 3.17.7, by this commit:
> 
> https://git.claws-mail.org/?p=claws.git;a=commit;
> h=3acca60b6efd93f23607754305a9810b56b44efd
> 
> Supported distributions are using more recent versions (3.18.0 in SLED 15
> SP3 and Leap 15.3, 4.0.0 [which also includes the fix] in SLES 15 SP4 and
> Leap 15.4, 4.1.1 in Tumbleweed).
> 
> So I think we can close this bug. Reassigning to security team.

Thank you for checking!