Email client lib blown apart by CC: list of death
LibEtPan user? Upgrade to 1.8
Developers using the open source LibEtPan library in their email agents need to patch against a null-dereference vulnerability.
Among other things, the library is used in MailCore and MailCore 2, which provide Objective C APIs to the IMAP, POP and SMTP protocols.
The bug is in LibEtPan's MIME handling in version 1.7.2 and earlier.
Designated CVE-2017-8825, the bug means the library can be crashed (in its mailimf.c component) while trying to parse a Cc: header containing multiple email addresses.
The bug was discovered by Ryan Whitworth, who probed the software using Fuzzy Lop.
It's explained in this thread: “when mailimf_group_parse() parses a header line containing a list of addresses (e.g. "Cc"), it sometimes fails, and by the time it gets to calling mailimf_group_new(display_name, mailbox_list), the pointer mailbox_list is still pointing to NULL. The code doesn't check for this outcome.”
The bug didn't live long enough to get a proof-of-concept, but as noted in the thread, segfaults like this are often exploitable.
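The failure mode described above, as an added illustration that is not LibEtPan's code: a deliberately simplified model of group-address parsing in which the list parser returns NULL on malformed input and the constructor (standing in for mailimf_group_new()) trusts its arguments. All types and function names here are hypothetical; the NULL check in parse_group() is the kind of guard the 1.8 fix adds.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for LibEtPan's structures (hypothetical, not the
 * library's own types): a mailbox list is reduced to its address count. */
struct mailbox_list { size_t n; };
struct group { const char *name; size_t n_mailboxes; };
enum { PARSE_OK = 0, PARSE_ERROR = 1 };

/* Parse the comma-separated addresses between ':' and ';'.  Returns NULL
 * when any item lacks an '@', modelling the parse failure from the thread. */
static struct mailbox_list *parse_mailbox_list(const char *s, size_t len) {
    struct mailbox_list *list = calloc(1, sizeof *list);
    size_t start = 0;
    for (size_t i = 0; list != NULL && i <= len; i++) {
        if (i < len && s[i] != ',') continue;            /* still inside an item */
        if (memchr(s + start, '@', i - start) == NULL) { /* malformed item */
            free(list);
            list = NULL;                                  /* caller receives NULL */
        } else {
            list->n++;
            start = i + 1;
        }
    }
    return list;
}

/* Constructor in the style of mailimf_group_new(): it trusts its arguments
 * and dereferences the list, so a NULL list faults right here. */
static struct group *group_new(const char *name, struct mailbox_list *list) {
    struct group *g = malloc(sizeof *g);
    if (g == NULL) return NULL;
    g->name = name;
    g->n_mailboxes = list->n;      /* the dereference that crashed on NULL */
    free(list);
    return g;
}

/* Parse "display-name: mailbox-list;" from a Cc: value.  The NULL check
 * before group_new() is the fix; the pre-1.8 flow in the thread omitted it. */
int parse_group(const char *value, struct group **out) {
    const char *colon = strchr(value, ':');
    const char *semi = colon ? strchr(colon, ';') : NULL;
    if (colon == NULL || semi == NULL) return PARSE_ERROR;   /* not group syntax */
    struct mailbox_list *list = parse_mailbox_list(colon + 1, (size_t)(semi - colon - 1));
    if (list == NULL) return PARSE_ERROR;                    /* the missing check */
    *out = group_new(value, list);
    return *out != NULL ? PARSE_OK : PARSE_ERROR;
}
```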
The library's maintainer, Hoa Viet Dinh, has fixed the bug in LibEtPan 1.8. ®