Open-Xchange: A specifically designed sieve script can cause a DoS in lib-sieve during sieve script compilation via NULL pointer dereference
News category: Vulnerabilities
Source: vulners.com
Reproduction

realcrash.sieve is the attached script.

1. Build dovecot and pigeonhole
2. Run sievec realcrash.sieve

Requirements

The include and variables extensions should be required. One of the global commands (global/export/import) without any arguments should be followed by the same command with valid (string or string list) arguments.

Problem

During validation of the parsed script, lib-sieve tries to join the arguments of consecutive global commands with the same name (export with export, global with global, import with import) in src/lib-sieve/sieve-ast.c:sieve_ast_stringlist_join. However, we can create a logically wrong export/import/global command with no arguments, and during a lookup of this command's argument list lib-sieve will fault.

Crash log with ASAN

```
==19154==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2a5d0d1564 bp 0x7ffc8e129150 sp 0x7ffc8e129130 T0)
==19154==The signal is caused by a READ memory access.
==19154==Hint: address points to the zero page.
    #0 0x7f2a5d0d1563 in sieve_ast_stringlist_join /home/rumata888/Documents/Collaboration/Fuzzing/OpenExchnage/pigeonhole/pigeonhole_clean/src/lib-sieve/sieve-ast.c:814
    #1 0x7f2a5d17e869 in cmd_global_validate /home/rumata888/Documents/Collaboration/Fuzzing/OpenExchnage/pigeonhole/pigeonhole_clean/src/lib-sieve/plugins/include/cmd-global.c:181
    #2 0x7f2a5d0edf9d in sieve_validate_command... ...
```
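
A simplified C model of the failure described under Problem, added here as an illustration and not taken from pigeonhole; every struct and function name in it is hypothetical. It shows a validation pass that rejects an argument-less command before the join of consecutive same-named commands touches its argument list.

```c
/* Added illustration: simplified model, not pigeonhole source; names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct arg { const char *value; struct arg *next; };
struct arg_list { struct arg *head, *tail; size_t len; };
struct command {
    const char *name;       /* "global", "export" or "import" */
    struct arg_list *args;  /* NULL when parsed with no arguments */
};

/* Move src's arguments onto the end of dst; -1 if a list is missing or empty. */
static int join_args_checked(struct command *dst, struct command *src)
{
    if (dst->args == NULL || src->args == NULL || src->args->head == NULL)
        return -1;          /* an unchecked join dereferences NULL here */
    if (dst->args->head == NULL)
        dst->args->head = src->args->head;
    else
        dst->args->tail->next = src->args->head;
    dst->args->tail = src->args->tail;
    dst->args->len += src->args->len;
    src->args->head = src->args->tail = NULL;
    src->args->len = 0;
    return 0;
}

/* Merge runs of same-named commands; 0 = accepted, -1 = rejected. */
static int validate_commands(struct command *cmds, size_t n)
{
    size_t first = 0;       /* command collecting the current run */
    for (size_t i = 0; i < n; i++) {
        if (cmds[i].args == NULL || cmds[i].args->len == 0)
            return -1;      /* argument-less command: reject the script */
        if (i == 0 || strcmp(cmds[i].name, cmds[first].name) != 0)
            first = i;
        else if (join_args_checked(&cmds[first], &cmds[i]) < 0)
            return -1;
    }
    return 0;
}

int main(void)
{   /* constructed input: an argument-less global followed by global "a" */
    struct arg a = { "a", NULL };
    struct arg_list la = { &a, &a, 1 };
    struct command cmds[] = { { "global", NULL }, { "global", &la } };
    printf("%s\n", validate_commands(cmds, 2) == 0 ? "accepted" : "rejected");
}
```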