Email client lib blown apart by CC: list of death

Developers using the open source LibEtPan library in their email agents need to patch against a null-dereference vulnerability.

Among other things, the library is used in MailCore and MailCore 2, which provide Objective C APIs to the IMAP, POP and SMTP protocols.

The bug is in LibEtPan's MIME handling in version 1.7.2 and earlier.

Designated CVE-2017-8825, the bug means the library can be crashed (in its mailimf.c component) trying to parse a Cc: header containing multiple email addresses.

The bug was discovered by Ryan Whitworth, who probed the software using Fuzzy Lop.

It's explained in this thread: “when mailimf_group_parse() parses a header line containing list of addresses (e.g. "Cc"), it sometimes fails, and by the time it gets to calling mailimf_group_new(display_name, mailbox_list), the pointer mailbox_list is still pointing to NULL. The code doesn't check for this outcome.”

The bug didn't live long enough to get a proof-of-concept, but as noted in the thread, segfaults like this are often exploitable.

The library's mainainer, Hoa Viet Dinh, has fixed the bug in LibEtPan 1.8, here. ®