WARNING: using attachment_dir with plugin zlib can corrupt mails

[Timo Sirainen]

On 19 Jul 2019, at 17.52, Patrick Cernko via dovecot <dovecot at dovecot.org> wrote:
> 
> Hello list, hello Dovecot developers,
> 
> this week, I discovered a serious bug in Dovecot, that lead to several broken mails on our servers. The bug corrupts the first few characters of the mail header during saving. On our setup, it was almost always only the very first line of text, that was corrupted.
..
> The bug occurs on very specific mails. Due to privacy reasons I could not provide sample mails here. Storing such mails seems to trigger the bug reproducible.
> 
> 
> I attached a very minimal doveconf -n config, that can be used to trigger the bug. If one of the developers is interested, I can try to generate an "anonymized" version of such a specific mail that still causes the issue. I discovered the bug on our productive systems, running latest Dovecot 2.2 release, but the latest 2.3 I used during debugging is affected, too.

Getting such a mail that would allow reproducing would be helpful. I can't seem to be able to reproduce this with stress testing.

https://dovecot.org/tools/ <https://dovecot.org/tools/> has a couple of scripts that can obfuscate emails in a bit different ways. For example https://dovecot.org/tools/maildir-obfuscate.pl <https://dovecot.org/tools/maildir-obfuscate.pl> might work.

I'm also wondering if Stephan's recent base64 code changes will fix this (everything is not merged yet).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190905/ef20e53c/attachment.html>