Package: libgmime-3.0-0
Version: 3.2.13+dfsg-2
Severity: important

Dear Maintainer,

in libgmime v. 3.2.13+dfsg-2, the function g_mime_utils_header_decode_text()
sometimes fails to decode chunked header lines, like “=?utf-8?B?VGhpcw==?=
=?utf-8?B?IGlzIGEgdGVzdCE=?=”, which returns the value “This” instead of the
correct “This is a test!”.  Apparently the issue has been fixed at least in
GMime v. 3.2.15.

To reproduce, compile the following trivial code
<snip>
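#include <glib/gprintf.h>       /* declares g_printf() */
#include <gmime/gmime.h>

int
main(int argc, char **argv)
{
        int n;

        g_mime_init();
        /* decode every command-line argument as an RFC 2047 header value */
        for (n = 1; n < argc; n++) {
                gchar *result;

                g_printf("arg: '%s'\n", argv[n]);
                /* NULL selects the default parser options */
                result = g_mime_utils_header_decode_text(NULL, argv[n]);
                g_printf("res: '%s'\n", result);
                g_free(result);
        }
        return 0;
}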
</snip>

and call it with the example value above:
<snip>
$ ./decode-test '=?utf-8?B?VGhpcw==?= =?utf-8?B?IGlzIGEgdGVzdCE=?='
arg: '=?utf-8?B?VGhpcw==?= =?utf-8?B?IGlzIGEgdGVzdCE=?='
res: 'This'
$ LD_PRELOAD=~/Neues/gmime-3.2.15/gmime/.libs/libgmime-3.0.so.0.214.1 ./decode-test '=?utf-8?B?VGhpcw==?= =?utf-8?B?IGlzIGEgdGVzdCE=?='
arg: '=?utf-8?B?VGhpcw==?= =?utf-8?B?IGlzIGEgdGVzdCE=?='
res: 'This is a test!'
</snip>

As the issue may lead to incorrect information being displayed to the user,
IMHO it is a serious bug.

Thanks, Albrecht.


-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-27-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgmime-3.0-0 depends on:
ii  libc6         2.36-9+deb12u9
ii  libglib2.0-0  2.74.6-2+deb12u4
ii  libgpgme11    1.18.0-3+b1
ii  libidn2-0     2.3.3-1+b1
ii  zlib1g        1:1.2.13.dfsg-1

libgmime-3.0-0 recommends no packages.

libgmime-3.0-0 suggests no packages.

-- no debconf information
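
The result the report expects follows from RFC 2047, section 6.2: linear whitespace that separates two adjacent encoded-words is ignored when the header is displayed. The following minimal reference decoder, for cross-checking a library's output against that rule, is an added example and is not part of the original report or of GMime. `decode_header` and `b64_decode` are hypothetical names; only the B encoding is handled and the charset is not converted (bytes pass through, so it suits UTF-8 or ASCII input).

```c
#include <stdlib.h>
#include <string.h>

/* Decode a base64 run, stopping at '=' padding; returns bytes written. */
static size_t b64_decode(const char *in, size_t len, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0, bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < len && in[i] != '='; i++) {
        const char *p = memchr(tbl, in[i], 64);
        if (p == NULL) continue;         /* skip bytes outside the alphabet */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        if ((bits += 6) >= 8)
            out[n++] = (char)((acc >> (bits -= 8)) & 0xff);
    }
    return n;
}

/* Hypothetical helper (not a GMime function). Returns a malloc'd string
 * that the caller frees, or NULL if allocation fails. */
char *decode_header(const char *s)
{
    size_t n = 0;
    int prev_enc = 0;                    /* previous token was an encoded-word */
    char *out = malloc(strlen(s) + 1);   /* decoded text is never longer */
    if (out == NULL)
        return NULL;
    while (*s) {
        const char *ws = s, *tok, *q = NULL;
        while (*s == ' ' || *s == '\t') s++;
        tok = s;
        while (*s && *s != ' ' && *s != '\t') s++;
        size_t tlen = (size_t)(s - tok);
        /* An encoded-word here is =?charset?B?data?= (charset not converted). */
        int enc = tlen >= 8 && !memcmp(tok, "=?", 2) && !memcmp(s - 2, "?=", 2)
            && (q = memchr(tok + 2, '?', tlen - 4)) != NULL && q + 3 <= s - 2
            && (q[1] == 'B' || q[1] == 'b') && q[2] == '?';
        if (!(enc && prev_enc)) {        /* keep whitespace unless between two */
            memcpy(out + n, ws, (size_t)(tok - ws));
            n += (size_t)(tok - ws);
        }
        if (enc) n += b64_decode(q + 3, (size_t)(s - 2 - (q + 3)), out + n);
        else { memcpy(out + n, tok, tlen); n += tlen; }
        prev_enc = enc;
    }
    out[n] = '\0';
    return out;
}
```

Whitespace between an encoded-word and ordinary text is preserved; only the gap between two encoded-words is dropped.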
