Bug#304712: [Fwd: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)]

Chris Burdess <dog@bluezoo.org>, 304712@bugs.debian.org
Sat Apr 16 11:39:03 2005


Mark Wielaard wrote:
> From: Joey Hess <joeyh@debian.org>
> Date: April 14, 2005 22:38:42 BST
> Resent-To: debian-bugs-dist@lists.debian.org
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Resent-Cc: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
> Subject: Bug#304712: avaMail allows directory traversal in attachments (CAN-2005-1105)
> Reply-To: Joey Hess <joeyh@debian.org>, 304712@bugs.debian.org
>
>
> Package: libgnumail-java
> Version: 1.0
> Severity: normal
> Tags: security
>
> CAN-2005-1105 describes a vulnerability in the JavaMail API:
>
>   MimeBodyPart.getFileName () method in the JavaMail API doesn't properly
>   validate filename attribute in Content-Disposition header, which makes it
>   vulnerable to directory traversal attacks. Successful exploitation of
>   this vulnerability allows writing arbitrary content in any directory
>   accessible to the servlet running JavaMail.
>
>   http://marc.theaimsgroup.com/?l=bugtraq&m=111335615600839&w=2
>
> Multiple implementations of this API are vulnerable, including
> libgnumail-java. Unless each program using libgnumail-java does its own
> checks of the filename for directory traversal attacks, this lack of
> sanity checking can allow overwriting of a user's files.
>
> I think this security hole is fairly theoretical at the moment since it
> seems only ant in Debian uses libgnumail-java, and it seems to only use
> it to send mail.

I don't really understand the problem here. Surely the "vulnerability" 
is introduced by the code described at the given URL (the 
saveMailAttachment method), rather than in the JavaMail framework? 
JavaMail is simply reporting what's in the actual message - it's up to 
the application to take measures to protect the user's security. 
JavaMail doesn't write the attachment to a file in any way.
-- 
Chris Burdess
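The application-side check both messages refer to (sanitising the Content-Disposition filename before writing an attachment to disk), as an added example that is not part of this bug report, libgnumail-java or JavaMail. The class name, the target directory and the sample filenames in `main` are assumptions; the filename string is whatever `MimeBodyPart.getFileName()` returned, so no mail library is needed to compile it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper: saves an untrusted attachment name safely under one directory. */
public final class SafeAttachmentSaver {
    private final Path baseDir;

    public SafeAttachmentSaver(Path baseDir) throws IOException {
        // Resolve symlinks once so later containment checks use the real directory.
        this.baseDir = baseDir.toRealPath();
    }

    /** Reduce a sender-controlled filename to a single safe path component, or null. */
    static String safeName(String untrusted) {
        if (untrusted == null) return null;
        String name = untrusted;
        // Keep only the last component, whichever separator the sender used.
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        if (cut >= 0) name = name.substring(cut + 1);
        // Drop control characters (including NUL) and leading dots, so "." and ".." vanish.
        name = name.replaceAll("\\p{Cntrl}", "").replaceAll("^\\.+", "");
        return name.isEmpty() ? null : name;
    }

    /** Resolve the sanitised name under baseDir and verify it is still inside it. */
    Path targetFor(String untrustedName) {
        String name = safeName(untrustedName);
        if (name == null) name = "attachment.bin"; // nothing usable: fall back to a fixed name
        Path target = baseDir.resolve(name).normalize();
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new IllegalArgumentException("attachment name escapes " + baseDir);
        }
        return target;
    }

    /** Write the body; Files.copy without REPLACE_EXISTING refuses to overwrite a file. */
    public Path save(String untrustedName, InputStream body) throws IOException {
        Path target = targetFor(untrustedName);
        Files.copy(body, target);
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeAttachmentSaver saver = new SafeAttachmentSaver(Files.createTempDirectory("attach"));
        // Constructed sample names: a traversal attempt and a plain name both land in baseDir.
        for (String n : new String[] {"../../escape.txt", "..\\..\\report.pdf", "notes.txt"}) {
            System.out.println(n + " -> " + saver.save(n, new ByteArrayInputStream(new byte[0])));
        }
    }
}
```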