Add advisory for SMTP injection vulnerability in mail <2.6.0

[reedloden]

Need an advisory for the mail vulnerability discussed in http://www.mbsd.jp/Whitepaper/smtpi.pdf (section 3.1)

Affects <2.6.0

[reedloden]

@mikel / @bf4 / @jeremy -- any idea which commit fixed this issue? 2.6.0 fixed a ton of stuff. :/

[reedloden]

I did a git bisect using a test case I received from the author, and if I'm understanding the issue correctly, I think mikel/mail@72befdc fixed it. Let me confer with the paper author to make sure I'm seeing the right thing.

[reedloden]

He confirms it's that rev. If the unfold method is commented out, the problem returns.

[reedloden]

The paper author has informed me "BTW, while investigating the source code of Mail, I came to think the fault might be more on Net::SMTP's side. It is difficult to say who is responsible for it, Net::SMTP, Mail or application developers (library users) though."

'mail' guys... thoughts on this? In any case, should add a test to 'mail' to ensure this doesn't pop up again. :)

[skorth]

Always learning something new, thx.

[reedloden]

Request made to MITRE (and also posted to oss-security@) for a CVE. Also requested an ID from OSVDB. Sucks we have to wait for one of them before getting this advisory published.

[jeremy]

First we've heard of this for the mail lib. Forwarded to security@ruby-lang.org, too.

[bf4]

@reedloden how the heck did you find this? Do you know if the author tried to contact anyone before publishing?

[reedloden]

@bf4 The paper was posted on r/netsec. It was indirectly mentioned in an advisory for PHPMailer as well.

I'm in contact with the author, so I will ask him, but I suspect not for Ruby at least, as the issue had been fixed already (though not on purpose, it seems).

[reedloden]

It was originally posted to the WebAppSec mailing list on 2015-12-09.