oss-sec mailing list archives
OOB read / segfault and endless loop in courier mail server 1.5.0
From: Hanno Böck <hanno () hboeck de>
Date: Sun, 26 Oct 2025 08:30:33 +0100
Hi,

I have recently reported two issues in the courier mail server's MIME parsing. The parser code is also used by courier-imap, sqwebmail, maildrop, and cone. Malformed inputs can crash or cause an endless loop.

In my tests, both issues only affected courier 1.5.0, 1.4.x versions are unaffected. Version 1.5.1 contains a fix.

These issues can be triggered by passing the base64-encoded samples below to the reformime commandline tool:

reformime -r < [poc]

Segfault / OOB read in rfc822::address::unicode_name:

TWltZS1WZXJzaW9uOjEuCkNvbnRlbnQtVHlwZTptdWx0aXBhcnQ7Ym91bmRhcnk9PQoKLS09CkZy
b206MFw9Pzw=

Endless loop / hang:

Q29udGVudC1UeXBlOiCAAA==

I have not tested whether it is possible to trigger these remotely via SMTP or IMAP.

I had reported this to courier developer Sam Varshavchik on 2025-10-23. Fixed versions of courier and the other affected packages were released on the same day [1].

[1] https://sourceforge.net/p/courier/mailman/message/59250695/

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
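A regression check for the two failure modes named in the message above (crash and endless loop), as an added example that is not part of the original post or of courier: it runs `reformime -r` on sample files under a time limit and reports one verdict per file. The function names, the verdict words, the 10-second limit and the use of GNU coreutils `timeout` are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): regression check for parser
# crashes and hangs. Assumes GNU coreutils `timeout` is installed.

# classify_run SAMPLE SECONDS COMMAND [ARGS...]
# Feeds SAMPLE to COMMAND on stdin and prints one verdict:
#   hang     still running after SECONDS (timeout exits 124)
#   not-run  command missing or not executable (timeout exits 126/127)
#   crash    killed by a signal (status >= 128, e.g. 139 = SIGSEGV)
#   handled  exited on its own with any status; rejecting bad input is fine
# Returns 0 only for "handled".
classify_run() {
    sample=$1 secs=$2
    shift 2
    status=0
    # "|| status=$?" keeps this safe when the caller uses "set -e".
    timeout "$secs" "$@" <"$sample" >/dev/null 2>&1 || status=$?
    case $status in
        124)     echo hang;    return 1 ;;
        126|127) echo not-run; return 2 ;;
    esac
    if [ "$status" -ge 128 ]; then
        echo crash
        return 1
    fi
    echo handled
}

# check_samples FILE...
# Runs each file through "reformime -r", the invocation given in the post.
# Returns non-zero if any sample did not end with the verdict "handled".
check_samples() {
    failed=0
    for f in "$@"; do
        verdict=$(classify_run "$f" 10 reformime -r) || failed=1
        printf '%s\t%s\n' "$verdict" "$f"
    done
    return "$failed"
}

# Only act when sample files are named on the command line.
if [ "$#" -gt 0 ]; then
    check_samples "$@"
fi
```

Decode each base64 sample from the message into its own file first (for example with `base64 -d`) and pass the file names as arguments. A build that contains the fix is expected to report `handled` for both.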
