Bug#1116049: mailutils: sieve segfaults with simple script

Tue, 23 Sep 2025 07:57:18 -0700 

Package: mailutils
Version: 1:3.15-4
Severity: important

Hello,

I tried a quite simple sieve filter for my first usage of this package 
and this scripting language; it looks like so (redacted a bit):

    require "fileinto";
    require "test-timestamp";

    if allof (header :matches "list-id" "<*.example.com>",
            timestamp :after "Date" "2025-09-18")
    {
            fileinto "~/tmp/";
    }

It just segfaults on launch with:

    % sieve  -f ~/Maildir test.sv
    [1]    22495 segmentation fault  sieve  -f ~/Maildir test.sv

I traced it with gdb:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7939eaa in mu_assoc_shift (asc=0x5555555af930, ret_name=0x0, 
ret_val=0x0) at ./libmailutils/base/assoc.c:968
    968           if (*ret_name)

    (gdb) bt

    #0  0x00007ffff7939eaa in mu_assoc_shift (asc=0x5555555af930, ret_name=0x0, 
ret_val=0x0) at ./libmailutils/base/assoc.c:968
    #1  0x00007ffff7dbc99b in sieve_get_mailbox (mach=0x555555580740, 
filename=0x555555591d80 "~/Maildir/", flags=0, ret_mbox=0x7fffffffde80) at 
./libmu_sieve/actions.c:155
    #2  0x00007ffff7dbcb60 in sieve_action_fileinto (mach=0x555555580740) at 
./libmu_sieve/actions.c:202
    #3  0x00007ffff7dc28ff in instr_run (mach=0x555555580740, 
what=0x7ffff7dd0eab "ACTION") at ./libmu_sieve/runtime.c:71
    #4  0x00007ffff7dc298b in _mu_i_sv_instr_action (mach=0x555555580740) at 
./libmu_sieve/runtime.c:84
    #5  0x00007ffff7dc2f4b in sieve_run (mach=0x555555580740) at 
./libmu_sieve/runtime.c:238
    #6  0x00007ffff7dc30da in _sieve_action (obs=0x555555588e50, type=256, 
data=0x7fffffffe060, action_data=0x0) at ./libmu_sieve/runtime.c:276
    #7  0x00007ffff7944187 in mu_observer_action (observer=0x555555588e50, 
type=256, data=0x7fffffffe060) at ./libmailutils/base/observer.c:70
    #8  0x00007ffff79446be in mu_observable_notify (observable=0x55555556f770, 
type=256, data=0x7fffffffe060) at ./libmailutils/base/observer.c:248
    #9  0x00007ffff7da4449 in mboxrd_dispatch (mailbox=0x555555588580, evt=256, 
data=0x7fffffffe060) at ./libproto/mbox/mboxrd.c:248
    #10 0x00007ffff7da49f7 in scan_message_finalize (dmp=0x55555557ed70, 
dmsg=0x5555555946d0, stream=0x5555555943b0, n=1, 
force_init_uids=0x7fffffffe09c) at ./libproto/mbox/mboxrd.c:469
    #11 0x00007ffff7da582b in mboxrd_rescan_unlocked (mailbox=0x555555588580, 
offset=0) at ./libproto/mbox/mboxrd.c:757
    #12 0x00007ffff7da5ac2 in mboxrd_rescan (mailbox=0x555555588580, offset=0) 
at ./libproto/mbox/mboxrd.c:808
    #13 0x00007ffff7da5b9e in mboxrd_refresh (mailbox=0x555555588580) at 
./libproto/mbox/mboxrd.c:828
    #14 0x00007ffff7da5d04 in mboxrd_scan (mailbox=0x555555588580, i=1, 
pcount=0x7fffffffe290) at ./libproto/mbox/mboxrd.c:855
    #15 0x00007ffff797c1c8 in mu_mailbox_scan (mbox=0x555555588580, msgno=1, 
pcount=0x7fffffffe290) at ./libmailutils/mailbox/mailbox.c:604
    #16 0x00007ffff7dc31c8 in mu_sieve_mailbox (mach=0x555555580740, 
mbox=0x555555588580) at ./libmu_sieve/runtime.c:302
    #17 0x0000555555557f6d in sieve_mailbox (mach=0x555555580740) at 
./sieve/sieve.c:424
    #18 0x00005555555586d9 in main (argc=1, argv=0x7fffffffe4a0) at 
./sieve/sieve.c:596

I found a fix in salsa’s git from last June, commit 
7fab83cc95ef3bda85c071fe56943f749db310a3 which fixes this NULL pointer 
dereference.

The above callsite is the *only* caller of mu_assoc_shift, which 
furthermore calls it always with NULL as ret_name. This is furthermore 
in the sieve_get_mailbox() function of the fileinto action, which seems 
quite fundamental to me.  Which makes me conclude that "sieve" is simply 
unusable because of this bug.  The fix is in version 3.20 of mailutils, 
so basically even trixie’s sieve is broken (I’m on bookworm but just had 
a look).  Thus the severity important.

Could you backport the aforementionned commit, at least for trixie, 
please?

Thanks.
-- Benjamin

-- System Information:
Debian Release: 12.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable-debug'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.22+bpo-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mailutils depends on:
ii  libc6             2.36-9+deb12u10
ii  libcrypt1         1:4.4.33-2
ii  libfribidi0       1.0.8-2.1
ii  libgnutls30       3.7.9-2+deb12u5
ii  libgsasl18        2.2.0-1
ii  libldap-2.5-0     2.5.13+dfsg-5
ii  libmailutils9     1:3.15-4
ii  libncurses6       6.4-4
ii  libpam0g          1.5.2-6+deb12u1
ii  libreadline8      8.2-1.3
ii  libtinfo6         6.4-4
ii  libunistring2     1.0-2
ii  mailutils-common  1:3.15-4

Versions of packages mailutils recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.96-15+deb12u7

Versions of packages mailutils suggests:
ii  mailutils-doc  1:3.15-4
pn  mailutils-mh   <none>

-- no debconf information

Reply via email to