Bug #7950

Potentially incorrect decoding of quoted-printable mime text attachments

Added by Ma Ja 5 days ago. Updated about 12 hours ago.

Status: In Review
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If I am correct, there might be a problem with decoding quoted-printable encoded email text attachments in Suricata.

In addition, if there is an empty line at the end of the last attachment (before the "."), it is also appended to the decoded file. AFAIK, that should not be the case.

I believe I found a test case where Suricata 7.0.12 and 8.0.1 and the GMime library (as a reference) all produce different text file output and checksums, which might induce an IoC matching problem.

  • "testcase.smtp" is the SMTP stream from the PCAP, extracted with Wireshark's Follow TCP Stream.
  • "Attachment2-gmime" is the output that is generated by the GMime library.
  • "Attachment2-suri7" and "Attachment2-suri8" are the respective outputs of the above versions when activating filestore.

$ diff Attachment2-gmime Attachment2-suri7 
119c119
< ===================================================================
---
> ==3D================================================================
246,247c246
< +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, 
< const gchar**  ret_url)
---
> +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, const gchar**  ret_url)
451c450
< ===================================================================
---
> ==========================================3D========================
1037a1037
>
$ diff Attachment2-gmime Attachment2-suri8 
119c119
< ===================================================================
---
> ==3D================================================================
246,247c246
< +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, 
< const gchar**  ret_url)
---
> +static gboolean related_url_string_cb(field_info *finfo, gboolean doit, const gchar**  ret_url)
451c450
< ===================================================================
---
> ==========================================D========================
1037a1037
> 

Hopefully I did not make a mistake. But if I am correct, there might be unwanted IoC differences.

Best regards,
MaJa
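A reference decoder to compare outputs against, added here as an example and not code from the ticket, from Suricata or from GMime. It applies the RFC 2045 quoted-printable rules the report turns on (an "=3D" sequence anywhere in a line, including as its last three octets, and soft line breaks) plus the RFC 2046 rule that the CRLF preceding a boundary belongs to the delimiter, so the trailing empty line the report mentions is not appended, and then hashes each decoded part the way a filestore would. The multipart layout, the boundary "xyz" and the message text are constructed assumptions; the stdlib `quopri` module serves as a second reference, as GMime does in the report.

```python
import hashlib
import quopri  # stdlib decoder, used here only as a second reference
HEX = b"0123456789ABCDEFabcdef"

def decode_qp(encoded: bytes) -> bytes:
    """RFC 2045 6.7 decoder, CRLF line ends assumed: '=XY' -> byte 0xXY wherever
    it falls (even as a line's last three octets); a bare '=' before CRLF is a
    soft break (drop both); whitespace before a hard CRLF is discarded."""
    out = bytearray()
    lines = encoded.split(b"\r\n")
    for idx, line in enumerate(lines):
        line = line.rstrip(b" \t")          # transport-added trailing whitespace
        soft = line.endswith(b"=")
        line = line[:-1] if soft else line
        i = 0
        while i < len(line):
            if line[i] == 0x3D and i + 3 <= len(line) \
                    and line[i + 1] in HEX and line[i + 2] in HEX:
                out.append(int(line[i + 1:i + 3], 16))
                i += 3
            else:                           # literal byte; a stray '=' is kept
                out.append(line[i])
                i += 1
        if not soft and idx < len(lines) - 1:
            out += b"\r\n"
    return bytes(out)

def part_bodies(raw: bytes, boundary: bytes) -> list:
    """Per RFC 2046 5.1.1 the CRLF before a boundary delimiter belongs to the
    delimiter, so a part that ends with an empty line keeps exactly one CRLF."""
    bodies = []
    for chunk in (b"\r\n" + raw).split(b"\r\n--" + boundary)[1:]:
        if chunk.startswith(b"--"):         # closing delimiter; epilogue follows
            break
        bodies.append(chunk.partition(b"\r\n\r\n")[2])  # skip the part headers
    return bodies

def decoded_sha256(raw: bytes, boundary: bytes) -> list:
    # one digest per decoded part: the value a filestore-style IoC match sees
    return [hashlib.sha256(decode_qp(b)).hexdigest() for b in part_bodies(raw, boundary)]
def matches_reference(body: bytes) -> bool:
    return decode_qp(body) == quopri.decodestring(body)

# Constructed sample (not the ticket's pcap): a 76-octet line whose soft break
# follows an encoded '=', and an empty line before the closing boundary and '.'
BOUNDARY = b"xyz"
SAMPLE = (b"--xyz\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n"
          + b"=3D" * 25 + b"=\r\n=3D=3D\r\n"
          + b"static gboolean cb(field_info *finfo, gboolean doit,=20\r\n"
          + b"const gchar** ret_url)\r\n\r\n--xyz--\r\n.\r\n")
```

Running `decoded_sha256(SAMPLE, BOUNDARY)` on the same stream under each decoder under test and diffing the digests is the check the report describes; any mismatch means the decoders disagree on the file content and therefore on the IoC.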


Files

testcase.smtp (42.6 KB), Ma Ja, 09/24/2025 01:47 PM
testcase.pcap (131 KB), Ma Ja, 09/24/2025 01:47 PM
Attachment2-gmime (33.4 KB), Ma Ja, 09/24/2025 01:56 PM
Attachment2-suri7 (33.4 KB), Ma Ja, 09/24/2025 01:56 PM
Attachment2-suri8 (33.4 KB), Ma Ja, 09/24/2025 01:56 PM

Subtasks (2 open, 0 closed)

  • Bug #7961: Potentially incorrect decoding of quoted-printable mime text attachments (8.0.x backport), Assigned, Philippe Antoine
  • Bug #7962: Potentially incorrect decoding of quoted-printable mime text attachments (7.0.x backport), Assigned, Philippe Antoine