pkgsrc-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
pkg/31018: update mail/mutt
>Number: 31018
>Category: pkg
>Synopsis: update mail/mutt
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 20 04:25:00 +0000 2005
>Originator: Zafer Aydogan
>Release: 3.99.7
>Organization:
>Environment:
i386
>Description:
There is a buffer overflow in mutt found thanks to ProPolice, which may
allow an attacker to execute code by sending a maliciously crafted email.
All latest versions appear affected
See also Full Disclosure:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0594.html
>How-To-Repeat:
The problem is in the mutt attachment/encoding/decoding functions,
specifically handler.c:mutt_decode_xbit() and the buffer
bufi[BUFI_SIZE]. The variable 'l' is used as a counter to reference a
position in the buffer and under certain circumstances its value can be
manipulated and becomes much larger than the size of this buffer, thus
overwriting other memory with many possible consequences. This counter
should never exceed the size and I believe the logic in the
convert_to_state() function is supposed to reset it to 0, however
there is a flaw - I have included a possible fix but I'm not sure
it's the 100% correct fix and there seem to be no developers
willing to fix this so far. There are other functions affected in
the same way due to copy/paste, such as mutt_decode_uuencoded() that
this patch should also fix.
>Fix:
--- handler.c.orig Tue Mar 26 02:49:51 2002
+++ handler.c Wed Aug 10 16:55:02 2005
@@ -95,7 +95,7 @@ static void convert_to_state(iconv_t cd,
return;
}
- if (cd == (iconv_t)(-1))
+ if (cd == (iconv_t)(-1) || *l >= BUFI_SIZE)
{
state_prefix_put (bufi, *l, s);
*l = 0;
Home |
Main Index |
Thread Index |
Old Index