SecurityTracker.com
Category:   Application (E-mail Client)  >   Mutt
Vendors:   Mutt.org
(Slackware Issues Fix) Re: Mutt E-mail Client Buffer Overflow May Let Remote Users Cause Arbitrary Commands to Be Executed on the Mutt User's Host
SecurityTracker Alert ID:  1003150
SecurityTracker URL:  http://securitytracker.com/id/1003150
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 8 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): mutt-1.2.5 and 1.3.24 and prior releases
Description:   A buffer overflow vulnerability was reported in the Mutt e-mail client that may allow remote users to cause arbitrary commands to be executed by another user's Mutt e-mail client.

It is reported that this vulnerability is remotely exploitable. The bug is apparently due to a one-byte buffer overflow. No other details on the vulnerability were provided.

Impact:   A remote user may be able to create an e-mail message that, when viewed by another user with the Mutt client, will cause arbitrary commands to be executed by the Mutt client with the privileges of the user running Mutt.
Solution:   A fix is available for Slackware Linux:

Updated mutt package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mutt.tgz

Updated mutt package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/mutt-1.2.5.1/packages/mutt-1.2.5.1-i386-1.tgz

Here are the md5sums for the packages:

Slackware 8.0:
3172435c584b0cb22ede37b7fafc25c6 mutt.tgz

Slackware -current:
3172435c584b0cb22ede37b7fafc25c6 mutt-1.2.5.1-i386-1.tgz

Simply upgrade (or install) as root:

# upgradepkg mutt.tgz

or

# installpkg mutt.tgz

Vendor URL:  www.mutt.org/announce/mutt-1.2.5.1-1.3.25.html
Cause:   Boundary error
Underlying OS:  Linux (Slackware)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 2 2002 Mutt E-mail Client Buffer Overflow May Let Remote Users Cause Arbitrary Commands to Be Executed on the Mutt User's Host



 Source Message Contents

Subject:  [slackware-security] mutt remote exploit patched




An exploitable overflow has been found in the address handling code of the
mutt mail client version 1.2.5i supplied with Slackware 8.0.  A new
mutt-1.2.5.1 has been released which addresses this problem, and packages
are now available for Slackware 8.0 and -current.

We urge all Slackware users to upgrade to this new version of mutt as soon
as possible.


WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated mutt package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mutt.tgz

Updated mutt package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/mutt-1.2.5.1/packages/mutt-1.2.5.1-i386-1.tgz


MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.0:
3172435c584b0cb22ede37b7fafc25c6  mutt.tgz

Slackware -current:
3172435c584b0cb22ede37b7fafc25c6  mutt-1.2.5.1-i386-1.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

Simply upgrade (or install) as root:

   # upgradepkg mutt.tgz

or
  
   # installpkg mutt.tgz


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com



Copyright 2019, SecurityGlobal.net LLC