SecurityTracker.com

Category:   Application (E-mail Client)  >   Mutt
Vendors:   Mutt.org
Mutt Off-by-one Buffer Overflow in Processing IMAP Messages May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006405
SecurityTracker URL:  http://securitytracker.com/id/1006405
CVE Reference:   CVE-2003-0167
Date:  Mar 28 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.3.28 and prior versions
Description:   A potential buffer overflow vulnerability was reported in the Mutt e-mail client. A remote user may be able to execute arbitrary code.

Byrial Jensen reported that there is a potential buffer overflow caused by an off-by-one error in Mutt's 'imap/util.c' file on line 125. The maximum field width in a sscanf() function call is 1 byte too large.

A remote user (acting as an IMAP server) may be able to cause a target user's Mutt client to crash or possibly execute arbitrary code when connected to the IMAP server.

[Editor's note: This was made public in April 2002, but not widely reported on security discussion lists.]
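The width rule behind this off-by-one, as an added example that is not Mutt's code or part of the original advisory: a scanf field width counts only the characters stored, and the terminating NUL is written in addition. The helper names, the 8-byte buffer and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Mutt): copy the text between '{' and '}'
 * in path into out, which holds outsz bytes. Returns 0 on success and -1
 * on malformed or over-long input. */
int parse_braced(const char *path, char *out, size_t outsz)
{
    char fmt[32];
    int end = -1;

    if (outsz < 2)
        return -1;
    /* The field width excludes the terminating NUL, so it must be
     * outsz - 1, never outsz. */
    snprintf(fmt, sizeof fmt, "{%%%zu[^}]}%%n", outsz - 1);
    if (sscanf(path, fmt, out, &end) != 1)
        return -1;
    /* %n is only reached when the closing '}' matched. If the field was
     * cut off at the width limit, end stays -1 and the input is rejected
     * instead of being silently truncated. */
    return end < 0 ? -1 : 0;
}

/* Scan a constructed over-long input into the first 8 bytes of a 16-byte
 * region with the given field width and return the byte at index 8, the
 * first byte past the 8-byte "buffer". The region is a single array, so
 * the stray write is observable without undefined behaviour. */
int guard_after_scan(unsigned width)
{
    char region[16], fmt[32];

    memset(region, 'G', sizeof region);
    snprintf(fmt, sizeof fmt, "{%%%u[^}]}", width);
    sscanf("{AAAAAAAAAAAAAAAA}", fmt, region);
    return region[8];
}

int main(void)
{
    char host[8];

    printf("width 8: guard byte = %d\n", guard_after_scan(8));
    printf("width 7: guard byte = %d\n", guard_after_scan(7));
    printf("over-long input: %d\n",
           parse_braced("{AAAAAAAAAAAAAAAA}", host, sizeof host));
    return 0;
}
```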

Impact:   A remote IMAP server may be able to cause a target user's connected Mutt client to crash or execute arbitrary code.
Solution:   The vendor corrected this flaw in version 1.3.99i and later versions. The latest versions are available at:

http://mutt.org/download.html

Vendor URL:  www.mutt.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix for 3.0) Re: Mutt Off-by-one Buffer Overflow in Processing IMAP Messages May Let Remote Users Execute Arbitrary Code
Debian has issued a fix for 3.0. A fix for 2.2 is pending.
(Debian Issues Fix for 2.2) Mutt Off-by-one Buffer Overflow in Processing IMAP Messages May Let Remote Users Execute Arbitrary Code
Debian has released a fix for Debian Linux 2.2.
(Debian Issues Fix for Balsa) Mutt Off-by-one Buffer Overflow in Processing IMAP Messages May Let Remote Users Execute Arbitrary Code
Debian has released a fix for Balsa.



 Source Message Contents

Subject:  Buffer overflow in imap/util.c


List:     mutt-dev
Subject:  [1.3.28] Patch: Buffer overflow in imap/util.c
From:     Byrial Jensen <byrial () image ! dk>
Date:     2002-04-28 20:20:04

--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

There is a possible buffer overflow due to an off-by-one error in
imap/util.c, line 125. The error is in the maximum field width
indication in the sscanf() call. You must have room in the
receiving buffer for this number of characters /plus a
terminating NULL character/.

--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="patch-1.3.28.bj.sscanf_fix.1"

--- imap/util.c~	Sun Jan 13 22:16:34 2002
+++ imap/util.c	Sun Apr 28 21:56:29 2002
@@ -122,7 +122,7 @@ int imap_parse_path (const char* path, I
   else
   {
     FREE (&c);
-    if (sscanf (path, "{%128[^}]}", tmp) != 1) 
+    if (sscanf (path, "{%127[^}]}", tmp) != 1)
       return -1;
 
     c = strchr (path, '}');
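Review bot: The `!= 1` check on the changed sscanf line does not catch over-long input. When the text between the braces is longer than 127 characters the conversion still succeeds and sscanf returns 1, so tmp holds a silently truncated value while the following `c = strchr (path, '}');` locates the real closing brace. Consider rejecting that case, for example by adding `%n` after the closing `}` in the format and checking that it was set. The literal 127 also depends on the size of tmp, which is declared outside this hunk; deriving the width from the buffer size, or a comment tying the two together, would keep them from drifting apart again.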
@@ -140,7 +140,7 @@ int imap_parse_path (const char* path, I
       mx->account.flags |= M_ACCT_USER;
     }
   
-    if ((n = sscanf (tmp, "%128[^:/]%128s", mx->account.host, tmp)) < 1)
+    if ((n = sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp)) < 1)
     {
       dprint (1, (debugfile, "imap_parse_path: NULL host in %s\n", path));
       FREE (&mx->mbox);
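Review bot: In the changed line, tmp is both the string being scanned and the destination of the second conversion (`%127s`), so sscanf copies between overlapping objects, which ISO C leaves undefined. Scanning the remainder into a separate buffer, or computing an offset into tmp instead of copying, would remove that dependency on implementation behaviour. The `%127[^:/]` conversion is also only safe if mx->account.host is at least 128 bytes; its declaration is not visible in this hunk and is worth confirming alongside the change.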
@@ -148,7 +148,7 @@ int imap_parse_path (const char* path, I
     }
   
     if (n > 1) {
-      if (sscanf (tmp, ":%hd%128s", &(mx->account.port), tmp) >= 1)
+      if (sscanf (tmp, ":%hd%127s", &(mx->account.port), tmp) >= 1)
 	mx->account.flags |= M_ACCT_PORT;
       if (sscanf (tmp, "/%s", tmp) == 1)
       {
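Review bot: The unchanged context line `if (sscanf (tmp, "/%s", tmp) == 1)` still uses `%s` with no field width, and like the changed line above it reads from and writes to tmp in the same call. Giving it the same `%127s` bound and a separate destination would make all the sscanf calls in this function consistent and avoid the overlapping copy. The `%hd` conversion also requires mx->account.port to be a short; its type is not visible here, so it is worth checking while touching this line.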

--GvXjxJ+pjyke8COw--



Copyright 2019, SecurityGlobal.net LLC