SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Mutt
Vendors:   Mutt.org
(Vendor Issues Fix) Mutt Index Menu Code Lets Remote Users Crash the Client
SecurityTracker Alert ID:  1009022
SecurityTracker URL:  http://securitytracker.com/id/1009022
CVE Reference:   CVE-2004-0078
Date:  Feb 11 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.1
Description:   A vulnerability was reported in Mutt. A remote user can cause the target user's mail client to crash and may be able to execute arbitrary code.

It is reported that there is a vulnerability in the index menu code in mutt. A remote user can send a specially crafted e-mail message to the target user that will cause the target user's mutt client to crash (segfault). It may be possible to execute arbitrary code, the report said.

The nature of the flaw was not disclosed.

Impact:   A remote user can cause the target user's mutt client to crash.

It may also be possible for a remote user to cause arbitrary code to be executed on the target user's system.

Solution:   The vendor has released a fixed version (1.4.2), available at:

ftp://ftp.mutt.org/mutt/

The distribution files are:

MD5 checksum                      file name               size

44fc379c317109f516894a7c3fd43cc9  diff-1.4.1i-1.4.2i.gz   (23k)
6045b47cbba8170d6a9fdccc1aa817b9  mutt-1.4.2i.tar.gz      (2.4M)

Vendor URL:  www.mutt.org/
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 11 2004 Mutt Index Menu Code Lets Remote Users Crash the Client



 Source Message Contents

Subject:  Mutt-1.4.2 fixes buffer overflow.



Mutt-1.4.2 has just been released; this version fixes a buffer
overflow that can be triggered by incoming messages.  There are
reports about spam that has actually triggered this problem and
crashed mutt.

It is recommended that users of mutt versions prior to 1.4.2 upgrade
to this version, or apply the patch included below.

Users of "unstable" mutt versions after 1.3.28 (including 1.5.*) do
not need to upgrade, as this problem had been fixed in the unstable
branch in February 2002; unfortunately, the fix was not backported
before 1.4 was released.


mutt-1.4.2 can be found at ftp://ftp.mutt.org/mutt/.

Distribution files:

MD5 checksum                      file name               size

44fc379c317109f516894a7c3fd43cc9  diff-1.4.1i-1.4.2i.gz   (23k)
6045b47cbba8170d6a9fdccc1aa817b9  mutt-1.4.2i.tar.gz      (2.4M)

Linux distributors are expected to release updated mutt packages
shortly.


Credits:  The problem in the stable mutt code base was originally
reported to Red Hat, and was brought to my attention by Mark Cox.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0078 to this issue.

Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.






Index: menu.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/mutt/mutt/menu.c,v
retrieving revision 2.27.2.1
diff -u -r2.27.2.1 menu.c
--- menu.c	28 Jan 2002 10:18:50 -0000	2.27.2.1
+++ menu.c	11 Feb 2004 10:05:52 -0000
@@ -148,30 +148,13 @@
     menu->make_entry (s, l, menu, i);
 }
=20
-void menu_pad_string (char *s, size_t l)
+void menu_pad_string (char *s, size_t n)
 {
-  size_t n =3D mutt_strlen (s);
   int shift =3D option (OPTARROWCURSOR) ? 3 : 0;
- =20
-  l--; /* save room for the terminal \0 */
-  if (l > COLS - shift)
-    l =3D COLS - shift;
+  int cols =3D COLS - shift;
=20
-  /* Let's just pad the string anyway ... */
-  mutt_format_string (s, INT_MAX, l, l, 0, ' ', s, n, 1);
-  return;
-
-#if !defined (HAVE_BKGDSET) && !defined (USE_SLANG_CURSES)
-  /* we have to pad the string with blanks to the end of line */
-  if (n < l)
-  {
-    while (n < l)
-      s[n++] =3D ' ';
-    s[n] =3D 0;
-  }
-  else
-#endif
-    s[l] =3D 0;
+  mutt_format_string (s, n, cols, cols, 0, ' ', s, strlen (s), 1);
+  s[n - 1] =3D 0;
 }
=20
 void menu_redraw_full (MUTTMENU *menu)
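
Review bot: `s[n - 1] = 0;` on the last added line of menu_pad_string assumes n is at least 1; n is a size_t, so a caller passing 0 makes n - 1 wrap around and the store lands far outside s. A guard such as `if (!n) return;` at the top of the function would make that precondition explicit. The parameter also changes meaning here: the old `l` was decremented in the body to leave room for the terminator, while the new `n` is passed straight through as the second argument to mutt_format_string in place of INT_MAX, so it now has to be the full size of the buffer. A one-line comment stating that would help anyone auditing the call sites, which this diff does not show. Separately, `cols` is computed as COLS - shift and passed twice to mutt_format_string with no check for a zero or negative result.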


 
 



Copyright 2019, SecurityGlobal.net LLC