SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Mutt Vendors:   Mutt.org
(Slackware Issues Fix) Mutt Index Menu Code Lets Remote Users Crash the Client
SecurityTracker Alert ID:  1009032
SecurityTracker URL:  http://securitytracker.com/id/1009032
CVE Reference:   CVE-2004-0078   (Links to External Site)
Date:  Feb 12 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.1
Description:   A vulnerability was reported in Mutt. A remote user can cause the target user's mail client to crash and may be able to execute arbitrary code.

It is reported that there is a vulnerability in the index menu code in mutt. A remote user can send a specially crafted e-mail message to the target user that will cause the target user's mutt client to crash (segfault). It may be possible to execute arbitrary code, the report said.

The nature of the flaw was not disclosed.

Impact:   A remote user can cause the target user's mutt client to crash.

It may also be possible for a remote user to cause arbitrary code to be executed on the target user's system.

Solution:   Slackware has released a fix.

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mutt-1.4.2i-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mutt-1.4.2i-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mutt-1.4.2i-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mutt-1.4.2i-i486-1.tgz

The MD5 signatures are:

Slackware 8.1 package:
6250fb75363a53d2286721c48d621698 mutt-1.4.2i-i386-1.tgz

Slackware 9.0 package:
47baa04aa5a84862e682cac9232b9c91 mutt-1.4.2i-i386-1.tgz

Slackware 9.1 package:
86a9330a2e9a0dcc9e34fce1ec6365e1 mutt-1.4.2i-i486-1.tgz

Slackware -current package:
e3e397cba66b0c278d74dc31cec3c96d mutt-1.4.2i-i486-1.tgz

To install, upgrade the mutt package with upgradepkg:

# upgradepkg mutt-1.4.2i-i486-1.tgz

Vendor URL:  www.mutt.org/ (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Slackware)
Underlying OS Comments:  8.1, 9.0, 9.1, and -current

Message History:   This archive entry is a follow-up to the message listed below.
Feb 11 2004 Mutt Index Menu Code Lets Remote Users Crash the Client



 Source Message Contents

Subject:  [slackware-security] mutt security update (SSA:2004-043-01)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mutt security update (SSA:2004-043-01)

Mutt is a text-based program for reading electronic mail.

New mutt packages are available for Slackware 8.1, 9.0, 9.1,
and -current.  These have been upgraded to version 1.4.2i to
fix a buffer overflow that could lead to a machine compromise.
All sites using mutt should upgrade to the new mutt package.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Thu Feb 12 10:00:37 PST 2004
patches/packages/mutt-1.4.2i-i486-1.tgz:  Upgraded to mutt-1.4.2i.
  This fixes an overflow that is a potential security hole.  Here's the
  information from www.mutt.org:
    "Mutt 1.4.2 was released on February 11, 2004. This version fixes a buffer
     overflow that can be triggered by incoming messages.  There are reports
     about spam that has actually triggered this problem and crashed mutt. It
     is recommended that users of mutt versions prior to 1.4.2 upgrade to this
     version, or apply the patch included below."
  (* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mutt-1.4.2i-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mutt-1.4.2i-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mutt-1.4.2i-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mutt-1.4.2i-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
6250fb75363a53d2286721c48d621698  mutt-1.4.2i-i386-1.tgz

Slackware 9.0 package:
47baa04aa5a84862e682cac9232b9c91  mutt-1.4.2i-i386-1.tgz

Slackware 9.1 package:
86a9330a2e9a0dcc9e34fce1ec6365e1  mutt-1.4.2i-i486-1.tgz

Slackware -current package:
e3e397cba66b0c278d74dc31cec3c96d  mutt-1.4.2i-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade the mutt package with upgradepkg:

# upgradepkg mutt-1.4.2i-i486-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAK83NakRjwEAQIjMRAtiPAJ4qgDsw9YHNKFRLnLzXBi6zbDWK5wCghLvc
ledTWcnWqPvPVogQMb5JNFo=
=36nK
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC