From ${URL} :

The Debian DSA-2874-1 security advisory (http://www.debian.org/security/2014/dsa-2874) corrected an overflow in the mutt mail reader. Analysis of the crash reveals this is likely a heap-based buffer overflow in the mutt_copy_hdr() function. Opening a specially-crafted mail message could cause mutt to crash or, potentially, execute arbitrary code.

The fix looks to be as follows:

+diff -r 3d5e23a66a1a -r 9bf7593e3c08 copy.c +--- a/copy.c Thu Oct 24 09:55:36 2013 -0700 ++++ b/copy.c Tue Mar 11 09:40:09 2014 -0700 +@@ -254,6 +254,7 @@ + { + if (!address_header_decode (&this_one)) + rfc2047_decode (&this_one); ++ this_one_len = mutt_strlen (this_one); + } + + if (!headers[x]) +

(Note as this is copied from the Debian diff, it is actually a one line change of "this_one_len = mutt_strlen (this_one);")

From brief testing on Red Hat Enterprise Linux 6, the message's headers had to be viewed (via the "h" command) in order to trigger the issue.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
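Review bot: the added `this_one_len = mutt_strlen (this_one);` in the copy.c hunk has no comment saying why the length must be taken again at this point, and it only covers the path through this one block. Both `address_header_decode (&this_one)` and `rfc2047_decode (&this_one)` are passed the address of `this_one`, so the string can differ after they return; a one-line comment stating that `this_one_len` has to track the decoded string would keep a later edit from dropping or reordering the assignment. It is also worth checking the rest of the function for any other place that rewrites `this_one` or uses `this_one_len` afterwards, so that no remaining path pairs the old length with a new string.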
mutt is bumped with grobian's permission.
Arches, please test and stabilize: =net-mail/mutt-1.5.22-r3.ebuild Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ia64 stable
alpha stable
ppc64 stable
CVE-2014-0467 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0467): Buffer overflow in copy.c in Mutt before 1.5.23 allows remote attackers to cause a denial of service (crash) via a crafted RFC2047 header line, related to address expansion.
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201406-05 at http://security.gentoo.org/glsa/glsa-201406-05.xml by GLSA coordinator Chris Reffett (creffett).