Bug 917610 (CVE-2023-4874, CVE-2023-4875) - <mail-client/mutt-2.2.12: crashes via malformed email messages
Summary: <mail-client/mutt-2.2.12: crashes via malformed email messages
Status: IN_PROGRESS
Alias: CVE-2023-4874, CVE-2023-4875
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://lists.mutt.org/pipermail/mutt-...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 917611
Blocks:
Reported: 2023-11-20 02:35 UTC by John Helmert III
Modified: 2024-03-01 05:14 UTC
See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-20 02:35:39 UTC
According to the release announcement, "This is a bug-fix
release, fixing two crash issues.  One is possible by viewing a
crafted message header, so upgrading is strongly recommended."

Please stabilize 2.2.12.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-22 19:30:27 UTC
Please clean up.
Comment 2 Larry the Git Cow gentoo-dev 2023-11-23 07:54:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b447922cb1cf28436eeb6ecea10ac7d1ea08ba53

commit b447922cb1cf28436eeb6ecea10ac7d1ea08ba53
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2023-11-23 07:51:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2023-11-23 07:51:18 +0000

    mail-client/mutt: cleanup old and vulnerable
    
    Bug: https://bugs.gentoo.org/917610
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest           |   4 -
 mail-client/mutt/mutt-2.2.10.ebuild | 273 ------------------------------------
 mail-client/mutt/mutt-2.2.3.ebuild  | 262 ----------------------------------
 3 files changed, 539 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 18:00:24 UTC
(CVEs are according to https://www.openwall.com/lists/oss-security/2023/09/26/6)
Comment 4 Guilherme Amadio gentoo-dev 2024-02-29 10:09:58 UTC
Not sure, is this the same bug? I got this crash with mutt 2.2.12:

Core was generated by `mutt -f imaps://outlook.office365.com/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f41c7c7a330 in SLang_do_key () from /usr/lib64/libslang.so.2
(gdb) bt
#0  0x00007f41c7c7a330 in SLang_do_key () from /usr/lib64/libslang.so.2
#1  0x00007f41c7c9a75c in SLkp_getkey () from /usr/lib64/libslang.so.2
#2  0x00007f41c7c980e2 in SLcurses_wgetch () from /usr/lib64/libslang.so.2
#3  0x000055b9f2136e24 in mutt_monitor_getch () at curs_lib.c:145
#4  0x000055b9f2139460 in mutt_getch () at curs_lib.c:172
#5  0x000055b9f215aa67 in km_dokey (menu=2) at keymap.c:474
#6  0x000055b9f2161e90 in mutt_menuLoop (menu=0x55b9f2e3c7f0) at menu.c:1095
#7  0x000055b9f213260f in mutt_compose_menu (sctx=sctx@entry=0x55b9f2aa3f10) at compose.c:1103
#8  0x000055b9f218be39 in send_message_resume_compose_menu (sctx=sctx@entry=0x55b9f2aa3f10) at send.c:2412
#9  0x000055b9f218c865 in mutt_send_message_resume (psctx=psctx@entry=0x7ffefcf33160) at send.c:2752
#10 0x000055b9f218c99a in mutt_send_message (flags=flags@entry=49152, msg=msg@entry=0x0, tempfile=tempfile@entry=0x0, ctx=0x55b9f2ab8650, cur=cur@entry=0x0)
    at send.c:2822
#11 0x000055b9f2140c3d in mutt_index_menu () at curs_main.c:2503
#12 0x000055b9f215d3ad in main (argc=1, argv=<optimized out>, environ=<optimized out>) at main.c:1112
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-01 05:14:24 UTC
(In reply to Guilherme Amadio from comment #4)
> Not sure, is this the same bug? I got this crash with mutt 2.2.12:
> 
> Core was generated by `mutt -f imaps://outlook.office365.com/'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007f41c7c7a330 in SLang_do_key () from /usr/lib64/libslang.so.2
> (gdb) bt
> #0  0x00007f41c7c7a330 in SLang_do_key () from /usr/lib64/libslang.so.2
> #1  0x00007f41c7c9a75c in SLkp_getkey () from /usr/lib64/libslang.so.2
> #2  0x00007f41c7c980e2 in SLcurses_wgetch () from /usr/lib64/libslang.so.2
> #3  0x000055b9f2136e24 in mutt_monitor_getch () at curs_lib.c:145
> #4  0x000055b9f2139460 in mutt_getch () at curs_lib.c:172
> #5  0x000055b9f215aa67 in km_dokey (menu=2) at keymap.c:474
> #6  0x000055b9f2161e90 in mutt_menuLoop (menu=0x55b9f2e3c7f0) at menu.c:1095
> #7  0x000055b9f213260f in mutt_compose_menu (sctx=sctx@entry=0x55b9f2aa3f10)
> at compose.c:1103
> #8  0x000055b9f218be39 in send_message_resume_compose_menu
> (sctx=sctx@entry=0x55b9f2aa3f10) at send.c:2412
> #9  0x000055b9f218c865 in mutt_send_message_resume
> (psctx=psctx@entry=0x7ffefcf33160) at send.c:2752
> #10 0x000055b9f218c99a in mutt_send_message (flags=flags@entry=49152,
> msg=msg@entry=0x0, tempfile=tempfile@entry=0x0, ctx=0x55b9f2ab8650,
> cur=cur@entry=0x0)
>     at send.c:2822
> #11 0x000055b9f2140c3d in mutt_index_menu () at curs_main.c:2503
> #12 0x000055b9f215d3ad in main (argc=1, argv=<optimized out>,
> environ=<optimized out>) at main.c:1112

That looks like a crash in the UI rather than mail parsing issues similar to what the patches fix, I think. I guess you've hit a UI bug, but I'm not sure if it's security-relevant (i.e. triggerable by an attacker).