Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 765790 (CVE-2021-3181)

Summary: <mail-client/mutt-2.0.4-r1: Serious memory leak (CVE-2021-3181)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: grobian, hlein
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2021/01/17/2
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-17 19:47:39 UTC 
"Hello, I noticed mutt was leaking memory whenever I opened a particular
mailbox. I tracked down the problem: Using rfc822 groups without the madatory
labels wasn't being parsed properly.

https://tools.ietf.org/html/rfc822#section-6.2.6

(A spammer had just put some junk in there, they weren't deliberately using
exotic addressing schemes.. haha).

It turns out that you can send a small message that leaks a *lot* of memory. A
small message can leak GBs of memory, effectively preventing you from opening
your mailbox. You would need to use a different mail client to clean up the
malformed message before you can use mutt again.

I sent this upstream as a DoS, but they don't want to treat it as a security
isssue. I though I'd just send a FYI here instead in case anyone wants to
backport the patch.

Here's the bug with a repro: https://gitlab.com/muttmua/mutt/-/issues/323

Here's the patch:

https://gitlab.com/muttmua/mutt/-/commit/c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545

Tavis."
Comment 1 Hank Leininger 2021-01-17 19:52:08 UTC 
Upstream issue 323 now 404's, perhaps it has been marked private while being worked on, or something.

Upstream branch working on fixes: https://gitlab.com/muttmua/mutt/-/commits/kevin/323-groupaddr-memleak
Comment 2 Larry the Git Cow gentoo-dev 2021-01-18 08:48:54 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ae82eca030da3e91b708e4ede77ddb349b15167

commit 9ae82eca030da3e91b708e4ede77ddb349b15167
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-18 08:46:51 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-18 08:48:51 +0000

    mail-client/mutt-2.0.4-r1: revbump with patch for #765790
    
    Bug: https://bugs.gentoo.org/765790
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                          |   4 +-
 .../{mutt-2.0.3.ebuild => mutt-2.0.4-r1.ebuild}    |   2 +-
 mail-client/mutt/mutt-2.0.4.ebuild                 | 265 ---------------------
 3 files changed, 2 insertions(+), 269 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 16:25:23 UTC 
Thank you! Please stabilize when ready.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 02:03:26 UTC 
(In reply to John Helmert III (ajak) from comment #3)
> Thank you! Please stabilize when ready.

2.0.5 is released with the fix if you think that will be a better stabilization candidate, grobian.
Comment 5 Fabian Groffen gentoo-dev 2021-01-22 07:26:40 UTC 
There is four commits in 2.0.5 that are new since 2.0.4, one of them the exact same as the patch I added to 2.0.4-r1.  Two being other memleak fixes, that look sane enough from a glance, one fix regarding colours.

I don't think it's worth the risk, let's stabilise 2.0.4-r1 today.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 21:53:49 UTC 
(In reply to Fabian Groffen from comment #5)
> There is four commits in 2.0.5 that are new since 2.0.4, one of them the
> exact same as the patch I added to 2.0.4-r1.  Two being other memleak fixes,
> that look sane enough from a glance, one fix regarding colours.
> 
> I don't think it's worth the risk, let's stabilise 2.0.4-r1 today.

Sounds good.
Comment 7 Agostino Sarubbo gentoo-dev 2021-01-24 11:59:13 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-01-24 12:11:53 UTC 
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 20:06:17 UTC 
sparc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:51:35 UTC 
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 22:04:08 UTC 
ppc64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 22:04:18 UTC 
ppc done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 22:04:47 UTC 
Please cleanup, thanks!
Comment 14 Larry the Git Cow gentoo-dev 2021-01-25 07:26:08 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15194e17ea34e171a45a9014a6d868e505108c32

commit 15194e17ea34e171a45a9014a6d868e505108c32
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-25 07:25:17 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-25 07:25:17 +0000

    mail-client/mutt-2.0.2: cleanup vulnerable version
    
    Bug: https://bugs.gentoo.org/765790
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest          |   2 -
 mail-client/mutt/mutt-2.0.2.ebuild | 265 -------------------------------------
 2 files changed, 267 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:21 UTC 
This issue was resolved and addressed in
 GLSA 202101-25 at https://security.gentoo.org/glsa/202101-25
by GLSA coordinator Sam James (sam_c).