Bug 138125 - mail-client/mutt: IMAP Buffer Overflow (CVE-2006-3242)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/20810/
Whiteboard: A2 [glsa] hlieberman
Reported: 2006-06-26 17:01 UTC by Harlan Lieberman-Berg (RETIRED)
Modified: 2019-12-25 20:03 UTC
Description Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-06-26 17:01:06 UTC
Takahashi Tamotsu discovered a buffer overflow that can cause a DoS, and possibly arbitrary code execution with the privs. of the user running mutt.  Note that a user must visit a malicious IMAP server in order to be affected by this. 

Vulnerable in: =<1.4.2.1
Unaffected in: CVS
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-06-26 17:08:41 UTC
Fixed Severity -- Sorry 'bout that.
Comment 2 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-06-26 17:19:14 UTC
Though we appear to be out of the affected version range, Falco believes that we are still vulnerable. 

Herd, can you run a sanity check on this one?
Comment 3 Fernando J. Pereda (RETIRED) gentoo-dev 2006-06-27 03:23:41 UTC
I patched imap/browse.c in our ebuild and added it as mutt-1.5.11-r2

- ferdy
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-27 03:52:07 UTC
Thanks ferdy

hi arches, please mark 1.5.11-r2 as stable, thank you
Comment 5 Paul Taylor 2006-06-27 05:03:37 UTC
Hi ferdy,

Is there any reason why mutt isn't using autoconf-2.60?  I can't install the new ebuild because it requires a downgrade of autoconf to 2.59-r7, resulting in dependency ping-pong.  (maildrop is another package still using 2.59.)

Cheers,
Comment 6 Fabian Groffen gentoo-dev 2006-06-27 05:07:37 UTC
Probably because otherwise ppc-macos cannot compile any more.  I don't know if a >= is possible.
Comment 7 Paul Taylor 2006-06-27 05:16:01 UTC
(In reply to comment #6)
> Probably because otherwise ppc-macos cannot compile any more.  I don't know if
> a >= is possible.

Works for me (x86.)
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2006-06-27 06:27:24 UTC
Because I forgot to remove those dependencies, sorry. Should work now. (worked for me in alpha and x86 at least).

I just committed a new version of -r2 without explicit dependencies and without WANT_AUTOCONF.

- ferdy
Comment 9 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-06-27 08:56:49 UTC
ppc stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-06-27 09:12:28 UTC
stable on ppc64
Comment 11 Fabian Groffen gentoo-dev 2006-06-27 10:03:24 UTC
ppc-macos done.  I also ported the patch to muttng and included the patch there.  muttng-20060619-r1 has the patch included.
Comment 12 Chris Gianelloni (RETIRED) gentoo-dev 2006-06-27 10:30:50 UTC
x86 done... if we're supposed to do something with muttng, add us back
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2006-06-27 11:53:37 UTC
stable on hppa
Comment 14 Fernando J. Pereda (RETIRED) gentoo-dev 2006-06-27 12:03:56 UTC
Alpha done.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-27 12:35:14 UTC
sparc stable.
Comment 16 Luis Medinas (RETIRED) gentoo-dev 2006-06-27 19:41:56 UTC
amd64 stable
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-28 03:06:51 UTC
This was fast, thanks.

Let's go for the GLSA
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-28 11:49:17 UTC
Updated CVE info.
Comment 19 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-06-28 13:38:42 UTC
GLSA 200606-27 committed. Good job everyone.

http://www.gentoo.org/security/en/glsa/glsa-200606-27.xml
Comment 20 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-06-28 13:39:29 UTC
&nsbp;
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-28 21:55:05 UTC
Harlan, please don't close security bugs :-)

Mail is finally out on announce.

GLSA 200606-27

mips, ia64: don't forget to mark stable to benefit from the GLSA.