Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 530842 (CVE-2014-9116) - <mail-client/mutt-1.5.23-r5: heap-based buffer overflow in mutt_substrdup() (CVE-2014-9116)
Summary: <mail-client/mutt-1.5.23-r5: heap-based buffer overflow in mutt_substrdup() (...
Status: RESOLVED FIXED
Alias: CVE-2014-9116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-27 10:37 UTC by Agostino Sarubbo
Modified: 2017-01-01 15:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-27 10:37:37 UTC
From ${URL} :

Good morning,

Jakub Wilk reported a crash in mutt:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

Looking in mutt-1.5.23-2.fc20.x86_64:

char *mutt_substrdup (const char *begin, const char *end)
{
   size_t len;
   char *p;

   if (end)
     len = end - begin;
   else
     len = strlen (begin);

   p = safe_malloc (len + 1);
   memcpy (p, begin, len);
   p[len] = 0;
   return p;
}

"end" can be less than "begin", and in this case -1 tries to be stored 
in the unsigned int len. The safe_malloc will therefore be called with 
"0" (due to the +1), and then the following memcpy will use the huge len.

(gdb) b mutt_substrdup
Breakpoint 1 at 0x46daf0: file lib.c, line 814.
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (
     begin=begin@...ry=0xe4b630 "From jwilk@...lk.net Wed Nov 26 
18:01:22 2014\nFrom:\n\rI\n",
     end=end@...ry=0xe4b65e "From:\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=begin@...ry=0xe4b65e "From:\n\rI\n",
     end=end@...ry=0xe4b662 ":\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n", 
end=end@...ry=0xe4b664 "\rI\n") at lib.c:814
814     {
(gdb) x/s begin
0xe4b665:       "I\n"
(gdb) x/s end
0xe4b664:       "\rI\n"
(gdb) n
818       if (end)
(gdb) n
819         len = end - begin;
(gdb) n
823       p = safe_malloc (len + 1);
(gdb) p len
$1 = 18446744073709551615
(gdb) p len + 1
$2 = 0

We haven't looked yet where the overlap occurs, nor have a patch yet.

I did have to put "set weed=off" in .muttrc for the issue to present.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Fabian Groffen gentoo-dev 2014-11-28 08:31:01 UTC
http://dev.mutt.org/trac/ticket/3716
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 13:50:54 UTC
CVE-2014-9116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9116):
  The write_one_header function in mutt 1.5.23 does not properly handle
  newline characters at the beginning of a header, which allows remote
  attackers to cause a denial of service (crash) via a header with an empty
  body, which triggers a heap-based buffer overflow in the mutt_substrdup
  function.
Comment 3 Fabian Groffen gentoo-dev 2015-01-10 20:42:22 UTC
http://dev.mutt.org/trac/changeset/0aebf1df4359

Fix should be in 1.5.23-r5
Comment 4 Sean Amoss gentoo-dev Security 2015-01-11 21:45:34 UTC
(In reply to Fabian Groffen from comment #3)
> http://dev.mutt.org/trac/changeset/0aebf1df4359
> 
> Fix should be in 1.5.23-r5

Thanks! Is that version ready for stabilization?
Comment 5 Fabian Groffen gentoo-dev 2015-01-12 09:17:36 UTC
Let me test it for a couple more days, but I don't expect major issues.
Comment 6 Fabian Groffen gentoo-dev 2015-01-25 18:26:12 UTC
-r5 seems ok to me
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-21 19:28:20 UTC
Arches, please test and mark stable:

=mail-client/mutt-1.5.23-r5

Target Keywords : "alpha amd64 hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 8 Jeroen Roovers gentoo-dev 2015-02-22 08:32:54 UTC
Stable for HPPA.
Comment 9 Andreas Schürch gentoo-dev 2015-02-23 20:16:35 UTC
x86 done
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-24 09:39:11 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-03-25 16:07:28 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-03-26 11:21:55 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-03-26 11:29:03 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-03-30 09:50:39 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-03-30 10:03:23 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-22 21:01:42 UTC
Maintainer(s), Thank you for you for cleanup.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-13 22:25:27 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 15:08:12 UTC
This issue was resolved and addressed in
 GLSA 201701-04 at https://security.gentoo.org/glsa/201701-04
by GLSA coordinator Thomas Deutschmann (whissi).