From ${URL} : Good morning, Jakub Wilk reported a crash in mutt: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125 Looking in mutt-1.5.23-2.fc20.x86_64: char *mutt_substrdup (const char *begin, const char *end) { size_t len; char *p; if (end) len = end - begin; else len = strlen (begin); p = safe_malloc (len + 1); memcpy (p, begin, len); p[len] = 0; return p; } "end" can be less than "begin", and in this case -1 tries to be stored in the unsigned int len. The safe_malloc will therefore be called with "0" (due to the +1), and then the following memcpy will use the huge len. (gdb) b mutt_substrdup Breakpoint 1 at 0x46daf0: file lib.c, line 814. (gdb) c Continuing. Breakpoint 1, mutt_substrdup ( begin=begin@...ry=0xe4b630 "From jwilk@...lk.net Wed Nov 26 18:01:22 2014\nFrom:\n\rI\n", end=end@...ry=0xe4b65e "From:\n\rI\n") at lib.c:814 814 { (gdb) c Continuing. Breakpoint 1, mutt_substrdup (begin=begin@...ry=0xe4b65e "From:\n\rI\n", end=end@...ry=0xe4b662 ":\n\rI\n") at lib.c:814 814 { (gdb) c Continuing. Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n", end=end@...ry=0xe4b664 "\rI\n") at lib.c:814 814 { (gdb) x/s begin 0xe4b665: "I\n" (gdb) x/s end 0xe4b664: "\rI\n" (gdb) n 818 if (end) (gdb) n 819 len = end - begin; (gdb) n 823 p = safe_malloc (len + 1); (gdb) p len $1 = 18446744073709551615 (gdb) p len + 1 $2 = 0 We haven't looked yet where the overlap occurs, nor have a patch yet. I did have to put "set weed=off" in .muttrc for the issue to present. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
http://dev.mutt.org/trac/ticket/3716
CVE-2014-9116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9116): The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function.
http://dev.mutt.org/trac/changeset/0aebf1df4359 Fix should be in 1.5.23-r5
(In reply to Fabian Groffen from comment #3) > http://dev.mutt.org/trac/changeset/0aebf1df4359 > > Fix should be in 1.5.23-r5 Thanks! Is that version ready for stabilization?
Let me test it for a couple more days, but I don't expect major issues.
-r5 seems ok to me
Arches, please test and mark stable: =mail-client/mutt-1.5.23-r5 Target Keywords : "alpha amd64 hppa ia64 ppc ppc64 spark x86" Thank you!
Stable for HPPA.
x86 done
amd64 stable
ia64 stable
ppc stable
ppc64 stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Maintainer(s), Thank you for you for cleanup. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), Thank you for you for cleanup.
This issue was resolved and addressed in GLSA 201701-04 at https://security.gentoo.org/glsa/201701-04 by GLSA coordinator Thomas Deutschmann (whissi).
