mutt: Buffer overflow in handler.c possibly allows code execution by maliciously crafted email
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mutt (Debian) | Fix Released | Unknown | | |
| mutt (Ubuntu) | Invalid | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #323956 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Fri, 19 Aug 2005 15:03:28 +0200
From: Daniel Leidert <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mutt: Buffer overflow in handler.c possibly allows code execution by
maliciously crafted email
Package: mutt
Version: 1.5.10-1
Severity: grave
This report was posted on full-disclosure. Please have a look at
http://
for more info.
Regards, Daniel
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (850, 'unstable'), (700, 'testing'), (500, 'oldstable'), (500, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.03050816
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=
Versions of packages mutt depends on:
ii exim [mail-transport
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libdb4.3 4.3.28-3 Berkeley v4.3 Database Libraries [
ii libgnutls11 1.0.16-13.1 GNU TLS library - runtime library
ii libidn11 0.5.18-1 GNU libidn library, implementation
ii libncursesw5 5.4-9 Shared libraries for terminal hand
ii libsasl2 2.1.19-1.5 Authentication abstraction library
Versions of packages mutt recommends:
ii locales 2.3.5-3 GNU C Library: National Language (
ii mime-support 3.35-1 MIME files 'mime.types' & 'mailcap
-- no debconf information
In Debian Bug tracker #323956, Robert Millan (rmh-aybabtu-com) wrote : tags | #3 |
tags 323956 security
thanks
--
Robert Millan
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <20050820084902
Date: Sat, 20 Aug 2005 10:49:02 +0200
From: Robert Millan <email address hidden>
To: <email address hidden>
Subject: tags
Daniel Robitaille (robitaille) wrote : | #5 |
This was also filled as Mutt's bug #8765 in http://
Martin Pitt (pitti) wrote : | #6 |
Apparently this does not affect mutt in general, but only with some third party
patches. The exploit does not do anything on Ubuntu's mutt. So it is not really
urgent, but I'm leaving this open until this has been investigated more thoroughly.
In Debian Bug tracker #323956, Joey Hess (joeyh) wrote : CVE assignment | #7 |
This hole has been assigned CAN-2005-2642, so please mention that in the
changelog when fixing.
--
see shy jo
Martin Pitt (pitti) wrote : | #8 |
The bug actually was in OpenBSD's libc and does not have anything to do with
mutt itself.
In Debian Bug tracker #323956, ldoolitt (ldoolitt) wrote : doesn't reproduce on my debian box | #9 |
I read the full-disclosure post, and its reply.
http://
Two example mailboxes are given (one in each post),
and it is suggested that the problem is triggered
by a library runtime version mismatch.
I tried both examples on
debian sid x86_64, mutt 1.5.10-1
debian sarge x86, mutt 1.5.9-2
All four combinations (two mailboxes, two debian systems)
ran normally, no crashes or any other unusual behavior.
So this might not apply to debian at all.
- Larry
In Debian Bug tracker #323956, Michelle Konzack (linux4michelle) wrote : Re: Bug#323956: doesn't reproduce on my debian box | #10 |
On 2005-08-26 16:28:38, Larry Doolittle wrote:
> I read the full-disclosure post, and its reply.
> http://
> Two example mailboxes are given (one in each post),
> and it is suggested that the problem is triggered
> by a library runtime version mismatch.
>
> I tried both examples on
> debian sid x86_64, mutt 1.5.10-1
> debian sarge x86, mutt 1.5.9-2
> All four combinations (two mailboxes, two debian systems)
> ran normally, no crashes or any other unusual behavior.
> So this might not apply to debian at all.
I can confirm this too
It does not affect Debian, but Mandrake and Redhat... :-)
> - Larry
Greetings
Michelle
--
Linux-User #280138 with the Linux Counter, http://
Michelle Konzack Apt. 917 ICQ #328449886
0033/3/88452356 67100 Strasbourg/France IRC #Debian (irc.icq.com)
In Debian Bug tracker #323956, Florian Weimer (fw) wrote : | #11 |
* Michelle Konzack:
>> I tried both examples on
>> debian sid x86_64, mutt 1.5.10-1
>> debian sarge x86, mutt 1.5.9-2
>> All four combinations (two mailboxes, two debian systems)
>> ran normally, no crashes or any other unusual behavior.
>> So this might not apply to debian at all.
>
> I can confirm this too
> It does not affect Debian, but Mandrake and Redhat... :-)
How have you determined this?
Can you rule out that it's not reproducible with some other charset?
In Debian Bug tracker #323956, ldoolitt (ldoolitt) wrote : | #12 |
I summarized my "research" with:
> [T]his might not apply to debian at all.
Michelle Konzack chimed in with:
> It does not affect Debian, but Mandrake and Redhat... :-)
Florian Weimer asked:
> Can you rule out that it's not reproducible with some other charset?
I can't rule anything out. If I understand the bug reports
and examples correctly, the charset in question is the one
specified in the e-mail header, and is therefore part of
the example mbox files. The only technical discussion I
can find on-line is on the mutt mailing list:
http://
and that faded away without resolution a month ago. There
is no (current & relevant) activity regarding handler.c
in the mutt CVS tree. Tamotsu's patch has been ignored.
So this still looks to me like a non-bug for Debian.
If the mutt developers don't understand and can't reproduce
it, I'm reluctant to spend much effort on the Debian side.
If Michelle has personally confirmed it affects Mandrake and
Redhat, maybe (s)he can use one of those systems to try the
test program posted by Thomas Roessler at
http://
For the record, my debian sid system gives the result
rv = 0, errno = 0 (?)
'AAAAAAAAAAAAAA
- Larry
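The thread turns on whether the charset named in the message header, which is attacker-controlled, can make the C library's conversion routine write past the buffer mutt's handler.c hands it. Thomas Roessler's test program is not reproduced on this page (only its "rv = 0, errno = 0" output is quoted). As an added example, and not mutt's code nor Roessler's test, the following C program shows the defensive shape such a check takes: the charset name is validated before it reaches iconv_open(3), the conversion is given a hard output bound with a reserved NUL byte, every iconv(3) failure mode (unknown charset, E2BIG, EILSEQ/EINVAL) is mapped to a distinct return code, and a guard region of 'A' bytes after the buffer is inspected afterwards so that any overrun would be detected rather than silently corrupt memory. The function names (`charset_name_ok`, `convert_bounded`, `guard_intact`) and the sample inputs are my own constructions.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <string.h>

/* Result codes for convert_bounded(); constructed for this example. */
enum { CONV_OK = 0, CONV_BAD_NAME = -1, CONV_UNKNOWN_CHARSET = -2,
       CONV_TRUNCATED = -3, CONV_INVALID_INPUT = -4 };

/* Accept only a conservative subset of the characters RFC 2978 permits in
 * a charset name, and cap its length, so that a header such as
 *   Content-Type: text/plain; charset="<anything>"
 * cannot hand an arbitrary string to the C library's converter. */
int charset_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 40)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(c >= '0' && c <= '9') && !(c >= 'A' && c <= 'Z') &&
            !(c >= 'a' && c <= 'z') && strchr("-_.:+", c) == NULL)
            return 0;
    }
    return 1;
}

/* Convert `inlen` bytes of `in` (encoded in charset `from`) to UTF-8 into
 * `out`, which holds `outsize` bytes. Never writes beyond out[outsize-1]
 * and always NUL-terminates. Returns one of the CONV_* codes. */
int convert_bounded(const char *from, const char *in, size_t inlen,
                    char *out, size_t outsize)
{
    if (outsize == 0)
        return CONV_TRUNCATED;
    out[0] = '\0';
    if (!charset_name_ok(from))
        return CONV_BAD_NAME;

    iconv_t cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1)
        return CONV_UNKNOWN_CHARSET;   /* iconv_open sets errno = EINVAL */

    char *inp = (char *)in;            /* iconv(3) takes char ** on Linux */
    char *outp = out;
    size_t inleft = inlen;
    size_t outleft = outsize - 1;      /* reserve one byte for the NUL */
    int rc = CONV_OK;

    if (iconv(cd, &inp, &inleft, &outp, &outleft) == (size_t)-1)
        rc = (errno == E2BIG) ? CONV_TRUNCATED : CONV_INVALID_INPUT;
    /* Flush any shift state (a no-op for a UTF-8 target, kept for correctness). */
    if (rc == CONV_OK && iconv(cd, NULL, NULL, &outp, &outleft) == (size_t)-1)
        rc = CONV_TRUNCATED;

    *outp = '\0';                      /* outp <= out + outsize - 1 by construction */
    iconv_close(cd);
    return rc;
}

#define OUTSZ 16
#define GUARD 8

/* Run one conversion into a buffer followed by GUARD bytes of 'A' and
 * report whether the guard survived: 1 = nothing written past the buffer,
 * 0 = the overrun the report alleges. The CONV_* code goes to *rc_out. */
int guard_intact(const char *from, const char *in, size_t inlen, int *rc_out)
{
    char buf[OUTSZ + GUARD];
    memset(buf, 'A', sizeof buf);
    *rc_out = convert_bounded(from, in, inlen, buf, OUTSZ);
    for (size_t i = OUTSZ; i < sizeof buf; i++)
        if (buf[i] != 'A')
            return 0;
    return 1;
}

int main(void)
{
    int rc, ok;
    /* Constructed sample: 30 bytes claiming UTF-8 into a 16-byte buffer. */
    ok = guard_intact("UTF-8", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 30, &rc);
    printf("oversized body: rc = %d, guard intact = %d\n", rc, ok);
    /* Constructed sample: a charset name no libc knows. */
    ok = guard_intact("X-NOT-A-CHARSET", "hello", 5, &rc);
    printf("unknown charset: rc = %d, guard intact = %d\n", rc, ok);
    /* Constructed sample: a name with characters that are never valid. */
    ok = guard_intact("utf 8; evil", "hello", 5, &rc);
    printf("malformed name: rc = %d, guard intact = %d\n", rc, ok);
    return 0;
}
```

A mismatch between the libc the program was built against and the one it runs with, the hypothesis raised in the full-disclosure thread, would show up here as a guard that is no longer all 'A', or as a return code that disagrees with the input, without needing a crash to notice it.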
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 16:54:13 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CVE assignment
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <20050826232838
Date: Fri, 26 Aug 2005 16:28:38 -0700
From: Larry Doolittle <email address hidden>
To: <email address hidden>
Subject: doesn't reproduce on my debian box
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Sat, 27 Aug 2005 04:01:28 +0200
From: Michelle Konzack <email address hidden>
To: Larry Doolittle <email address hidden>,
<email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Sun, 18 Sep 2005 14:14:59 +0200
From: Florian Weimer <email address hidden>
To: Michelle Konzack <email address hidden>
Cc: <email address hidden>, Larry Doolittle <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <20050919161300
Date: Mon, 19 Sep 2005 09:13:00 -0700
From: Larry Doolittle <email address hidden>
To: <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box
In Debian Bug tracker #323956, Michelle Konzack (linux4michelle) wrote : | #18 |
I do not know whether I have already responded to you...
On 2005-09-18 14:14:59, Florian Weimer wrote:
> * Michelle Konzack:
> > I can confirm this too
> > It does not affect Debian, but Mandrake and Redhat... :-)
>
> How have you determined this?
>
> Can you rule out that it's not reproducible with some other charset?
Because my Workstation is Multi-User/Lang I have:
ar_MA ar_MA.utf8
de_DE@euro de_DE.utf8
el_GR el_GR.utf8
en_GB en_GB.utf8
en_US
es_ES@euro es_ES.utf8
fr_FR@euro fr_FR.utf8
tr_TR tr_TR.utf8
I have found no problems currently.
Greetings
Michelle
--
Linux-User #280138 with the Linux Counter, http://
Michelle Konzack Apt. 917 ICQ #328449886
0033/3/88452356 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Sat, 15 Oct 2005 16:23:52 +0200
From: Michelle Konzack <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box
In Debian Bug tracker #323956, Frank Lichtenheld (djpig) wrote : tagging 323956 | #20 |
# Automatically generated email from bts, devscripts version 2.9.7
# let the further handling of the bug to the maintainer but reflect the current state of the discussion
tags 323956 unreproducible
Debian Bug Importer (debzilla) wrote : | #21 |
Message-Id: <email address hidden>
Date: Sat, 29 Oct 2005 01:44:37 +0200
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 323956
In Debian Bug tracker #323956, Dato Simó (dato) wrote : Let's close this bug | #22 |
close 323956
thanks
(Way to go about forgetting RC bugs and not noticing mutt not
migrating to testing but occasionally, to forget it the next day.)
So I'm closing this bug. Neither upstream, nor me, nor other people who
mailed this bug, have been able to reproduce the crash, and I have not
heard of it being successfully obtained on any glibc based system. I
am not really willing to keep this bug open at grave severity when
people repeatedly fail to reproduce it. Upstream sees no problem, if
somebody does, I'll be delighted (well, sort of) to see you come by
with a proof that an exploitable bug is really hiding there.
Cheers,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
As scarce as truth is, the supply has always been in excess of the demand.
-- Josh Billings
Debian Bug Importer (debzilla) wrote : | #23 |
Message-ID: <email address hidden>
Date: Fri, 25 Nov 2005 02:02:00 +0100
From: Adeodato =?utf-8?
To: <email address hidden>
Cc: <email address hidden>
Subject: Let's close this bug
In Debian Bug tracker #323956, Daniel Leidert (dleidert-deactivatedaccount) wrote : change my mail address | #24 |
# daniel.
submitter 364535 !
submitter 364837 !
submitter 304084 !
submitter 348680 !
submitter 390783 !
submitter 346316 !
submitter 383495 !
submitter 362066 !
submitter 385670 !
submitter 320210 !
submitter 334536 !
submitter 334537 !
submitter 340993 !
submitter 357066 !
submitter 358693 !
submitter 363326 !
submitter 386492 !
submitter 374836 !
submitter 315085 !
submitter 368557 !
submitter 373770 !
submitter 366282 !
submitter 357038 !
submitter 316402 !
submitter 319102 !
submitter 323956 !
submitter 341789 !
submitter 343251 !
submitter 348598 !
submitter 358071 !
submitter 358368 !
submitter 364758 !
submitter 364810 !
submitter 373643 !
submitter 374222 !
submitter 374225 !
submitter 376223 !
submitter 380231 !
submitter 380423 !
submitter 388336 !
submitter 388345 !
submitter 388346 !
submitter 368407 !
submitter 316401 !
submitter 316462 !
submitter 319224 !
submitter 328100 !
submitter 328449 !
submitter 328883 !
submitter 333182 !
submitter 333433 !
submitter 334784 !
submitter 336674 !
submitter 360939 !
submitter 365727 !
submitter 367368 !
submitter 368960 !
submitter 378239 !
submitter 383267 !
submitter 314494 !
submitter 315822 !
submitter 317150 !
submitter 336831 !
submitter 339938 !
submitter 345713 !
submitter 348094 !
submitter 353503 !
submitter 360859 !
submitter 361540 !
submitter 362251 !
submitter 362679 !
submitter 362681 !
submitter 365433 !
submitter 366248 !
submitter 372314 !
submitter 376267 !
submitter 385915 !
submitter 387064 !
submitter 317352 !
submitter 318163 !
submitter 343932 !
submitter 352634 !
submitter 353557 !
submitter 355055 !
submitter 362065 !
submitter 364534 !
submitter 364536 !
submitter 367001 !
submitter 369014 !
submitter 383463 !
submitter 313611 !
submitter 313614 !
submitter 317472 !
submitter 317931 !
submitter 324620 !
submitter 335523 !
submitter 338996 !
submitter 341553 !
submitter 342189 !
submitter 348458 !
submitter 365246 !
submitter 366239 !
submitter 367694 !
submitter 369007 !
submitter 370683 !
submitter 381062 !
submitter 383408 !
submitter 389642 !
# daniel.
submitter 286559 !
submitter 286868 !
thanks
Automatically imported from Debian bug report #323956 http://bugs.debian.org/323956