mutt: Buffer overflow in handler.c possibly allows code execution by maliciously crafted email

Bug #20055 reported by Debian Bug Importer
Affects        Status        Importance  Assigned to  Milestone
mutt (Debian)  Fix Released  Unknown
mutt (Ubuntu)                High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #323956 http://bugs.debian.org/323956

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #323956 http://bugs.debian.org/323956

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 19 Aug 2005 15:03:28 +0200
From: Daniel Leidert <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mutt: Buffer overflow in handler.c possibly allows code execution by maliciously crafted email

Package: mutt
Version: 1.5.10-1
Severity: grave


This report was posted on full-disclosure. Please have a look at
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0594.html
for more info.

Regards, Daniel

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (500, 'oldstable'), (500, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.03050816
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages mutt depends on:
ii exim [mail-transport-agent] 3.36-17 An MTA (Mail Transport Agent)
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libdb4.3 4.3.28-3 Berkeley v4.3 Database Libraries [
ii libgnutls11 1.0.16-13.1 GNU TLS library - runtime library
ii libidn11 0.5.18-1 GNU libidn library, implementation
ii libncursesw5 5.4-9 Shared libraries for terminal hand
ii libsasl2 2.1.19-1.5 Authentication abstraction library

Versions of packages mutt recommends:
ii locales 2.3.5-3 GNU C Library: National Language (
ii mime-support 3.35-1 MIME files 'mime.types' & 'mailcap

-- no debconf information


In , Robert Millan (rmh-aybabtu-com) wrote : tags

tags 323956 security
thanks

--
Robert Millan

Debian Bug Importer (debzilla) wrote :

Message-ID: <20050820084902.GA5175@aragorn>
Date: Sat, 20 Aug 2005 10:49:02 +0200
From: Robert Millan <email address hidden>
To: <email address hidden>
Subject: tags

tags 323956 security
thanks

--
Robert Millan

Daniel Robitaille (robitaille) wrote :

This was also filed as Mutt's bug #8765 in http://bugs.mutt.org/

Martin Pitt (pitti) wrote :

Apparently this does not affect mutt in general, but only with some third party
patches. The exploit does not do anything on Ubuntu's mutt. So it is not really
urgent, but I'm leaving this open until this has been investigated more thoroughly.

In , Joey Hess (joeyh) wrote : CVE assignment

This hole has been assigned CAN-2005-2642, so please mention that in the
changelog when fixing.

--
see shy jo

Martin Pitt (pitti) wrote :

The bug actually was in OpenBSD's libc and does not have anything to do with
mutt itself.

In , ldoolitt (ldoolitt) wrote : doesn't reproduce on my debian box

I read the full-disclosure post, and its reply.
  http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0600.html
Two example mailboxes are given (one in each post),
and it is suggested that the problem is triggered
by a library runtime version mismatch.

I tried both examples on
 debian sid x86_64, mutt 1.5.10-1
 debian sarge x86, mutt 1.5.9-2
All four combinations (two mailboxes, two debian systems)
ran normally, no crashes or any other unusual behavior.
So this might not apply to debian at all.

    - Larry

In , Michelle Konzack (linux4michelle) wrote : Re: Bug#323956: doesn't reproduce on my debian box

On 2005-08-26 16:28:38, Larry Doolittle wrote:
> I read the full-disclosure post, and its reply.
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0600.html
> Two example mailboxes are given (one in each post),
> and it is suggested that the problem is triggered
> by a library runtime version mismatch.
>
> I tried both examples on
> debian sid x86_64, mutt 1.5.10-1
> debian sarge x86, mutt 1.5.9-2
> All four combinations (two mailboxes, two debian systems)
> ran normally, no crashes or any other unusual behavior.
> So this might not apply to debian at all.

I can confirm this too.
It does not affect Debian, but Mandrake and Redhat... :-)

> - Larry

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917                 ICQ #328449886
                   50, rue de Soultz        MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France  IRC #Debian (irc.icq.com)

In , Florian Weimer (fw) wrote :

* Michelle Konzack:

>> I tried both examples on
>> debian sid x86_64, mutt 1.5.10-1
>> debian sarge x86, mutt 1.5.9-2
>> All four combinations (two mailboxes, two debian systems)
>> ran normally, no crashes or any other unusual behavior.
>> So this might not apply to debian at all.
>
> I can confirm this too
> It does not affect Debian, but Mandrake and Redhat... :-)

How have you determined this?

Can you rule out that it's not reproducible with some other charset?

In , ldoolitt (ldoolitt) wrote :

I summarized my "research" with:
> [T]his might not apply to debian at all.

Michelle Konzack chimed in with:
> It does not affect Debian, but Mandrake and Redhat... :-)

Florian Weimer asked:
> Can you rule out that it's not reproducible with some other charset?

I can't rule anything out. If I understand the bug reports
and examples correctly, the charset in question is the one
specified in the e-mail header, and is therefore part of
the example mbox files. The only technical discussion I
can find on-line is on the mutt mailing list:
  http://comments.gmane.org/gmane.mail.mutt.devel/8379
and that faded away without resolution a month ago. There
is no (current & relevant) activity regarding handler.c
in the mutt CVS tree. Tamotsu's patch has been ignored.

So this still looks to me like a non-bug for Debian.
If the mutt developers don't understand and can't reproduce
it, I'm reluctant to spend much effort on the Debian side.

If Michelle has personally confirmed it affects Mandrake and
Redhat, maybe (s)he can use one of those systems to try the
test program posted by Thomas Roessler at
  http://permalink.gmane.org/gmane.mail.mutt.devel/8383
For the record, my debian sid system gives the result
rv = 0, errno = 0 (?)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*'

      - Larry
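Thomas Roessler's test program is linked above but not reproduced on this page, so the harness below is an added example (mine; not the page's, not mutt's and not Roessler's program) of how a bounded charset-conversion check of the kind Larry quotes can be written. The output buffer is prefilled with 'A', a '*' sentinel is stored just past the size handed to iconv(3), and the report prints rv, errno and the raw buffer. An intact sentinel with rv = 0, errno = 0 is the healthy result Larry saw on sid; an overwritten sentinel would mean the converter ignored the size it was given, which is the defect a mismatched libc/iconv runtime (the cause the full-disclosure reply suspected) would show. The loop over several target charsets follows Florian's point that a different charset might still trigger it. OUT_CAP, the sample inputs and the list of charsets are my assumptions; charset pairs the system cannot open are skipped.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 16        /* output bytes the converter is told it may use (assumed) */
#define GUARD   '*'       /* sentinel byte stored immediately after them */

/* Outcome of one bounded conversion. */
struct conv_result {
    int    rv;        /* iconv(3) result: -1 if it stopped, else irreversible count */
    int    err;       /* errno when rv == -1 (E2BIG, EILSEQ, EINVAL), else 0 */
    size_t written;   /* bytes the converter placed inside the allowed region */
    int    guard_ok;  /* 1 if the sentinel survived, 0 if it was overwritten */
};

/* Convert `in` from charset `from` to charset `to`.  The output buffer has
 * OUT_CAP + 1 bytes: OUT_CAP filled with 'A' and offered to iconv(), plus
 * one GUARD byte the converter is never told about.  If GUARD changes, the
 * converter wrote beyond the size it was given.  Returns 0 when a
 * conversion was attempted, -1 if this system cannot open the charset
 * pair (the result struct is then not filled in). */
int checked_convert(const char *from, const char *to, const char *in,
                    char out[OUT_CAP + 1], struct conv_result *res)
{
    memset(out, 'A', OUT_CAP);
    out[OUT_CAP] = GUARD;

    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1)
        return -1;

    char  *inp     = (char *)in;   /* glibc's iconv() takes char **, not const */
    size_t inleft  = strlen(in);
    char  *outp    = out;
    size_t outleft = OUT_CAP;      /* deliberately excludes the guard byte */

    errno = 0;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    res->rv       = (rc == (size_t)-1) ? -1 : (int)rc;
    res->err      = (rc == (size_t)-1) ? errno : 0;
    res->written  = OUT_CAP - outleft;
    res->guard_ok = (out[OUT_CAP] == GUARD);

    iconv_close(cd);
    return 0;
}

/* Report the same three facts Larry quoted: rv, errno and the raw buffer,
 * with the sentinel still visible at the end. */
void report(const char *to, const struct conv_result *r,
            const char out[OUT_CAP + 1])
{
    printf("%-11s rv = %d, errno = %d, guard %s\n'", to, r->rv, r->err,
           r->guard_ok ? "intact" : "OVERWRITTEN");
    fwrite(out, 1, OUT_CAP + 1, stdout);
    puts("'");
}

int main(void)
{
    /* Constructed inputs: one that fits in OUT_CAP bytes, one that cannot. */
    static const char *inputs[] = { "hello", "this input is longer than the buffer" };
    /* Assumed list of target charsets, since the suspect charset is whichever
     * one the message header names; pairs the system cannot open are skipped. */
    static const char *targets[] = { "ASCII", "ISO-8859-1", "UTF-8", "KOI8-R" };
    char out[OUT_CAP + 1];
    struct conv_result r;

    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        printf("input: \"%s\"\n", inputs[i]);
        for (size_t j = 0; j < sizeof targets / sizeof *targets; j++) {
            if (checked_convert("UTF-8", targets[j], inputs[i], out, &r) != 0) {
                printf("%-11s unsupported here\n", targets[j]);
                continue;
            }
            report(targets[j], &r, out);
        }
    }
    return 0;
}
```

Build with `cc -o convcheck convcheck.c` (add `-liconv` on systems where iconv lives outside libc). A healthy runtime reports rv = 0 with the sentinel intact for the short input and rv = -1, errno = E2BIG with exactly OUT_CAP bytes written for the long one; any run that prints OVERWRITTEN is a memory-safety bug in the converter, not in the caller.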

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 22 Aug 2005 16:54:13 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CVE assignment


This hole has been assigned CAN-2005-2642, so please mention that in the
changelog when fixing.

--
see shy jo


Debian Bug Importer (debzilla) wrote :

Message-ID: <20050826232838.GA29940@lrd5-64>
Date: Fri, 26 Aug 2005 16:28:38 -0700
From: Larry Doolittle <email address hidden>
To: <email address hidden>
Subject: doesn't reproduce on my debian box


I read the full-disclosure post, and its reply.
  http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0600.html
Two example mailboxes are given (one in each post),
and it is suggested that the problem is triggered
by a library runtime version mismatch.

I tried both examples on
 debian sid x86_64, mutt 1.5.10-1
 debian sarge x86, mutt 1.5.9-2
All four combinations (two mailboxes, two debian systems)
ran normally, no crashes or any other unusual behavior.
So this might not apply to debian at all.

    - Larry


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 27 Aug 2005 04:01:28 +0200
From: Michelle Konzack <email address hidden>
To: Larry Doolittle <email address hidden>,
  <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box


On 2005-08-26 16:28:38, Larry Doolittle wrote:
> I read the full-disclosure post, and its reply.
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-08/0600.html
> Two example mailboxes are given (one in each post),
> and it is suggested that the problem is triggered
> by a library runtime version mismatch.
>
> I tried both examples on
> debian sid x86_64, mutt 1.5.10-1
> debian sarge x86, mutt 1.5.9-2
> All four combinations (two mailboxes, two debian systems)
> ran normally, no crashes or any other unusual behavior.
> So this might not apply to debian at all.

I can confirm this too.
It does not affect Debian, but Mandrake and Redhat... :-)

> - Larry

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917                 ICQ #328449886
                   50, rue de Soultz        MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France  IRC #Debian (irc.icq.com)


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 18 Sep 2005 14:14:59 +0200
From: Florian Weimer <email address hidden>
To: Michelle Konzack <email address hidden>
Cc: <email address hidden>, Larry Doolittle <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box

* Michelle Konzack:

>> I tried both examples on
>> debian sid x86_64, mutt 1.5.10-1
>> debian sarge x86, mutt 1.5.9-2
>> All four combinations (two mailboxes, two debian systems)
>> ran normally, no crashes or any other unusual behavior.
>> So this might not apply to debian at all.
>
> I can confirm this too
> It does not affect Debian, but Mandrake and Redhat... :-)

How have you determined this?

Can you rule out that it's not reproducible with some other charset?

Debian Bug Importer (debzilla) wrote :

Message-ID: <20050919161300.GA6279@lrd5-64>
Date: Mon, 19 Sep 2005 09:13:00 -0700
From: Larry Doolittle <email address hidden>
To: <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box


I summarized my "research" with:
> [T]his might not apply to debian at all.

Michelle Konzack chimed in with:
> It does not affect Debian, but Mandrake and Redhat... :-)

Florian Weimer asked:
> Can you rule out that it's not reproducible with some other charset?

I can't rule anything out. If I understand the bug reports
and examples correctly, the charset in question is the one
specified in the e-mail header, and is therefore part of
the example mbox files. The only technical discussion I
can find on-line is on the mutt mailing list:
  http://comments.gmane.org/gmane.mail.mutt.devel/8379
and that faded away without resolution a month ago. There
is no (current & relevant) activity regarding handler.c
in the mutt CVS tree. Tamotsu's patch has been ignored.

So this still looks to me like a non-bug for Debian.
If the mutt developers don't understand and can't reproduce
it, I'm reluctant to spend much effort on the Debian side.

If Michelle has personally confirmed it affects Mandrake and
Redhat, maybe (s)he can use one of those systems to try the
test program posted by Thomas Roessler at
  http://permalink.gmane.org/gmane.mail.mutt.devel/8383
For the record, my debian sid system gives the result
rv = 0, errno = 0 (?)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*'

      - Larry


In , Michelle Konzack (linux4michelle) wrote :

I do not know whether I have already responded to you...

On 2005-09-18 14:14:59, Florian Weimer wrote:
> * Michelle Konzack:

> > I can confirm this too
> > It does not affect Debian, but Mandrake and Redhat... :-)
>
> How have you determined this?
>
> Can you rule out that it's not reproducible with some other charset?

Because my Workstation is Multi-User/Lang I have:

ar_MA       ar_MA.utf8
de_DE@euro  de_DE.utf8
el_GR       el_GR.utf8
en_GB       en_GB.utf8
en_US
es_ES@euro  es_ES.utf8
            fa_IR.utf8
fr_FR@euro  fr_FR.utf8
tr_TR       tr_TR.utf8

I have found no problems currently.

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917                 ICQ #328449886
                   50, rue de Soultz        MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France  IRC #Debian (irc.icq.com)

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 15 Oct 2005 16:23:52 +0200
From: Michelle Konzack <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#323956: doesn't reproduce on my debian box


I do not know whether I have already responded to you...

On 2005-09-18 14:14:59, Florian Weimer wrote:
> * Michelle Konzack:

> > I can confirm this too
> > It does not affect Debian, but Mandrake and Redhat... :-)
>
> How have you determined this?
>
> Can you rule out that it's not reproducible with some other charset?

Because my Workstation is Multi-User/Lang I have:

ar_MA       ar_MA.utf8
de_DE@euro  de_DE.utf8
el_GR       el_GR.utf8
en_GB       en_GB.utf8
en_US
es_ES@euro  es_ES.utf8
            fa_IR.utf8
fr_FR@euro  fr_FR.utf8
tr_TR       tr_TR.utf8

I have found no problems currently.

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack   Apt. 917                 ICQ #328449886
                   50, rue de Soultz        MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France  IRC #Debian (irc.icq.com)


In , Frank Lichtenheld (djpig) wrote : tagging 323956

# Automatically generated email from bts, devscripts version 2.9.7
 # let the further handling of the bug to the maintainer but reflect the current state of the discussion
tags 323956 unreproducible

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 29 Oct 2005 01:44:37 +0200
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 323956

# Automatically generated email from bts, devscripts version 2.9.7
 # let the further handling of the bug to the maintainer but reflect the current state of the discussion
tags 323956 unreproducible

In , Dato Simó (dato) wrote : Let's close this bug

close 323956
thanks

  (Way to go about forgetting RC bugs and not noticing mutt not
  migrating to testing but occasionally, to forget it the next day.)

  So I'm closing this bug. Neither upstream, nor me, nor other people who
  mailed this bug, have been able to reproduce the crash, and I have not
  heard of it being successfully obtained on any glibc based system. I
  am not really willing to keep this bug open at grave severity when
  people repeatedly fail to reproduce it. Upstream sees no problem; if
  somebody does, I'll be delighted (well, sort of) to see you come by
  with a proof that an exploitable bug is really hiding there.

  Cheers,

--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org

As scarce as truth is, the supply has always been in excess of the demand.
                -- Josh Billings

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 25 Nov 2005 02:02:00 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Let's close this bug

close 323956
thanks

  (Way to go about forgetting RC bugs and not noticing mutt not
  migrating to testing but occasionally, to forget it the next day.)

  So I'm closing this bug. Neither upstream, nor me, nor other people who
  mailed this bug, have been able to reproduce the crash, and I have not
  heard of it being successfully obtained on any glibc based system. I
  am not really willing to keep this bug open at grave severity when
  people repeatedly fail to reproduce it. Upstream sees no problem; if
  somebody does, I'll be delighted (well, sort of) to see you come by
  with a proof that an exploitable bug is really hiding there.

  Cheers,

--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org

As scarce as truth is, the supply has always been in excess of the demand.
                -- Josh Billings

In , Daniel Leidert (dleidert-deactivatedaccount) wrote : change my mail address

# daniel.leidert.spam[at]gmx.net
submitter 364535 !
submitter 364837 !
submitter 304084 !
submitter 348680 !
submitter 390783 !
submitter 346316 !
submitter 383495 !
submitter 362066 !
submitter 385670 !
submitter 320210 !
submitter 334536 !
submitter 334537 !
submitter 340993 !
submitter 357066 !
submitter 358693 !
submitter 363326 !
submitter 386492 !
submitter 374836 !
submitter 315085 !
submitter 368557 !
submitter 373770 !
submitter 366282 !

submitter 357038 !
submitter 316402 !
submitter 319102 !
submitter 323956 !
submitter 341789 !
submitter 343251 !
submitter 348598 !
submitter 358071 !
submitter 358368 !
submitter 364758 !
submitter 364810 !
submitter 373643 !
submitter 374222 !
submitter 374225 !
submitter 376223 !
submitter 380231 !
submitter 380423 !
submitter 388336 !
submitter 388345 !
submitter 388346 !

submitter 368407 !

submitter 316401 !
submitter 316462 !
submitter 319224 !
submitter 328100 !
submitter 328449 !
submitter 328883 !
submitter 333182 !
submitter 333433 !
submitter 334784 !
submitter 336674 !
submitter 360939 !
submitter 365727 !
submitter 367368 !
submitter 368960 !
submitter 378239 !
submitter 383267 !

submitter 314494 !
submitter 315822 !
submitter 317150 !
submitter 336831 !
submitter 339938 !
submitter 345713 !
submitter 348094 !
submitter 353503 !
submitter 360859 !
submitter 361540 !
submitter 362251 !
submitter 362679 !
submitter 362681 !
submitter 365433 !
submitter 366248 !
submitter 372314 !
submitter 376267 !
submitter 385915 !
submitter 387064 !

submitter 317352 !
submitter 318163 !
submitter 343932 !
submitter 352634 !
submitter 353557 !
submitter 355055 !
submitter 362065 !
submitter 364534 !
submitter 364536 !
submitter 367001 !
submitter 369014 !
submitter 383463 !

submitter 313611 !
submitter 313614 !
submitter 317472 !
submitter 317931 !
submitter 324620 !
submitter 335523 !
submitter 338996 !
submitter 341553 !
submitter 342189 !
submitter 348458 !
submitter 365246 !
submitter 366239 !
submitter 367694 !
submitter 369007 !
submitter 370683 !
submitter 381062 !
submitter 383408 !
submitter 389642 !

# daniel.leidert.linx[at]gmx.de
submitter 286559 !
submitter 286868 !

thanks
