[7459] in bugtraq
Mutt: Buffer overflow in recent versions.
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Wed Jul 29 15:25:03 1998
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG, mutt-users@cs.hmc.edu,
mutt-users@mutt.org, Hanno Wagner <wagner@fitug.de>,
Paul Boehm <paul@boehm.org>, security@debian.org
Date: Wed, 29 Jul 1998 12:32:40 +0200
Reply-To: Thomas Roessler <roessler@MUTT.ORG>
From: Thomas Roessler <roessler@MUTT.ORG>
X-To: mutt-users@cs.hmc.edu, mutt-users@mutt.org
To: BUGTRAQ@NETSPACE.ORG
I've been told that a message from Paul Boehm
<paul@boehm.org> is on its way to bugtraq about a buffer
overflow in Mutt. To quote from his message:
>Hi, all (newer??) versions of mutt have got an
>overflowable buffer in parse.c. When sending a specially
>formatted Content-Type in the header you can, when putting
>special purpose shellcode that doesn't contain any / ; \n
>and spaces, execute arbitrary code on the mutt running
>user's system.
Paul proposes a patch against 0.93 which will actually
fix the overflow, but still uses a fixed-size buffer for
things it shouldn't be used for. The attached patch will
go into Mutt 0.93.2(i) which I will release ASAP.
It does also apply to most recent development versions.
tlr
(Current mutt maintainer.)
-- 
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
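The patched approach in stand-alone form, as an added example that is not Mutt's code: it parses a Content-Type value the way the fixed parse_content_type() does, terminating the subtype inside the input string and duplicating it instead of copying it into a fixed-size buffer. It assumes SHORT_STRING is 128, drops parameters rather than parsing them, and models only the unknown-type fallback; the test feeds it a 300-character subtype of the kind the original copy loop could not hold.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SHORT_STRING 128  /* Mutt's fixed buffer size; the value is assumed here */
struct content_type { char *type; char *subtype; };

/* Parse "type/subtype; parameters" in place, following the patched
 * parse_content_type(): the subtype is NUL-terminated inside s and then
 * duplicated, so an over-long subtype ends up in a heap string of its own
 * size, never in a fixed stack buffer. Parameters are dropped; of Mutt's
 * missing-subtype fallbacks only the unknown-type case (application/x-<type>)
 * is modelled. Returns 0 on success, -1 if an allocation fails. */
static int parse_content_type(char *s, struct content_type *ct)
{
    char *pc, *subtype;
    ct->type = ct->subtype = NULL;
    if ((pc = strchr(s, ';')))              /* parameters start here; drop them */
        *pc = '\0';
    /* Subtype: terminate in place at whitespace or ';', then duplicate. */
    if ((subtype = strchr(s, '/')))
    {
        *subtype++ = '\0';
        for (pc = subtype; *pc && !isspace((unsigned char)*pc) && *pc != ';'; pc++)
            ;
        *pc = '\0';
        if (!(ct->subtype = strdup(subtype)))
            return -1;
    }
    /* Major type: the token left in s before the '/' (or the whole value). */
    while (isspace((unsigned char)*s))
        s++;
    for (pc = s; *pc && !isspace((unsigned char)*pc); pc++)
        ;
    *pc = '\0';
    if (ct->subtype)
        ct->type = strdup(s);
    else
    {
        /* No subtype: application/x-<type>. The fixed buffer is safe here because
         * snprintf bounds the write; the cost is silent truncation of a long name. */
        char buffer[SHORT_STRING];
        snprintf(buffer, sizeof(buffer), "x-%s", s);
        ct->type = strdup("application");
        ct->subtype = strdup(buffer);
    }
    return (ct->type && ct->subtype) ? 0 : -1;
}
```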
Attachment: patch-0.94.1i.tlr.content_type.1 (text/plain)
Index: parse.c
===================================================================
RCS file: /home/roessler/cvsroot/mutt/parse.c,v
retrieving revision 1.1.1.1.2.3
diff -u -r1.1.1.1.2.3 parse.c
--- parse.c 1998/07/14 09:25:03 1.1.1.1.2.3
+++ parse.c 1998/07/29 10:27:17
@@ -245,8 +245,7 @@
static void parse_content_type (char *s, BODY *ct)
{
char *pc;
- char buffer[SHORT_STRING];
- short i =3D 0;
+ char *subtype;
=20
safe_free((void **)&ct->subtype);
mutt_free_parameter(&ct->parameter);
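Review bot: dropping `buffer[SHORT_STRING]` and `i` from function scope is only sound if nothing in the unshown part of parse_content_type() still refers to them; the snprintf in the TYPEOTHER block gets its own local `buffer` in the third hunk, but any other remaining use would fail to compile, so build with warnings enabled before committing to confirm there are none.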
@@ -265,16 +264,13 @@
}
=20
/* Now get the subtype */
- if ((pc =3D strchr(s, '/')))
+ if ((subtype =3D strchr(s, '/')))
{
- *pc++ =3D 0;
- while (*pc && !ISSPACE (*pc) && *pc !=3D ';')
- {
- buffer[i++] =3D *pc;
- pc++;
- }
- buffer[i] =3D 0;
- ct->subtype =3D safe_strdup (buffer);
+ *subtype++ =3D '\0';
+ for(pc =3D subtype; *pc && !ISSPACE(*pc) && *pc !=3D ';'; pc++)
+ ;
+ *pc =3D '\0';
+ ct->subtype =3D safe_strdup (subtype);
}
=20
/* Finally, get the major type */
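Review bot: the overflow is gone here because nothing is copied into a fixed-size array any more: `pc` only scans `subtype`, and the NUL written at `*pc` lands inside the caller's string, so the length of the subtype token no longer matters. One behavioural change deserves a comment: the old code left `s` untouched past the `/`, whereas `*pc =3D '\0'` now truncates the string at the end of the subtype, so later code in this function can no longer see what followed it; that is harmless if parameters have already been split off by this point (mutt_free_parameter above suggests they are handled elsewhere), but please confirm and note it. Minor style point: `for(pc` differs from the `if ((` spacing used around it.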
@@ -293,6 +289,8 @@
ct->subtype =3D safe_strdup ("rfc822");
else if (ct->type =3D=3D TYPEOTHER)
{
+ char buffer[SHORT_STRING];
+
ct->type =3D TYPEAPPLICATION;
snprintf (buffer, sizeof (buffer), "x-%s", s);
ct->subtype =3D safe_strdup (buffer);
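Review bot: moving `buffer` into the TYPEOTHER block keeps the one remaining fixed-size use bounded, since `snprintf (buffer, sizeof (buffer), "x-%s", s)` cannot write past the array. Note that a major type longer than SHORT_STRING minus three is silently truncated in the resulting subtype rather than rejected; that is acceptable for a fallback name, but a short comment would stop someone later swapping snprintf for sprintf and reintroducing the problem.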