Bugzilla – Bug 868115
VUL-0: CVE-2014-0467: mutt: crash due to malicious email
Last modified: 2014-07-07 16:00:19 UTC
CVE-2014-0467: A malformed e-mail can cause a heap-based overflow in the "mutt" mailreader, possibly allowing code execution. Sample mail is attached.
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0467
https://bugzilla.redhat.com/show_bug.cgi?id=1075860
Created attachment 581942: mutt_killing_message_from_DebianBTS. mutt -f thismail then view headers "h"
The SWAMPID for this issue is 56654. This issue was rated as important. Please submit fixed packages by 2014-03-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
Affected packages: SLE-11-SP3: mutt SLE-10-SP3-TERADATA: mutt SLE-11-SP2: mutt
bugbot adjusting priority
Simple reproducer email: ---- test.email ---- From test@test.dom Thu Mar 13 13:00:20 2014 To: 1@test.dom,2@test.dom 3@test.dom,4@test.dom test -------------------- #> mutt -f test.email then view headers "h" The buffer overflow happens inside the mutt_copy_hdr() function. The this_one_len variable is not set correctly. Fix was already tested successfully. The problem was fixed in mutt-1.5.23. +diff -r 3d5e23a66a1a -r 9bf7593e3c08 copy.c +--- a/copy.c Thu Oct 24 09:55:36 2013 -0700 ++++ b/copy.c Tue Mar 11 09:40:09 2014 -0700 +@@ -254,6 +254,7 @@ + { + if (!address_header_decode (&this_one)) + rfc2047_decode (&this_one); ++ this_one_len = mutt_strlen (this_one); + } + + if (!headers[x]) +
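Review bot: the added `this_one_len = mutt_strlen (this_one);` line, placed right after the `address_header_decode (&this_one)` / `rfc2047_decode (&this_one)` calls, has no comment saying why the cached length has to be refreshed at that point. Both calls take `&this_one`, so the string can come back changed, and a one-line comment stating that `this_one_len` must always be re-derived after decoding would keep a later edit from reintroducing the stale length. The hunk covers only this decode branch, so it is also worth checking whether any other path in mutt_copy_hdr() modifies `this_one` after `this_one_len` has been set, and adding the reproducer mail from this comment as a regression test.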
Werner, any news here? The due date for submission is 2014-03-20. Thanks in advance.
I will do the mutt fixes, seems easy enough.
(In reply to comment #9) Sorry for asking, but have you worked on mutt?
Yes, all updates are running/in QA.
(In reply to comment #11) Thank you very much!
This is an autogenerated message for OBS integration: This bug (868115) was mentioned in https://build.opensuse.org/request/show/227415 Factory / mutt
openSUSE-SU-2014:0434-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 868115 CVE References: CVE-2014-0467 Sources used: openSUSE 13.1 (src): mutt-1.5.21-41.4.1 openSUSE 12.3 (src): mutt-1.5.21-36.4.1
openSUSE-SU-2014:0436-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 868115 CVE References: CVE-2014-0467 Sources used: openSUSE 11.4 (src): mutt-1.5.21-14.21.1
Fixed and released. Closing bug.
Update released for: mutt, mutt-debuginfo, mutt-debugsource Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: mutt, mutt-debuginfo, mutt-debugsource Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0471-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 868115 CVE References: CVE-2014-0467 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): mutt-1.5.17-42.37.1 SUSE Linux Enterprise Server 11 SP3 (src): mutt-1.5.17-42.37.1 SUSE Linux Enterprise Desktop 11 SP3 (src): mutt-1.5.17-42.37.1