Bugzilla – Bug 907453
VUL-0: CVE-2014-9116: mutt: heap-based buffer overflow in mutt_substrdup()
Last modified: 2015-04-24 08:05:10 UTC
CVE-2014-9116

A heap-based buffer overflow flaw was reported in the mutt_substrdup() function in Mutt. Opening a specially-crafted mail message could cause mutt to crash or, potentially, execute arbitrary code.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1168463
bugbot adjusting priority
Hmmm ... IMHO SLES 11 is not affected. I'd like to see a reproducer.
(In reply to Dr. Werner Fink from comment #2)
The same for SLE-10-SP3 and later ... reason: the function write_one_header() does not exist and the function mutt_write_one_header() is totally different from mutt-1.5.21.
This is an autogenerated message for OBS integration:
This bug (907453) was mentioned in
https://build.opensuse.org/request/show/264030 12.3 / mutt
https://build.opensuse.org/request/show/264031 13.1 / mutt
https://build.opensuse.org/request/show/264032 13.2 / mutt
Created attachment 617079
CVE-2014-9116 reproducer mbox

1. Create user crasher.
   #> useradd -m crasher
2. Copy reproducer file to the spool directory and change ownership.
   #> gunzip -c crasher.mbox.gz > /var/spool/mail/crasher
   #> chown crasher:mail /var/spool/mail/crasher
3. Use user crasher, open the email and show header information.
   #> su - crasher
   #> mutt

I've tested this already with SLES-11-SP3 and the system is not vulnerable. Same should go for SLES-11-SP1 and SLES-10-SP3 but wasn't tested by me.
openSUSE-SU-2014:1635-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 907453
CVE References: CVE-2014-9116
Sources used:
openSUSE 13.2 (src): mutt-1.5.21-44.4.1
openSUSE 13.1 (src): mutt-1.5.21-41.8.1
openSUSE 12.3 (src): mutt-1.5.21-36.20.1
Additional note to comment 7: To get the mutt "Segmentation fault" it is necessary to open the email inside the reproducer spool file from "jwilk@jwilk.net" - just select it via cursor and hit enter. Then press 'h' for viewing the header information. That should trigger the crash.
SUSE-SU-2015:0012-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 899712,907453
CVE References: CVE-2014-9116
Sources used:
SUSE Linux Enterprise Server 12 (src): mutt-1.5.21-49.1
SUSE Linux Enterprise Desktop 12 (src): mutt-1.5.21-49.1
all updates released
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-04-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61011
SUSE-SU-2015:0758-1: An update that solves one vulnerability and has one errata is now available.
Category: security (low)
Bug References: 905481,907453
CVE References: CVE-2014-9116
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): mutt-1.5.17-42.39.1
SUSE Linux Enterprise Server 11 SP3 (src): mutt-1.5.17-42.39.1
SUSE Linux Enterprise Desktop 11 SP3 (src): mutt-1.5.17-42.39.1