Package: mutt
Version: 1.7.2-1
Severity: important
Tags: security

Dear Maintainer,

for the first time since upgrading to Stretch a few months ago, mutt crashed when I pressed enter on a mail -- both when viewing locally as well as via IMAP. Starting up mutt again and trying to display that mail again crashes again, i.e. it seems to be reproducible.

Here's a backtrace made from the coredump:

#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007fd336bbc895 in __GI__IO_fputs (str=0x0, fp=0x55b6136a45d0) at iofputs.c:33
#2 0x000055b6127122dc in print_smime_keyinfo (msg=0x55b612761572 "Problem signature from:", key=key@entry=0x0, s=s@entry=0x7fff04837490, sig=<optimized out>, sig=<optimized out>) at ../../crypt-gpgme.c:1375
#3 0x000055b61271282c in show_one_sig_status (ctx=ctx@entry=0x55b6134741c0, idx=idx@entry=0, s=s@entry=0x7fff04837490) at ../../crypt-gpgme.c:1491
#4 0x000055b61271332c in verify_one (s=0x7fff04837490, tempfile=<optimized out>, is_smime=<optimized out>, sigbdy=<optimized out>, sigbdy=<optimized out>) at ../../crypt-gpgme.c:1576
#5 0x000055b61269717e in mutt_signed_handler (a=0x55b61384f900, a@entry=0x55b61386e800, s=s@entry=0x7fff04837490) at ../../crypt.c:1005
#6 0x000055b6126bf119 in run_decode_and_handler (b=b@entry=0x55b61386e800, s=s@entry=0x7fff04837490, handler=handler@entry=0x55b612696d40 <mutt_signed_handler>, plaintext=plaintext@entry=0) at ../../handler.c:1697
#7 0x000055b6126bf481 in mutt_body_handler (b=b@entry=0x55b61386e800, s=s@entry=0x7fff04837490) at ../../handler.c:1842
#8 0x000055b6126a05fb in _mutt_copy_message (fpout=fpout@entry=0x55b6136a45d0, fpin=0x55b6136b9150, hdr=hdr@entry=0x55b61386e260, body=0x55b61386e800, flags=flags@entry=2124, chflags=<optimized out>, chflags@entry=262294) at ../../copy.c:695
#9 0x000055b6126a0b6b in mutt_copy_message (fpout=0x55b6136a45d0, src=0x55b612f7bb50, hdr=hdr@entry=0x55b61386e260, flags=flags@entry=2124, chflags=262294) at ../../copy.c:783
#10 0x000055b6126987c8 in mutt_display_message (cur=0x55b61386e260) at ../../commands.c:159
#11 0x000055b6126a7f0c in mutt_index_menu () at ../../curs_main.c:2041
#12 0x000055b612688f16 in main (argc=1, argv=<optimized out>, environ=<optimized out>) at ../../main.c:896

Thunderbird can display the mail and says that the S/MIME signature is not valid.

In case the backtrace above does not suffice to find the issue, I can probably provide the mail in private.

I'm not 100% sure if this might be a security issue. It is at least usable as DOS against mutt users and mutt crashes on input received from untrusted sources. No idea if that might be used for remote code execution or similar. So to be on the safe side, I'm tagging this as "security".

Security team: Please remove this tag if you think that this issue does not validate further investigation from a security point of view.

-- Package-specific info:
NeoMutt 20170113 (1.7.2)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 4.9.0-2-amd64 (x86_64)
libidn: 1.33 (compiled with 1.33)
hcache backends: tokyocabinet

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.3.0-2' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.3.0 20161229 (Debian 6.3.0-2)

Configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=\${prefix}/include' '--mandir=\${prefix}/share/man' '--infodir=\${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=\${prefix}/lib/x86_64-linux-gnu' '--libexecdir=\${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--with-mailpath=/var/mail' '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--enable-sidebar' '--enable-nntp' '--enable-notmuch' '--disable-fmemopen' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' '--with-tokyocabinet' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/mutt-K2ak0h/mutt-1.7.2=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 -fdebug-prefix-map=/build/mutt-K2ak0h/mutt-1.7.2=. -fstack-protector-strong -Wformat -Werror=format-security -fno-delete-null-pointer-checks

Compile options:
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
+DEBUG +DL_STANDALONE +ENABLE_NLS -EXACT_ADDRESS -HOMESPOOL -LOCALES_HACK
-SUN_ATTACHMENT +HAVE_BKGDSET +HAVE_COLOR +HAVE_CURS_SET +HAVE_FUTIMENS
+HAVE_GETADDRINFO +HAVE_GETSID +HAVE_ICONV +HAVE_LANGINFO_CODESET
+HAVE_LANGINFO_YESEXPR +HAVE_LIBIDN +HAVE_META +HAVE_REGCOMP +HAVE_RESIZETERM
+HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_WC_FUNCS +ICONV_NONTRANS
+USE_COMPRESSED +USE_DOTLOCK +USE_FCNTL -USE_FLOCK -USE_FMEMOPEN
-USE_GNU_REGEX +USE_GSS +USE_HCACHE +USE_IMAP +USE_NOTMUCH +USE_NNTP +USE_POP
+USE_SASL +USE_SETGID +USE_SIDEBAR +USE_SMTP +USE_SSL_GNUTLS -USE_SSL_OPENSSL
-DOMAIN
MIXMASTER="mixmaster"
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"

patch-attach-headers-color-neomutt
patch-compose-to-sender-neomutt
patch-compress-neomutt
patch-cond-date-neomutt
patch-encrypt-to-self-neomutt
patch-fmemopen-neomutt
patch-forgotten-attachments-neomutt
patch-forwref-neomutt
patch-ifdef-neomutt
patch-index-color-neomutt
patch-initials-neomutt
patch-keywords-neomutt
patch-kyoto-neomutt
patch-limit-current-thread-neomutt
patch-lmdb-neomutt
patch-multiple-fcc-neomutt
patch-nested-if-neomutt
patch-new-mail-neomutt
patch-nntp-neomutt
patch-notmuch-neomutt
patch-progress-neomutt
patch-quasi-delete-neomutt
patch-reply-with-xorig-neomutt
patch-sensible-browser-neomutt
patch-sidebar-neomutt
patch-skip-quoted-neomutt
patch-status-color-neomutt
patch-timeout-neomutt
patch-tls-sni-neomutt
patch-trash-neomutt

To learn more about NeoMutt, visit: http://www.neomutt.org/
If you find a bug in NeoMutt, please raise an issue at:
    https://github.com/neomutt/neomutt/issues
or send an email to: <neomutt-de...@neomutt.org>

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages mutt depends on:
ii  libassuan0        2.4.3-2
ii  libc6             2.24-9
ii  libcomerr2        1.43.4-2
ii  libgnutls30       3.5.8-3
ii  libgpg-error0     1.26-2
ii  libgpgme11        1.8.0-3+b2
ii  libgssapi-krb5-2  1.15-1
ii  libidn11          1.33-1
ii  libk5crypto3      1.15-1
ii  libkrb5-3         1.15-1
ii  libncursesw5      6.0+20161126-1
ii  libnotmuch4       0.23.7-3
ii  libsasl2-2        2.1.27~101-g0780600+dfsg-3
ii  libtinfo5         6.0+20161126-1
ii  libtokyocabinet9  1.4.48-11+b1

Versions of packages mutt recommends:
ii  libsasl2-modules  2.1.27~101-g0780600+dfsg-3
ii  locales           2.24-9
ii  mime-support      3.60

Versions of packages mutt suggests:
ii  aspell                          0.60.7~20110707-3+b2
ii  ca-certificates                 20161130
ii  gnupg                           2.1.18-6
ii  ispell                          3.4.00-5
pn  mixmaster                       <none>
ii  openssl                         1.1.0e-1
ii  postfix [mail-transport-agent]  3.1.4-4
pn  urlview                         <none>

Versions of packages mutt is related to:
ii  mutt  1.7.2-1

-- no debconf information
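
Added example, not part of the original report and not mutt's code: a triage script that parses frames #0-#3 of the backtrace above and flags every argument gdb printed as `0x0`. The names `parse_frames` and `null_origin` are made up for this example, and picking the outermost NULL-carrying frame is a heuristic for where to start reading the source, not a root-cause finding.

```python
import re

# Frames #0-#3 copied from the backtrace in the report above.
BACKTRACE = """\
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007fd336bbc895 in __GI__IO_fputs (str=0x0, fp=0x55b6136a45d0) at iofputs.c:33
#2 0x000055b6127122dc in print_smime_keyinfo (msg=0x55b612761572 "Problem signature from:", key=key@entry=0x0, s=s@entry=0x7fff04837490, sig=<optimized out>, sig=<optimized out>) at ../../crypt-gpgme.c:1375
#3 0x000055b61271282c in show_one_sig_status (ctx=ctx@entry=0x55b6134741c0, idx=idx@entry=0, s=s@entry=0x7fff04837490) at ../../crypt-gpgme.c:1491
"""

# One gdb frame: "#N [0xADDR in ]func (args) at file:line".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) "
    r"\((?P<args>.*)\) at (?P<file>\S+):(?P<line>\d+)$"
)
# Pointer printed as hex NULL: "str=0x0" or "key=key@entry=0x0".
# Plain integers such as "idx=idx@entry=0" are deliberately not matched.
NULL_ARG_RE = re.compile(r"(?:^|, )(\w+)=(?:\w+@entry=)?0x0(?=,|$)")


def parse_frames(text):
    """Parse gdb 'bt' output into dicts, recording NULL pointer arguments."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({
                "num": int(m["num"]), "func": m["func"],
                "file": m["file"], "line": int(m["line"]),
                "null_args": NULL_ARG_RE.findall(m["args"]),
            })
    return frames


def null_origin(frames):
    """Heuristic: outermost frame of the first run of NULL-carrying frames."""
    origin = None
    for frame in frames:
        if frame["null_args"]:
            origin = frame
        elif origin is not None:
            break  # the run of frames holding a NULL argument has ended
    return origin


if __name__ == "__main__":
    hit = null_origin(parse_frames(BACKTRACE))
    print(f'{hit["func"]} ({hit["file"]}:{hit["line"]}) NULL args: {hit["null_args"]}')
```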