Package: mutt
Version: 1.5.13-3
Severity: normal
Tags: security

Mutt, in its parsing of "mailto:" URLs, in some situations writes
after the end of a fixed-size buffer. I'm not sure it is exploitable,
because the data being written is not attacker-controlled (only a null
character), but I'd rather someone more expert than me at security
took a look at it.

It happens in file url.c, function url_parse_mailto, in the else block
of the very last "if" of the file:

    if (!ascii_strcasecmp (tag, "body"))
    {
      if (body)
        mutt_str_replace (body, value);
    }
    else 
    {
      taglen = strlen (tag);
      /* mutt_parse_rfc822_line makes some assumptions */
      snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
      scratch[taglen] = '\0';
      value = &scratch[taglen+1];
      SKIPWS (value);
      mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
    }

scratch is declared like that:

  char scratch[HUGE_STRING];

where (in lib.h):

 # define HUGE_STRING      5120

The line

  scratch[taglen] = '\0';

will write past the end of "scratch". To trigger that, pass as
argument to mutt:

 mailto:[EMAIL PROTECTED]

I propose to add:

  /* valid indices are 0 .. sizeof (scratch) - 1, so taglen == sizeof (scratch)
   * must be caught as well; leave room for the '\0' and for value to point
   * inside the buffer */
  if (taglen >= sizeof (scratch))
      taglen = sizeof (scratch) - 2;

as a safety.
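To make the index arithmetic concrete, here is an added C example; it is not mutt's code. HUGE_STRING is the value quoted from lib.h above, and skip_ws is a hypothetical stand-in for mutt's SKIPWS macro. The first function reproduces the computation of the else-branch without performing the write and reports whether scratch[taglen] would lie outside the buffer (snprintf silently truncates, so a tag longer than the buffer never makes the index safe). The second is a bounds-checked rewrite of the branch that goes one step beyond the clamp proposed above: instead of shortening the tag, it refuses a header whose tag cannot fit, so that a truncated tag is never parsed as a different, shorter header.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as mutt's HUGE_STRING (lib.h), quoted in the report. */
#define HUGE_STRING 5120

/* Hypothetical stand-in for mutt's SKIPWS: advance past leading blanks. */
static const char *skip_ws(const char *p)
{
    while (*p && isspace((unsigned char)*p))
        p++;
    return p;
}

/*
 * Reproduce the index arithmetic of url_parse_mailto's else-branch without
 * doing the write: returns 1 if scratch[taglen] would lie outside a buffer
 * of scratch_len bytes, 0 otherwise. snprintf() limits the copy to
 * scratch_len - 1 bytes plus the NUL, but taglen is computed from the
 * untruncated tag, so valid indices are only 0 .. scratch_len - 1.
 */
int unchecked_index_overflows(const char *tag, size_t scratch_len)
{
    size_t taglen = strlen(tag);
    return taglen >= scratch_len;
}

/*
 * Bounds-checked version of the branch: builds "tag: value" in scratch,
 * splits it in place so that scratch holds the tag, and returns a pointer
 * to the value part. Returns NULL when the tag cannot fit, so the caller
 * can reject the header instead of parsing a truncated one.
 */
const char *split_header_checked(const char *tag, const char *value,
                                 char *scratch, size_t scratch_len)
{
    size_t taglen = strlen(tag);

    /* need room for the tag, the ": " separator and the terminating NUL,
     * and &scratch[taglen + 1] must still point inside the buffer */
    if (taglen + 2 >= scratch_len)
        return NULL;

    snprintf(scratch, scratch_len, "%s: %s", tag, value);
    scratch[taglen] = '\0';              /* now provably inside the buffer */
    return skip_ws(&scratch[taglen + 1]);
}

/*
 * Constructed input: a 6000-byte tag, longer than HUGE_STRING. Returns 1
 * if the unchecked arithmetic would index past scratch AND the checked
 * version refuses the header, 0 otherwise.
 */
int demo_long_tag(void)
{
    char scratch[HUGE_STRING];
    size_t n = 6000;
    char *tag = malloc(n + 1);
    if (!tag)
        return 0;
    memset(tag, 'a', n);
    tag[n] = '\0';

    int oob = unchecked_index_overflows(tag, sizeof scratch);
    int rejected = split_header_checked(tag, "x", scratch, sizeof scratch) == NULL;
    free(tag);
    return oob && rejected;
}

int main(void)
{
    char scratch[HUGE_STRING];
    const char *v = split_header_checked("subject", "hello", scratch, sizeof scratch);
    printf("short tag: header=%s value=%s\n", scratch, v ? v : "(rejected)");
    printf("6000-byte tag: unchecked index out of bounds and rejected by check: %d\n",
           demo_long_tag());
    return 0;
}
```

Usage: compile with `cc -std=c99 -Wall` and run; the program only computes indices for the oversized tag, it never performs the out-of-bounds store, so it is safe to run under a sanitizer to confirm the checked path is clean.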

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mutt depends on:
ii  exim4                    4.67-1          metapackage to ease exim MTA (v4) 
ii  exim4-daemon-heavy [mail 4.67-1          exim MTA (v4) daemon with extended
ii  libc6                    2.5-9           GNU C Library: Shared libraries
ii  libdb4.4                 4.4.20-8        Berkeley v4.4 Database Libraries [
ii  libgnutls13              1.6.2-2         the GNU TLS library - runtime libr
ii  libidn11                 0.6.5-1         GNU libidn library, implementation
ii  libncursesw5             5.6-3           Shared libraries for terminal hand
ii  libsasl2-2               2.1.22.dfsg1-10 Authentication abstraction library

Versions of packages mutt recommends:
ii  locales                       2.5-9      GNU C Library: National Language (
ii  mime-support                  3.39-1     MIME files 'mime.types' & 'mailcap

-- no debconf information
