Bug#771125: marked as done (mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with begin > end, leading to crash)

Debian Bug Tracking System Mon, 08 Dec 2014 07:33:59 -0800

Your message dated Mon, 08 Dec 2014 15:32:41 +0000
with message-id <e1xy0ij-00069y...@franck.debian.org>
and subject line Bug#771125: fixed in mutt 1.5.21-6.2+deb7u3
has caused the Debian Bug report #771125,
regarding mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with 
begin > end, leading to crash
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
771125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: mutt
Version: 1.5.23-1.1
Tags: security

mutt segfaults when trying to show the attached message. (You might need to disable header weeding to trigger the crash.)


Backtrace:

#0  __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:90
#1  0x080b74fa in memcpy (__len=4294967295, __src=0x8a45b65, __dest=0x8a45b65) 
at /usr/include/i386-linux-gnu/bits/string3.h:51
#2  mutt_substrdup (begin=0x8a45b65 "I\n", end=0x8a45b64 "\rI\n") at 
../lib.c:824
#3  0x080ac13f in write_one_header (fp=0x8a45b65, pfxw=0, max=2147483647, wraplen=180, pfx=0x0, 
start=0x8a45b5e "From:\n\rI\n", end=0x8a45b64 "\rI\n", flags=262164) at 
../sendlib.c:1818
#4  0x080aefaa in mutt_write_one_header (fp=0x8a45900, tag=0x8a45b5e "From:\n\rI\n", 
value=0x8a45b63 "\n\rI\n", pfx=0x0, wraplen=180, flags=262164) at ../sendlib.c:1894
#5  0x0806248a in mutt_copy_hdr (in=0x0, out=0x8a45900, off_start=622720505018843140, 
off_end=<optimized out>, flags=262164, prefix=0x0) at ../copy.c:290
#6  0x08062bad in mutt_copy_header (in=0x7fffffff, h=0x8a44668, out=0x8a45900, 
flags=262164, prefix=0x0) at ../copy.c:351
#7  0x08062fbf in _mutt_copy_message (fpout=0x8a45900, fpin=0x8a3b3e8, 
hdr=0x8a44668, body=0x8a44750, flags=76, chflags=262164) at ../copy.c:571
#8  0x0806363b in mutt_copy_message (fpout=0x8a45900, src=0x8a3b910, 
hdr=0x8a44668, flags=76, chflags=262164) at ../copy.c:688
#9  0x0805c3b6 in mutt_display_message (cur=0x8a44668) at ../commands.c:148
#10 0x08068e9a in mutt_index_menu () at ../curs_main.c:1227
#11 0x0804e696 in main (argc=<optimized out>, argv=0xffc99284) at ../main.c:1056


This bug was brought to you by American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mutt depends on:
ii  libassuan0         2.1.2-2
ii  libc6              2.19-13
ii  libcomerr2         1.42.12-1
ii  libgnutls-deb0-28  3.3.8-5
ii  libgpg-error0      1.17-2
ii  libgpgme11         1.5.1-6
ii  libgssapi-krb5-2   1.12.1+dfsg-15
ii  libidn11           1.29-1
ii  libk5crypto3       1.12.1+dfsg-15
ii  libkrb5-3          1.12.1+dfsg-15
ii  libncursesw5       5.9+20140913-1
ii  libsasl2-2         2.1.26.dfsg1-12
ii  libtinfo5          5.9+20140913-1
ii  libtokyocabinet9   1.4.48-3

--
Jakub Wilk

crasher.mbox.gz
Description: application/gzip

--- End Message ---

--- Begin Message ---

Source: mutt
Source-Version: 1.5.21-6.2+deb7u3

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Radici <anto...@dyne.org> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Nov 2014 17:10:22 +0000
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source amd64
Version: 1.5.21-6.2+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Antonio Radici <anto...@dyne.org>
Changed-By: Antonio Radici <anto...@dyne.org>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
 mutt-dbg   - debugging symbols for mutt
 mutt-patched - Mutt Mail User Agent with extra patches
Closes: 771125
Changes: 
 mutt (1.5.21-6.2+deb7u3) wheezy-security; urgency=high
 .
   * Fix an incorrect use of mutt_substrdup() in write_one_header() reported in
     CVE-2014-0467 (Closes: 771125)
Checksums-Sha1: 
 e81a3acb65090030b03b59eb97cfe5630b54e581 2174 mutt_1.5.21-6.2+deb7u3.dsc
 b9c40003c06d53e678be01b69e271ae3e3b768a7 185096 mutt_1.5.21-6.2+deb7u3.diff.gz
 b96e8feed24508805930ecfe3654c43ee8ee8693 1388878 
mutt_1.5.21-6.2+deb7u3_amd64.deb
 4cd6cd4926a51e233e4eddadefa0776e462adf6a 374888 
mutt-patched_1.5.21-6.2+deb7u3_amd64.deb
 727222b191004c4d12f726f8faa1b25206848e6d 1200158 
mutt-dbg_1.5.21-6.2+deb7u3_amd64.deb
Checksums-Sha256: 
 7502f360684050bcf4870bc71ed60062c06b2eefdbe6d56ae46ee95879519966 2174 
mutt_1.5.21-6.2+deb7u3.dsc
 fb4bf0c9fed7aa8969f0d22e0af27f2f245754f2107aac2ae1d2787de69a57af 185096 
mutt_1.5.21-6.2+deb7u3.diff.gz
 3a36dbd3ff4b4f92479b9318c6c9b2d8a66842d88e75409bee99e659dcf2abfd 1388878 
mutt_1.5.21-6.2+deb7u3_amd64.deb
 b628b7a6138343b17279eaac8a0247fec4d8c798fa867960fff2747b21df1d08 374888 
mutt-patched_1.5.21-6.2+deb7u3_amd64.deb
 46735aee0aabef27fc8c4b5c0e1b0db4449e68bf4f2685ba43f7d5ebe2744b7b 1200158 
mutt-dbg_1.5.21-6.2+deb7u3_amd64.deb
Files: 
 fae84aca6fd336e848f790b475f70d58 2174 mail standard mutt_1.5.21-6.2+deb7u3.dsc
 f67209091cca82999bac93eb72fc7149 185096 mail standard 
mutt_1.5.21-6.2+deb7u3.diff.gz
 e30ac002a09416cf81fc1378bfdf63a0 1388878 mail standard 
mutt_1.5.21-6.2+deb7u3_amd64.deb
 bbd239eac1fdffa2b93e9fb42510c8a9 374888 mail extra 
mutt-patched_1.5.21-6.2+deb7u3_amd64.deb
 642374362e2b7cb7d02b7cfb11f29d0d 1200158 debug extra 
mutt-dbg_1.5.21-6.2+deb7u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJUegpZAAoJEDXIyIhyyx7twgoQALogTrLqjscvyOZ1Rj/UWgVX
gXO84YbPYy/DFiiBpJ2bNglv5Jv6HHtIv18u6F8gk2L6RHlLIRMDy1TmPrnI+vZW
imdmzvbrloKBR1bYqRy4ycaEgvcBXynuubm8sRC98qGqDt1zm37B++Q5sLEdh7hN
QY7UbP4YDLenL4dDfhub0APTZ7S+kAYuBWw1zzepY1qOJi7QPvp+OKMXalcWvIsL
Qjhvvnb4zpNWwqQ6/KJLMxuAFdQWXrqflBjRUbSUjBBeXqiflUG6ulwgbq5JYqkn
51e3PB/c2Ysxq8aWKEzCtz1KDFCr9d4THuMLD2MHj8LzuARUKK1ns0S4JTAbPxmU
ozclLD3WMGv4yFCv/Gg41DpBHVETZBPkAFwgp4jX3/TM64/80gEDgrZs+yd9ofYM
3C2ewSg3jAWPwz2sA/1mUduCes+PmHKBkQ4cVTjbn4rOLWfg38DaDRUVeQE184vq
S5o9xZPwM4lX9J+dbxMGR02CbBauAaDqSwLjCom7jcGXif8iQB57nK9U7zrU8RLk
2a/ASG4zkaWgIt6CKYcZ8OJuIwCK9EhagTVt6t67BnymgBDBvOapfqpFPdpoPDHw
kZC7v8Y2rxavdOIoacZGYY4zFKUiVzVouRzlqlCq6DFw586P9kyzIhkesRhcVXLc
9gLjywpIa5ejyfmke6xY
=COe4
-----END PGP SIGNATURE-----

--- End Message ---

Bug#771125: marked as done (mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with begin > end, leading to crash)

Reply via email to