Bug 99610 - [patch] Mutt imap browse buffer overlow; patch from the mutt repository
Summary: [patch] Mutt imap browse buffer overlow; patch from the mutt repository
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-29 15:50 UTC by jpd
Modified: 2006-06-30 00:22 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description jpd 2006-06-29 15:50:14 UTC
Quoting http://www.securityfocus.com/bid/18642

  Mutt is prone to a remote buffer-overflow vulnerability. This
  issue is due to the application's failure to properly bounds-check
  user-supplied input before copying it to an insufficiently sized
  memory buffer.

  This issue may allow remote attackers to execute arbitrary machine
  code in the context of the affected application. Failed exploit
  attempts will likely crash the application, denying further service to
  legitimate users.

  Mutt version 1.4.2.1 is reported to be vulnerable. Other versions may
  be affected as well.

Fix: 

The following is a patch taken from the mutt source repository, and
minimally adapted to work with the ports framework. Afterward, mutt
runs. I have verified neither the problem nor whether this fixes it.

From: brendan <brendan>
Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000)
Subject: From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=dc0272b749f0e2b102973b7ac43dbd3908507540

  From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
  
  Fix browse_get_namespace() which could overflow ns[LONG_STRING].
  (Possible remote vulnerability)
---

--- imap/browse.c.orig
+++ imap/browse.c
@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
 	    if (*s == '\"')
 	    {
 	      s++;
-	      while (*s && *s != '\"') 
+	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
 	      {
 		if (*s == '\\')
 		  s++;
@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
 		s++;
 	    }
 	    else
-	      while (*s && !ISSPACE (*s)) 
+	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
 	      {
 		ns[n++] = *s;
 		s++;
 	      }
 	    ns[n] = '\0';
+	    if (n == sizeof (ns) - 1)
+	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
 	    /* delim? */
 	    s = imap_next_word (s);
 	    /* delimiter is meaningless if namespace is "". Why does
Comment 1 Udo.Schweigert 2006-06-29 17:13:48 UTC
This also affects mail/mutt-devel.
The vulnerability is fixed by PRs 99613 and 99614.

Best regards

-- 
Udo Schweigert, Siemens AG   | Voice      : +49 89 636 42170
CT IC CERT, Siemens CERT     | Fax        : +49 89 636 41166
D-81730 Muenchen / Germany   | email      : udo.schweigert@siemens.com
Comment 2 Edwin Groothuis freebsd_committer 2006-06-29 23:57:24 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 3 Shaun Amott freebsd_committer 2006-06-30 00:20:14 UTC
State Changed
From-To: feedback->closed

Superseded by ports/99613 and ports/99614.