Package: mutt
Version: 1.6.1-1
Severity: normal

with very long recipient addresses (as for example used by github in reply-to for their issue tracker) with gpgme and opportunistic encryption enabled, mutt crashes with:
*** Error in `mutt': free(): invalid next size (fast): 0x0000000001b163e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x71fc5)[0x7f6d42d00fc5]
/lib/x86_64-linux-gnu/libc.so.6(+0x77966)[0x7f6d42d06966]
/lib/x86_64-linux-gnu/libc.so.6(+0x7814e)[0x7f6d42d0714e]
mutt[0x473654]
mutt[0x47cbac]
mutt[0x4816c5]
mutt[0x4141ff]
mutt[0x4142ad]
mutt[0x46514b]
mutt[0x408981]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6d42caf5f0]
[...]
Aborted
the behavior can be reproduced in a blank user with the following steps:
* create a .muttrc with `set crypt_use_gpgme` and
`set crypt_opportunistic_encrypt`
* start mutt as
`mutt 'xxxxxxxxxxxxxx
<xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...@xxxxxxxxxxxx.xyz>'`
* (confirm creation of new mailbox)
* leave recipient as mutt suggests it
* enter a subject
* (mutt opens vim) enter a line
* mutt crashes
i've observed the behavior in 1.6.0-1, and refined it to the above
example using mutt 1.6.1-1.
best regards
chrysn
-- Package-specific info:
Mutt 1.6.1 (2016-04-27)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: Linux 4.7.0-rc3+ (x86_64)
libidn: 1.32 (compiled with 1.32)
hcache backend: tokyocabinet 1.4.48
Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 5.3.1-19'
--with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs
--enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-5 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib
--disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64
--with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar
--enable-objc-gc --enable-multiarch --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 5.3.1 20160509 (Debian 5.3.1-19)
Configure options: '--prefix=/usr' '--sysconfdir=/etc'
'--mandir=/usr/share/man' '--with-docdir=/usr/share/doc'
'--with-mailpath=/var/mail' '--disable-dependency-tracking'
'--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache'
'--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--with-curses'
'--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl'
'--without-gdbm' '--without-bdb' '--without-qdbm' '--build' 'x86_64-linux-gnu'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall
Compile options:
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
+DEBUG +DL_STANDALONE +ENABLE_NLS -EXACT_ADDRESS -HOMESPOOL -LOCALES_HACK
-SUN_ATTACHMENT +HAVE_BKGDSET +HAVE_COLOR +HAVE_CURS_SET +HAVE_GETADDRINFO
+HAVE_GETSID +HAVE_ICONV +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_LIBIDN +HAVE_META +HAVE_REGCOMP +HAVE_RESIZETERM +HAVE_START_COLOR
+HAVE_TYPEAHEAD +HAVE_WC_FUNCS +ICONV_NONTRANS +COMPRESSED +USE_DOTLOCK
+USE_FCNTL -USE_FLOCK -USE_GNU_REGEX +USE_GSS +USE_HCACHE +USE_IMAP +USE_POP
+USE_SASL +USE_SETGID +USE_SMTP +USE_SSL_GNUTLS -USE_SSL_OPENSSL
-DOMAIN
MIXMASTER="mixmaster"
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
To contact the developers, please mail to <[email protected]>.
To report a bug, please visit http://bugs.mutt.org/.
misc/am-maintainer-mode.patch
neomutt/11-ifdef.patch
neomutt/14-trash.patch
neomutt-devel/sensible-browser.patch
features/compressed-folders.patch
features/compressed-folders.debian.patch
debian-specific/Muttrc.patch
debian-specific/Md.etc_mailname_gethostbyname.patch
debian-specific/use_usr_bin_editor.patch
debian-specific/correct_docdir_in_man_page.patch
debian-specific/dont_document_not_present_features.patch
debian-specific/document_debian_defaults.patch
debian-specific/assumed_charset-compat.patch
debian-specific/467432-write_bcc.patch
debian-specific/566076-build_doc_adjustments.patch
misc/gpg.rc-paths.patch
misc/smime.rc.patch
upstream/528233-readonly-open.patch
upstream/228671-pipe-mime.patch
upstream/383769-score-match.patch
upstream/771125-CVE-2014-9116-jessie.patch
upstream/path_max.patch
upstream/809802_timeout_hook.patch
__separator__mutt.org.patch
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-rc3+ (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages mutt depends on:
ii libassuan0 2.4.2-3
ii libc6 2.22-11
ii libcomerr2 1.43.1-1
ii libgnutls30 3.4.13-1
ii libgpg-error0 1.22-2
ii libgpgme11 1.6.0-3
ii libgssapi-krb5-2 1.14.2+dfsg-1
ii libidn11 1.32-3.1
ii libk5crypto3 1.14.2+dfsg-1
ii libkrb5-3 1.14.2+dfsg-1
ii libncursesw5 6.0+20160319-1
ii libsasl2-2 2.1.26.dfsg1-15
ii libtinfo5 6.0+20160319-1
ii libtokyocabinet9 1.4.48-10
Versions of packages mutt recommends:
ii libsasl2-modules 2.1.26.dfsg1-15
ii locales 2.22-11
ii mime-support 3.60
Versions of packages mutt suggests:
ii aspell 0.60.7~20110707-3+b1
ii ca-certificates 20160104
ii gnupg 1.4.20-6
pn mixmaster <none>
ii nullmailer [mail-transport-agent] 1:1.13-1+b1
ii openssl 1.0.2h-1
pn urlview <none>
Versions of packages mutt is related to:
ii mutt 1.6.1-1
pn mutt-dbg <none>
pn mutt-patched <none>
-- no debconf information
--
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom
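Added example, not part of the original report and not mutt or Debian code: a small triage helper that parses glibc abort backtrace lines like the ones above and builds the addr2line invocations needed to turn the raw frames into function names. It assumes the mutt binary is not position-independent (so the bracketed addresses can be looked up directly) and that debug symbols for the binary are available; the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Sample input: a subset of the frames from the report's backtrace.
SAMPLE = """\
/lib/x86_64-linux-gnu/libc.so.6(+0x71fc5)[0x7f6d42d00fc5]
/lib/x86_64-linux-gnu/libc.so.6(+0x77966)[0x7f6d42d06966]
mutt[0x473654]
mutt[0x47cbac]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6d42caf5f0]
[...]
"""

# Frame layout: module, optional "(symbol+0xoffset)", then "[0xabsolute]".
FRAME = re.compile(
    r"^(?P<module>[^(\[\s]+)"
    r"(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-fA-F]+))?\))?"
    r"\[(?P<addr>0x[0-9a-fA-F]+)\]$"
)

def parse_frames(text):
    """Return one dict per recognised frame; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames

def lookup_address(frame):
    """Address to hand to addr2line, or None if the frame is already named."""
    sym, off = frame["sym"], frame["off"]
    if sym is None:        # bare "mutt[0x...]": assumed non-PIE, use as printed
        return frame["addr"]
    if sym == "" and off:  # "(+0x71fc5)": offset from the module's load base
        return off
    return None            # "(name+0xf0)": glibc already resolved the symbol

def addr2line_commands(text):
    """Group unresolved frames per module, in call order, one command each."""
    per_module = OrderedDict()
    for frame in parse_frames(text):
        addr = lookup_address(frame)
        if addr:
            per_module.setdefault(frame["module"], []).append(addr)
    return ["addr2line -f -C -i -e %s %s" % (mod, " ".join(addrs))
            for mod, addrs in per_module.items()]
```

The module name is emitted as printed in the backtrace, so for the executable it has to be replaced with the path to the binary (or its detached debug file) before running the command.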

