Your message dated Fri, 05 Dec 2014 19:18:54 +0000
with message-id <e1xwyp0-0005dt...@franck.debian.org>
and subject line Bug#771125: fixed in mutt 1.5.20-9+squeeze4
has caused the Debian Bug report #771125,
regarding mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with 
begin > end, leading to crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
771125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mutt
Version: 1.5.23-1.1
Tags: security

mutt segfaults when trying to show the attached message. (You might need to disable header weeding to trigger the crash.)

Backtrace:

#0  __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:90
#1  0x080b74fa in memcpy (__len=4294967295, __src=0x8a45b65, __dest=0x8a45b65) at /usr/include/i386-linux-gnu/bits/string3.h:51
#2  mutt_substrdup (begin=0x8a45b65 "I\n", end=0x8a45b64 "\rI\n") at ../lib.c:824
#3  0x080ac13f in write_one_header (fp=0x8a45b65, pfxw=0, max=2147483647, wraplen=180, pfx=0x0, start=0x8a45b5e "From:\n\rI\n", end=0x8a45b64 "\rI\n", flags=262164) at ../sendlib.c:1818
#4  0x080aefaa in mutt_write_one_header (fp=0x8a45900, tag=0x8a45b5e "From:\n\rI\n", value=0x8a45b63 "\n\rI\n", pfx=0x0, wraplen=180, flags=262164) at ../sendlib.c:1894
#5  0x0806248a in mutt_copy_hdr (in=0x0, out=0x8a45900, off_start=622720505018843140, off_end=<optimized out>, flags=262164, prefix=0x0) at ../copy.c:290
#6  0x08062bad in mutt_copy_header (in=0x7fffffff, h=0x8a44668, out=0x8a45900, flags=262164, prefix=0x0) at ../copy.c:351
#7  0x08062fbf in _mutt_copy_message (fpout=0x8a45900, fpin=0x8a3b3e8, hdr=0x8a44668, body=0x8a44750, flags=76, chflags=262164) at ../copy.c:571
#8  0x0806363b in mutt_copy_message (fpout=0x8a45900, src=0x8a3b910, hdr=0x8a44668, flags=76, chflags=262164) at ../copy.c:688
#9  0x0805c3b6 in mutt_display_message (cur=0x8a44668) at ../commands.c:148
#10 0x08068e9a in mutt_index_menu () at ../curs_main.c:1227
#11 0x0804e696 in main (argc=<optimized out>, argv=0xffc99284) at ../main.c:1056


This bug was brought to you by American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mutt depends on:
ii  libassuan0         2.1.2-2
ii  libc6              2.19-13
ii  libcomerr2         1.42.12-1
ii  libgnutls-deb0-28  3.3.8-5
ii  libgpg-error0      1.17-2
ii  libgpgme11         1.5.1-6
ii  libgssapi-krb5-2   1.12.1+dfsg-15
ii  libidn11           1.29-1
ii  libk5crypto3       1.12.1+dfsg-15
ii  libkrb5-3          1.12.1+dfsg-15
ii  libncursesw5       5.9+20140913-1
ii  libsasl2-2         2.1.26.dfsg1-12
ii  libtinfo5          5.9+20140913-1
ii  libtokyocabinet9   1.4.48-3

--
Jakub Wilk

Attachment: crasher.mbox.gz
Description: application/gzip


--- End Message ---
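
Added example (not part of the bug report and not mutt's code): frame #2 of the backtrace shows begin one byte past end, so a length computed as an unsigned end - begin wraps to the largest size_t value, which on i386 is the __len=4294967295 that memcpy received. The helper names below are hypothetical; the header bytes and the two offsets are taken from the values printed in frames #2 and #3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header bytes as printed for `start` in frame #3 of the backtrace. */
static const char HDR[] = "From:\n\rI\n";

/* What an unchecked `size_t len = end - begin` evaluates to. */
size_t unchecked_len(const char *begin, const char *end)
{
    return (size_t)(end - begin);
}

/* Hypothetical hardened substring copy: NULL or inverted ranges are
 * rejected before any length is derived from them. */
char *checked_substrdup(const char *begin, const char *end)
{
    if (begin == NULL || end == NULL || end < begin)
        return NULL;
    size_t len = (size_t)(end - begin);
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, begin, len);
    p[len] = '\0';
    return p;
}

/* Offsets from the backtrace: start=0x8a45b5e, begin=0x8a45b65 (start+7),
 * end=0x8a45b64 (start+6). */
size_t backtrace_case_len(void)
{
    return unchecked_len(HDR + 7, HDR + 6);
}

int backtrace_case_rejected(void)
{
    return checked_substrdup(HDR + 7, HDR + 6) == NULL;
}

int main(void)
{
    printf("unchecked length: %zu\n", backtrace_case_len());
    printf("inverted range rejected: %d\n", backtrace_case_rejected());
    return 0;
}
```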
--- Begin Message ---
Source: mutt
Source-Version: 1.5.20-9+squeeze4

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 04 Dec 2014 19:24:00 +0100
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source i386
Version: 1.5.20-9+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Antonio Radici <anto...@dyne.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
 mutt-dbg   - debugging symbols for mutt
 mutt-patched - the Mutt Mail User Agent with extra patches
Closes: 771125
Changes: 
 mutt (1.5.20-9+squeeze4) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix an incorrect use of mutt_substrdup() in write_one_header()
     reported in CVE-2014-0467 (Closes: #771125)

--- End Message ---
