Package: mutt
Version: 1.5.11+cvs20060126-2
Severity: grave
Tags: security
Justification: user security hole
Mutt doesn't filter control characters, in particular ^J and ^M, from headers, which can lead to unwanted behavior; in particular, when replying, the reply can be sent to a third address given in the Subject (and the user probably won't notice it). More details are given here:

http://bugs.mutt.org/cgi-bin/gnatsweb.pl?debug=&database=mutt&cmd=view+audit-trail&cmd=view&pr=2173

I've attached:

* A test mailbox.
* The patch by TAKAHASHI Tamotsu, which includes the second fix (in mbyte.c) from 2006-03-15.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.4-20051215
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)

Versions of packages mutt depends on:
ii  exim4                         4.60-5     metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.60-5     lightweight exim MTA (v4) daemon
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libdb4.3                      4.3.29-5   Berkeley v4.3 Database Libraries [
ii  libgnutls12                   1.2.9-2    the GNU TLS library - runtime libr
ii  libidn11                      0.5.18-2   GNU libidn library, implementation
ii  libncursesw5                  5.5-1      Shared libraries for terminal hand
ii  libsasl2                      2.1.19-1.9 Authentication abstraction library

Versions of packages mutt recommends:
ii  locales                       2.3.6-3    GNU C Library: National Language (
ii  mime-support                  3.36-1     MIME files 'mime.types' & 'mailcap

-- no debconf information
>From [EMAIL PROTECTED] Thu Mar  2 15:15:36 2006
From: =?shift-jis?B??= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: =?UTF-8?Q?Test_for_Mutt_bug_2173=0D=0ACc:[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Test for Mutt bug 2173:
http://bugs.mutt.org/cgi-bin/gnatsweb.pl?debug=&database=mutt&cmd=view+audit-trail&cmd=view&pr=2173

Possible header spoofing in pager display and in replies with $edit_headers.
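To make the mechanism in the report concrete, here is an added Python example; it is not code from the bug report or from mutt. It decodes the Subject of a constructed message modelled on the test mailbox above (placeholder addresses, not the redacted ones), writes the headers out the way $edit_headers hands them to an editor, re-parses that buffer, and compares the result with and without a filter that, like the patch's mutt_filter_unprintable(), turns non-printable characters into '?'. The message text, the addresses and all function names are assumptions made for the example.

```python
import base64
import re

# Constructed test message, modelled on the report's attached mailbox.
# The addresses are placeholders, not the redacted ones in the report.
RAW_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: =?UTF-8?Q?Test_for_Mutt_bug_2173=0D=0ACc:attacker@example.invalid?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Test body\n"
)

# RFC 2047 encoded-word: =?charset?Q|B?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")
HEX = "0123456789abcdefABCDEF"


def decode_q(token):
    """RFC 2047 'Q' encoding: '_' is a space and =XX is one raw byte.
    Nothing here stops =0D=0A from producing a CR LF pair in the result."""
    out = bytearray()
    i = 0
    while i < len(token):
        if token[i] == "_":
            out.append(0x20)
            i += 1
        elif (token[i] == "=" and i + 2 < len(token)
              and all(c in HEX for c in token[i + 1:i + 3])):
            out.append(int(token[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(token[i]))
            i += 1
    return bytes(out)


def decode_encoded_words(value):
    """Decode every encoded-word in a header value; other text is kept."""
    def replace(match):
        charset, encoding, text = match.group(1), match.group(2).lower(), match.group(3)
        raw = decode_q(text) if encoding == "q" else base64.b64decode(text)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(replace, value)


def filter_unprintable(value):
    """The fix, mirroring what mutt_filter_unprintable() in the patch does
    with IsWPrint(): every non-printable character (CR, LF, TAB and the other
    C0/C1 controls) becomes '?'. str.isprintable() keeps ordinary spaces."""
    return "".join(c if c.isprintable() else "?" for c in value)


def parse_headers(text):
    """Minimal header parser (no folding): one 'Name: value' per line up to
    the first empty line, which is how an editor round-trip re-reads them."""
    headers = []
    for line in text.split("\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def editor_view(raw, sanitize):
    """Emulate $edit_headers: the decoded header block handed to the editor."""
    lines = []
    for name, value in parse_headers(raw):
        decoded = decode_encoded_words(value)
        if sanitize:
            decoded = filter_unprintable(decoded)
        lines.append("%s: %s" % (name, decoded))
    return "\n".join(lines) + "\n\n"


def headers_after_roundtrip(raw, sanitize):
    """Header name -> value once the edited buffer is parsed back in.
    Unfiltered, the CR LF inside the decoded Subject ends one header line and
    starts a new one, so a Cc header the sender never sent appears."""
    return dict(parse_headers(editor_view(raw, sanitize)))


if __name__ == "__main__":
    for sanitize in (False, True):
        print("sanitize=%s -> %s" % (sanitize, headers_after_roundtrip(RAW_MESSAGE, sanitize)))
```

Without the filter the round-trip yields a Cc header pointing at the injected address while the Subject looks clean, which is exactly why the user is unlikely to notice; with the filter the Subject shows "??Cc:..." inline and no extra recipient exists. The same replacement applies to TAB, so a filtered header can lose legitimate tabs as well.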
diff -r a8003c55a83e mbyte.c --- a/mbyte.c Wed Mar 1 11:02:27 2006 +++ b/mbyte.c Sat Mar 4 23:44:29 2006 @@ -469,3 +469,36 @@ { return Charset_is_utf8 ? 0xfffd : '?'; } + +int mutt_filter_unprintable (char **s) +{ + BUFFER *b = NULL; + wchar_t wc; + size_t k, k2; + char scratch[MB_LEN_MAX + 1]; + char *p = *s; + mbstate_t mbstate1, mbstate2; + + if (!(b = mutt_buffer_init (b))) + return -1; + memset (&mbstate1, 0, sizeof (mbstate1)); + memset (&mbstate2, 0, sizeof (mbstate2)); + for (; (k = mbrtowc (&wc, p, MB_LEN_MAX, &mbstate1)); p += k) + { + if (k == (size_t)(-1) || k == (size_t)(-2)) + { + k = 1; + wc = replacement_char(); + } + if (!IsWPrint (wc)) + wc = '?'; + k2 = wcrtomb (scratch, wc, &mbstate2); + scratch[k2] = '\0'; + mutt_buffer_addstr (b, scratch); + } + FREE (s); + *s = b->data ? b->data : safe_calloc(1,1); + FREE (&b); + return 0; +} + diff -r a8003c55a83e protos.h --- a/protos.h Wed Mar 1 11:02:27 2006 +++ b/protos.h Sat Mar 4 23:44:29 2006 @@ -181,6 +181,7 @@ void mutt_edit_content_type (HEADER *, BODY *, FILE *); void mutt_edit_file (const char *, const char *); void mutt_edit_headers (const char *, const char *, HEADER *, char *, size_t); +int mutt_filter_unprintable (char **); void mutt_curses_error (const char *, ...); void mutt_curses_message (const char *, ...); void mutt_enter_command (void); diff -r a8003c55a83e rfc2047.c --- a/rfc2047.c Wed Mar 1 11:02:27 2006 +++ b/rfc2047.c Sat Mar 4 23:44:29 2006 @@ -705,6 +705,7 @@ if (charset) mutt_convert_string (&d0, charset, Charset, M_ICONV_HOOK_FROM); + mutt_filter_unprintable (&d0); strfcpy (d, d0, len); FREE (&charset); FREE (&d0); diff -r a8003c55a83e rfc2231.c --- a/rfc2231.c Wed Mar 1 11:02:27 2006 +++ b/rfc2231.c Sat Mar 4 23:44:29 2006 @@ -131,6 +131,7 @@ s = rfc2231_get_charset (p->value, charset, sizeof (charset)); rfc2231_decode_one (p->value, s); mutt_convert_string (&p->value, charset, Charset, M_ICONV_HOOK_FROM); + mutt_filter_unprintable (&p->value); *last = p; last = &p->next;
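Review bot: in the mbyte.c hunk, mutt_filter_unprintable() does not reset mbstate1 after mbrtowc() returns (size_t)-1; the loop sets k = 1, substitutes replacement_char() and keeps decoding with a conversion state the C standard leaves unspecified after an encoding error, so the k == -1/-2 branch should re-zero it (memset (&mbstate1, 0, sizeof (mbstate1))) before continuing. In the same loop, k2 = wcrtomb (scratch, wc, &mbstate2) is used as an index without a check; if it ever returns (size_t)-1, scratch[k2] = '\0' writes out of bounds, so test for that and fall back to '?'. Worth a comment as well: IsWPrint() rejects TAB along with CR and LF, so a decoded header containing a tab is now displayed and edited as '?'.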
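Review bot: in the rfc2047.c hunk the return value of mutt_filter_unprintable (&d0) is dropped; when it returns -1 (mutt_buffer_init failed) d0 is left untouched and the following strfcpy (d, d0, len) copies the raw decoded text, control characters included, into d. Either treat -1 as a decode failure or make the filter fail closed so that an allocation failure cannot reopen the hole this patch closes.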
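Review bot: the rfc2231.c hunk has the same unchecked call, mutt_filter_unprintable (&p->value); on -1 the converted parameter value flows into the parameter list (*last = p) unfiltered. Check the result here too, and add a comment that this is the point that keeps CR/LF out of decoded RFC 2231 parameter values such as a filename, otherwise a later reader will not see why a display filter sits in a parameter decoder.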