Package: mutt
Version: 1.5.11+cvs20060126-2
Severity: grave
Tags: security
Justification: user security hole
Mutt doesn't filter control characters, in particular ^J and ^M,
from headers, which can lead to unwanted behavior; in particular, when
replying, the reply can be sent to a third address given in the Subject
(and the user probably won't notice it). More details are given here:
http://bugs.mutt.org/cgi-bin/gnatsweb.pl?debug=&database=mutt&cmd=view+audit-trail&cmd=view&pr=2173
I've attached:
* A test mailbox.
* The patch by TAKAHASHI Tamotsu, which includes the second fix
(in mbyte.c) from 2006-03-15.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.4-20051215
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Versions of packages mutt depends on:
ii exim4 4.60-5 metapackage to ease exim MTA (v4)
ii exim4-daemon-light [mail-tran 4.60-5 lightweight exim MTA (v4) daemon
ii libc6 2.3.6-3 GNU C Library: Shared libraries an
ii libdb4.3 4.3.29-5 Berkeley v4.3 Database Libraries [
ii libgnutls12 1.2.9-2 the GNU TLS library - runtime libr
ii libidn11 0.5.18-2 GNU libidn library, implementation
ii libncursesw5 5.5-1 Shared libraries for terminal hand
ii libsasl2 2.1.19-1.9 Authentication abstraction library
Versions of packages mutt recommends:
ii locales 2.3.6-3 GNU C Library: National Language (
ii mime-support 3.36-1 MIME files 'mime.types' & 'mailcap
-- no debconf information
>From [EMAIL PROTECTED] Thu Mar 2 15:15:36 2006
From: =?shift-jis?B??= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: =?UTF-8?Q?Test_for_Mutt_bug_2173=0D=0ACc:[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Test for Mutt bug 2173:
http://bugs.mutt.org/cgi-bin/gnatsweb.pl?debug=&database=mutt&cmd=view+audit-trail&cmd=view&pr=2173
Possible header spoofing in pager display and in replies with $edit_headers.
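The mechanism behind the test message above, as an added example that is not mutt's code: a minimal RFC 2047 "Q" encoded-word decoder turns the `=0D=0A` in the Subject back into a CR and LF, so the decoded value contains a line break followed by `Cc:`; written back as a header (the $edit_headers case), that is two header lines. A byte-level filter modelled on the patch's mutt_filter_unprintable then replaces the control characters with `?` and the value is one line again. This is an ASCII-only model (no charset conversion, `isprint` standing in for mutt's IsWPrint), the function names are ours, and the sample Subject and its address are constructed placeholders.

```c
/* Added example, not mutt code: Q-decode one encoded-word, show the injected
 * CR/LF, then neutralise it the way the patch's filter does (ASCII model). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the text of an "=?charset?Q?...?=" word into out.
 * Returns the decoded length, or -1 if the word is malformed or too long. */
int q_decode_word(const char *word, char *out, size_t outlen) {
    const char *p = word, *q;
    size_t n = 0;
    if (strncmp(p, "=?", 2) != 0) return -1;
    p += 2;
    q = strchr(p, '?');                       /* end of the charset token */
    if (!q) return -1;
    if (tolower((unsigned char)q[1]) != 'q' || q[2] != '?') return -1;
    p = q + 3;
    while (*p && !(p[0] == '?' && p[1] == '=')) {
        int c;
        if (*p == '=') {                      /* =XX hex escape, e.g. =0D */
            int hi = hexval((unsigned char)p[1]), lo;
            if (hi < 0) return -1;
            lo = hexval((unsigned char)p[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            p += 3;
        } else if (*p == '_') {               /* underscore encodes a space */
            c = ' ';
            p++;
        } else {
            c = (unsigned char)*p++;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    if (*p == '\0') return -1;                /* missing "?=" terminator */
    out[n] = '\0';
    return (int)n;
}

/* Replace every non-printable byte (controls incl. CR and LF, DEL) with '?'.
 * Returns the number of bytes replaced. Assumption: isprint() as the test. */
int filter_unprintable(char *s) {
    int replaced = 0;
    for (; *s; s++)
        if (!isprint((unsigned char)*s)) { *s = '?'; replaced++; }
    return replaced;
}

/* How many header lines "Subject: <value>\n" would occupy: each embedded LF
 * starts a new line, which is exactly how a smuggled "Cc:" becomes a header. */
int header_lines(const char *value) {
    int lines = 1;
    for (; *value; value++)
        if (*value == '\n') lines++;
    return lines;
}

int main(void) {
    /* Constructed sample modelled on the test mailbox; address is a placeholder */
    const char *subj =
        "=?UTF-8?Q?Test_for_Mutt_bug_2173=0D=0ACc:victim@example.invalid?=";
    char buf[256];
    if (q_decode_word(subj, buf, sizeof buf) < 0) return 1;
    printf("unfiltered: %d header line(s)\n", header_lines(buf));
    filter_unprintable(buf);
    printf("filtered:   %d header line(s): %s\n", header_lines(buf), buf);
    return 0;
}
```

The order matters: the filter has to run on the decoded bytes, after any charset conversion, which is where the patch places it in rfc2047.c and rfc2231.c.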
diff -r a8003c55a83e mbyte.c
--- a/mbyte.c Wed Mar 1 11:02:27 2006
+++ b/mbyte.c Sat Mar 4 23:44:29 2006
@@ -469,3 +469,36 @@
{
return Charset_is_utf8 ? 0xfffd : '?';
}
+
+int mutt_filter_unprintable (char **s)
+{
+ BUFFER *b = NULL;
+ wchar_t wc;
+ size_t k, k2;
+ char scratch[MB_LEN_MAX + 1];
+ char *p = *s;
+ mbstate_t mbstate1, mbstate2;
+
+ if (!(b = mutt_buffer_init (b)))
+ return -1;
+ memset (&mbstate1, 0, sizeof (mbstate1));
+ memset (&mbstate2, 0, sizeof (mbstate2));
+ for (; (k = mbrtowc (&wc, p, MB_LEN_MAX, &mbstate1)); p += k)
+ {
+ if (k == (size_t)(-1) || k == (size_t)(-2))
+ {
+ k = 1;
+ wc = replacement_char();
+ }
+ if (!IsWPrint (wc))
+ wc = '?';
+ k2 = wcrtomb (scratch, wc, &mbstate2);
+ scratch[k2] = '\0';
+ mutt_buffer_addstr (b, scratch);
+ }
+ FREE (s);
+ *s = b->data ? b->data : safe_calloc(1,1);
+ FREE (&b);
+ return 0;
+}
+
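Review bot: the result of `k2 = wcrtomb (scratch, wc, &mbstate2);` is used unchecked; wcrtomb returns (size_t)-1 when wc cannot be encoded in the current locale, and `scratch[k2] = '\0';` would then write to scratch[-1]. Test for (size_t)-1 and fall back to storing "?" (resetting mbstate2) before the addstr. Two smaller points in the same loop: after mbrtowc returns (size_t)-1 the state in mbstate1 is unspecified, so memset it again before continuing with p += 1 or the following bytes may be misdecoded; and the -1 return from the mutt_buffer_init check is dropped by both callers in this patch, so either document that *s is left untouched on that path or make the function void. Note also that IsWPrint rejects horizontal tab, so a tab inside a decoded word becomes '?' as well; that is acceptable here but worth stating in a comment.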
diff -r a8003c55a83e protos.h
--- a/protos.h Wed Mar 1 11:02:27 2006
+++ b/protos.h Sat Mar 4 23:44:29 2006
@@ -181,6 +181,7 @@
void mutt_edit_content_type (HEADER *, BODY *, FILE *);
void mutt_edit_file (const char *, const char *);
void mutt_edit_headers (const char *, const char *, HEADER *, char *, size_t);
+int mutt_filter_unprintable (char **);
void mutt_curses_error (const char *, ...);
void mutt_curses_message (const char *, ...);
void mutt_enter_command (void);
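Review bot: the prototype matches the definition, but the contract is undocumented: mutt_filter_unprintable frees *s and installs a newly allocated string, and only returns -1 when its scratch BUFFER cannot be allocated. A one-line comment here (or at the definition) saying that the caller's pointer is replaced would keep callers from holding aliases to the old value across the call.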
diff -r a8003c55a83e rfc2047.c
--- a/rfc2047.c Wed Mar 1 11:02:27 2006
+++ b/rfc2047.c Sat Mar 4 23:44:29 2006
@@ -705,6 +705,7 @@
if (charset)
mutt_convert_string (&d0, charset, Charset, M_ICONV_HOOK_FROM);
+ mutt_filter_unprintable (&d0);
strfcpy (d, d0, len);
FREE (&charset);
FREE (&d0);
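Review bot: placing the call after mutt_convert_string and before strfcpy is the right spot, since it runs on the bytes that will actually be displayed, but filtering can lengthen d0 (an undecodable byte becomes U+FFFD, three bytes when Charset_is_utf8, per replacement_char), so `strfcpy (d, d0, len);` may now truncate a header that previously fit; bounded, so acceptable, but worth a comment. The int result is also discarded; if the -1 path stays in mutt_filter_unprintable, handle it here rather than silently continuing with d0.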
diff -r a8003c55a83e rfc2231.c
--- a/rfc2231.c Wed Mar 1 11:02:27 2006
+++ b/rfc2231.c Sat Mar 4 23:44:29 2006
@@ -131,6 +131,7 @@
s = rfc2231_get_charset (p->value, charset, sizeof (charset));
rfc2231_decode_one (p->value, s);
mutt_convert_string (&p->value, charset, Charset, M_ICONV_HOOK_FROM);
+ mutt_filter_unprintable (&p->value);
*last = p;
last = &p->next;
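Review bot: same discarded return value as in rfc2047.c. Since mutt_filter_unprintable frees p->value and installs a fresh allocation, nothing derived from the old p->value may be used after this line; s points into the local charset buffer, so this call site is safe, but a comment would help the next reader. Whether parameter values that do not go through the RFC 2231 decode path shown here can still carry CR/LF is outside this hunk and worth checking separately.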