Mutt: Buffer overflow in recent versions.

From: Thomas Roessler (roesslerat_private)
Date: Wed Jul 29 1998 - 03:32:40 PDT


    I've been told that a message from Paul Boehm
    <paulat_private> is on its way to bugtraq about a buffer
    overflow in Mutt.  To quote from his message:
    
    >Hi, all (newer??) versions of mutt have got an
    >overflowable buffer in parse.c. When sending a specially
    >formatted Content-Type in the header you can, when putting
    >special purpose shellcode that doesn't contain any / ; \n
    >and spaces execute arbitrary code on the mutt running
    >user's system.
    
    Paul proposes a patch against 0.93 which will actually
    fix the overflow, but still uses a fixed-size buffer for
    things it shouldn't be used for. The attached patch will
    go into Mutt 0.93.2(i) which I will release ASAP.
    
    It also applies to the most recent development versions.
    
    tlr
    
    (Current mutt maintainer.)
    -- 
    Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
         2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
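Added example, not part of Roessler's message and not Mutt's source: a standalone C program that applies the idea of the attached patch to a read-only header value. The major type and subtype are found by scanning to the same terminators the patched loop checks (NUL, whitespace, `;`, and `/` for the major type), and every copy is allocated to the length actually scanned rather than written into a fixed `SHORT_STRING` array. The names `content_type`, `ct_parse`, `ct_free`, `scan_token`, `dup_range` and `ct_subtype_len_for` are this example's own; the sample header values are constructed, and `ct_subtype_len_for` builds a subtype far longer than any fixed stack buffer to show that the allocation simply follows the input.

```c
/* Added example, not Mutt's code: bounded "type/subtype[; params]" parsing in the spirit of the attached patch; every name below is this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cast first so a high-bit iso-8859-1 byte never reaches isspace() as a negative int. */
#define ISSPACE(c) isspace((unsigned char)(c))

typedef struct {
    char *type;     /* major type, e.g. "text"; heap-allocated */
    char *subtype;  /* subtype, e.g. "plain"; "" when no '/' is present */
} content_type;

/* Duplicate [start, end) into a buffer sized to that range; no length is assumed up front. */
static char *dup_range(const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    char *out = malloc(n + 1);
    if (!out) abort();
    memcpy(out, start, n);
    out[n] = '\0';
    return out;
}

/* Advance over a token; stop at NUL, whitespace, ';' and, for the major type, '/'. */
static const char *scan_token(const char *p, int stop_at_slash)
{
    while (*p && !ISSPACE(*p) && *p != ';' && !(stop_at_slash && *p == '/'))
        p++;
    return p;
}

/* Parse a header value into ct: 0 on success, -1 if the major type is empty.
 * Unlike the patch, which terminates the subtype inside s, the input stays untouched. */
int ct_parse(const char *value, content_type *ct)
{
    const char *start, *p = value;
    ct->type = ct->subtype = NULL;
    while (ISSPACE(*p))
        p++;
    start = p;
    p = scan_token(p, 1);
    if (p == start)
        return -1;                       /* "/plain" or blank: reject */
    ct->type = dup_range(start, p);
    if (*p == '/') {
        start = ++p;
        p = scan_token(p, 0);            /* same terminators as the patched loop */
        ct->subtype = dup_range(start, p);
    } else {
        ct->subtype = dup_range(p, p);   /* no '/': empty subtype */
    }
    return 0;
}

void ct_free(content_type *ct)
{
    free(ct->type);
    free(ct->subtype);
}

/* Constructed stress input "x/" + n * 'a' + "; q=1"; returns the parsed subtype
 * length. The removed Mutt loop would overrun its stack array once n reached SHORT_STRING. */
size_t ct_subtype_len_for(size_t n)
{
    char *value = malloc(n + 8);
    content_type ct;
    size_t len = 0;
    if (!value) abort();
    memcpy(value, "x/", 2);
    memset(value + 2, 'a', n);
    memcpy(value + 2 + n, "; q=1", 6);   /* 6 bytes: includes the NUL */
    if (ct_parse(value, &ct) == 0) {
        len = strlen(ct.subtype);
        ct_free(&ct);
    }
    free(value);
    return len;
}

int main(void)
{
    const char *samples[] = { "text/plain; charset=iso-8859-1", "text", "/plain",
                              "multipart/mixed;boundary=h31gzZEtNLTqOjlF" };   /* constructed */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        content_type ct;
        if (ct_parse(samples[i], &ct) == 0) {
            printf("%-42s -> type=\"%s\" subtype=\"%s\"\n", samples[i], ct.type, ct.subtype);
            ct_free(&ct);
        } else
            printf("%-42s -> rejected\n", samples[i]);
    }
    printf("100000-byte subtype parsed, length %zu\n", ct_subtype_len_for(100000));
    return 0;
}
```

The program copies each piece out instead of writing a terminator into the caller's string as the patch does; that keeps the header value `const` and re-parsable, at the cost of one extra allocation. The invariant that matters for the overflow is the same in both: the only buffer the subtype ever lands in is one sized from the subtype itself.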
    
    [Attachment: patch-0.94.1i.tlr.content_type.1 (text/plain)]
    Index: parse.c
    ===================================================================
    RCS file: /home/roessler/cvsroot/mutt/parse.c,v
    retrieving revision 1.1.1.1.2.3
    diff -u -r1.1.1.1.2.3 parse.c
    --- parse.c     1998/07/14 09:25:03     1.1.1.1.2.3
    +++ parse.c     1998/07/29 10:27:17
    @@ -245,8 +245,7 @@
     static void parse_content_type (char *s, BODY *ct)
     {
       char *pc;
    -  char buffer[SHORT_STRING];
    -  short i = 0;
    +  char *subtype;
     
       safe_free((void **)&ct->subtype);
       mutt_free_parameter(&ct->parameter);
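    Review bot: dropping `buffer` and `i` from the function-scope declarations is only consistent because the third hunk (`@@ -293,6 +289,8 @@`) re-declares `buffer` inside the `TYPEOTHER` block, where `snprintf (buffer, sizeof (buffer), "x-%s", s)` still needs it; the three hunks must be applied together, since the first two on their own leave that `snprintf` referring to an undeclared name. It would also help readers of the RCS history to record that `short i` was the unchecked index behind the overflow, so this hunk reads as part of the security fix rather than as a tidy-up.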
    @@ -265,16 +264,13 @@
       }
       
       /* Now get the subtype */
    -  if ((pc = strchr(s, '/')))
    +  if ((subtype = strchr(s, '/')))
       {
    -    *pc++ = 0;
    -    while (*pc && !ISSPACE (*pc) && *pc != ';')
    -    {
    -      buffer[i++] = *pc;
    -      pc++;
    -    }
    -    buffer[i] = 0;
    -    ct->subtype = safe_strdup (buffer);
    +    *subtype++ = '\0';
    +    for(pc = subtype; *pc && !ISSPACE(*pc) && *pc != ';'; pc++)
    +      ;
    +    *pc = '\0';
    +    ct->subtype = safe_strdup (subtype);
       }
     
       /* Finally, get the major type */
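    Review bot: the overflow is the unchecked index in the removed loop (`buffer[i++] = *pc` with nothing comparing `i` against `SHORT_STRING`, so a subtype longer than the array wrote past the end of a stack buffer), and the replacement closes it by never copying into a fixed array at all: the subtype is terminated where it sits and `safe_strdup (subtype)` allocates to its actual length, so the missing bound no longer needs to exist. Writing `*pc = '\0'` into `s` is acceptable here because the function already modified `s` in place (`*pc++ = 0` at the slash in the old code). One style point: the empty-bodied `for` with a lone `;` on the next line is easy to misread as a loop around the following `*pc = '\0'`; `while (*pc && !ISSPACE(*pc) && *pc != ';') pc++;` states the same intent more plainly.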
    @@ -293,6 +289,8 @@
           ct->subtype = safe_strdup ("rfc822");
         else if (ct->type == TYPEOTHER)
         {
    +      char buffer[SHORT_STRING];
    +
           ct->type =3D TYPEAPPLICATION;
           snprintf (buffer, sizeof (buffer), "x-%s", s);
           ct->subtype =3D safe_strdup (buffer);
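    Review bot: the re-declared `buffer[SHORT_STRING]` keeps one fixed-size array in the function, which the cover note itself describes as something such a buffer "shouldn't be used for"; `snprintf (buffer, sizeof (buffer), "x-%s", s)` bounds the write, so an over-long unknown major type is truncated rather than overflowing, but the truncated `x-` subtype is then stored silently. A heap allocation of `strlen (s) + 3` bytes (room for `"x-"` and the terminator) fed to the same format would remove both the last fixed buffer and the truncation. Also worth confirming that the `snprintf` reached here is a bounded, NUL-terminating implementation on every platform Mutt builds on, since the fix depends on it.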
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:43 PDT