I've been told that a message from Paul Boehm <paulat_private> is on its way to bugtraq about a buffer overflow in Mutt. To quote from his message:

>Hi, all (newer??) versions of mutt have got an
>overflowable buffer in parse.c. When sending a specially
>formatted Content-Type in the header you can, when putting
>special purpose shellcode that doesn't contain any / ; \n
>and spaces execute arbitrary code on the mutt running
>user's system.

Paul proposes a patch against 0.93 which will actually fix the overflow, but still uses a fixed-size buffer for things it shouldn't be used for.

The attached patch will go into Mutt 0.93.2(i) which I will release ASAP. It does also apply to most recent development versions.

tlr (Current mutt maintainer.)

-- 
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1

Attachment: patch-0.94.1i.tlr.content_type.1

Index: parse.c
===================================================================
RCS file: /home/roessler/cvsroot/mutt/parse.c,v
retrieving revision 1.1.1.1.2.3
diff -u -r1.1.1.1.2.3 parse.c
--- parse.c	1998/07/14 09:25:03	1.1.1.1.2.3
+++ parse.c	1998/07/29 10:27:17
@@ -245,8 +245,7 @@
 static void parse_content_type (char *s, BODY *ct)
 {
   char *pc;
-  char buffer[SHORT_STRING];
-  short i = 0;
+  char *subtype;
 
   safe_free((void **)&ct->subtype);
   mutt_free_parameter(&ct->parameter);
@@ -265,16 +264,13 @@
   }
 
   /* Now get the subtype */
-  if ((pc = strchr(s, '/')))
+  if ((subtype = strchr(s, '/')))
   {
-    *pc++ = 0;
-    while (*pc && !ISSPACE (*pc) && *pc != ';')
-    {
-      buffer[i++] = *pc;
-      pc++;
-    }
-    buffer[i] = 0;
-    ct->subtype = safe_strdup (buffer);
+    *subtype++ = '\0';
+    for(pc = subtype; *pc && !ISSPACE(*pc) && *pc != ';'; pc++)
+      ;
+    *pc = '\0';
+    ct->subtype = safe_strdup (subtype);
   }
 
   /* Finally, get the major type */
@@ -293,6 +289,8 @@
     ct->subtype = safe_strdup ("rfc822");
   else if (ct->type == TYPEOTHER)
   {
+    char buffer[SHORT_STRING];
+
     ct->type = TYPEAPPLICATION;
     snprintf (buffer, sizeof (buffer), "x-%s", s);
     ct->subtype = safe_strdup (buffer);
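Review bot: In the first hunk (@@ -245,8 +245,7 @@), replacing `char buffer[SHORT_STRING]` and `short i = 0` with `char *subtype` removes the copy target, but `subtype` points into the caller's `s`, so `parse_content_type` now relies on `s` being a writable, NUL-terminated string that it may modify in place; the old code wrote one byte into `s` (`*pc++ = 0`), the new code writes two. A comment on the declaration or on the function saying that `s` is modified in place would document that precondition for callers.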
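Review bot: In the second hunk (@@ -265,16 +264,13 @@), the removed `while` loop is the overflow itself: `buffer[i++] = *pc;` never compares `i` against `SHORT_STRING`, so a subtype longer than the buffer runs past it on the stack. The replacement `for` loop only advances `pc` to the end of the subtype and terminates it in place with `*pc = '\0';`, so nothing is copied and there is nothing to overflow, which is the right fix. One thing to confirm: the new `*pc = '\0'` cuts `s` off at the first space or `;` after the subtype, where the old code left everything past the `/` intact, so any code later in this function that still reads `s` (the `snprintf (..., "x-%s", s)` in the third hunk does) must not need what followed the subtype.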
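Review bot: In the third hunk (@@ -293,6 +289,8 @@), `char buffer[SHORT_STRING]` survives at block scope, but its only use is `snprintf (buffer, sizeof (buffer), "x-%s", s)`, which is bounded, so this path cannot overflow; it does silently truncate an unknown major type longer than `SHORT_STRING - 3` bytes (two for `x-`, one for the NUL). Since the cover note already says a fixed-size buffer is the wrong tool here, consider building the `x-` prefixed string in a dynamically sized allocation of `strlen(s) + 3` bytes before the `safe_strdup`, or at least add a comment stating that truncation is intended.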
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:43 PDT