Mutt Off-by-one Buffer Overflow in Processing IMAP Messages May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1006405
CVE Reference: CAN-2003-0167
Date: Mar 28 2003
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.3.28 and prior versions

Description: A potential buffer overflow vulnerability was reported in the Mutt e-mail client. A remote user may be able to execute arbitrary code.

Byrial Jensen reported that there is a potential buffer overflow caused by an off-by-one error in Mutt's 'imap/util.c' file on line 125. The maximum field width in a sscanf() function call is 1 byte too large, so a maximum-length match leaves no room in the receiving buffer for the terminating null character.

A remote user (acting as an IMAP server) may be able to cause a target user's Mutt client to crash or possibly execute arbitrary code when connected to the IMAP server.

[Editor's note: This was made public in April 2002, but not widely reported on security discussion lists.]
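
The off-by-one described above, made observable in an added example (not code from Mutt or from the original report). It assumes a 128-byte destination field, as the fix from 128 to 127 implies, followed by one guard byte in the same array so the extra write stays in owned memory; make_path, guard_hit_width128 and guard_hit_width127 are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 128  /* assumed destination size, implied by the 128 -> 127 fix */
#define GUARD      0x5A /* sentinel stored in the byte just past the field */

/* Build a constructed path "{AAA...}" with n characters between the braces. */
static void make_path(char *out, size_t n)
{
    out[0] = '{';
    memset(out + 1, 'A', n);
    out[n + 1] = '}';
    out[n + 2] = '\0';
}

/* Scan with the original width. Returns 1 if the byte past the field was
 * overwritten, 0 if it is intact, -1 if sscanf() converted nothing. */
static int guard_hit_width128(const char *path)
{
    unsigned char arena[FIELD_SIZE + 1]; /* field plus guard: write stays in bounds */
    memset(arena, GUARD, sizeof arena);
    if (sscanf(path, "{%128[^}]}", (char *)arena) != 1)
        return -1;
    return arena[FIELD_SIZE] != GUARD;
}

/* Same scan with the corrected width from the patch. */
static int guard_hit_width127(const char *path)
{
    unsigned char arena[FIELD_SIZE + 1];
    memset(arena, GUARD, sizeof arena);
    if (sscanf(path, "{%127[^}]}", (char *)arena) != 1)
        return -1;
    return arena[FIELD_SIZE] != GUARD;
}

int main(void)
{
    const size_t lens[] = { 16, 127, 128, 200 }; /* constructed input lengths */
    char path[256];
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_path(path, lens[i]);
        printf("%3zu chars: %%128 guard hit=%d, %%127 guard hit=%d\n",
               lens[i], guard_hit_width128(path), guard_hit_width127(path));
    }
    return 0;
}
```

The guard byte is only touched once the input reaches 128 characters, which is why the flaw does not show up with ordinary host names.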

Impact: A remote IMAP server may be able to cause a target user's connected Mutt client to crash or execute arbitrary code.
Solution: The vendor corrected this flaw in version 1.3.99i and later versions. The latest versions are available at:
http://mutt.org/download.html
Vendor URL: www.mutt.org/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Fri, 28 Mar 2003 14:46:41 -0500
Subject: Buffer overflow in imap/util.c

List: mutt-dev
Subject: [1.3.28] Patch: Buffer overflow in imap/util.c
From: Byrial Jensen <byrial () image ! dk>
Date: 2002-04-28 20:20:04
--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
There is a possible buffer overflow due to an off-by-one error in
imap/util.c, line 125. The error is in the maximum field width
indication in the sscanf() call. You must have room in the
receiving buffer for this number of characters /plus a
terminating NULL character/.
--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="patch-1.3.28.bj.sscanf_fix.1"
--- imap/util.c~ Sun Jan 13 22:16:34 2002
+++ imap/util.c Sun Apr 28 21:56:29 2002
@@ -122,7 +122,7 @@ int imap_parse_path (const char* path, I
else
{
FREE (&c);
- if (sscanf (path, "{%128[^}]}", tmp) != 1)
+ if (sscanf (path, "{%127[^}]}", tmp) != 1)
return -1;
c = strchr (path, '}');
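Review bot: In the "{%127[^}]}" scan, sscanf() returns 1 as soon as the bracket conversion is stored, whether or not the closing '}' then matches, so a brace-enclosed part longer than 127 characters is silently truncated into tmp while the following c = strchr (path, '}') still finds the real brace. Rejecting that case (for example by comparing the length stored in tmp with the distance to the '}') would be safer than parsing a truncated host. The literal 127 is also tied to the size of tmp, which is not visible in this hunk; a comment at the call, or a width derived from the same constant as the declaration, would keep the two from drifting apart again.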
@@ -140,7 +140,7 @@ int imap_parse_path (const char* path, I
mx->account.flags |= M_ACCT_USER;
}
- if ((n = sscanf (tmp, "%128[^:/]%128s", mx->account.host, tmp)) < 1)
+ if ((n = sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp)) < 1)
{
dprint (1, (debugfile, "imap_parse_path: NULL host in %s\n", path));
FREE (&mx->mbox);
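Review bot: The second conversion in sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp) stores into tmp while tmp is also the string being scanned, and the C standard leaves sscanf() undefined when copying takes place between overlapping objects. Scanning the remainder into a separate buffer, or locating it with a pointer into tmp, would remove the overlap. The two 127 widths assume that mx->account.host and tmp are both 128 bytes; neither declaration appears in this hunk, so that is worth stating in a comment next to the call.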
@@ -148,7 +148,7 @@ int imap_parse_path (const char* path, I
}
if (n > 1) {
- if (sscanf (tmp, ":%hd%128s", &(mx->account.port), tmp) >= 1)
+ if (sscanf (tmp, ":%hd%127s", &(mx->account.port), tmp) >= 1)
mx->account.flags |= M_ACCT_PORT;
if (sscanf (tmp, "/%s", tmp) == 1)
{
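Review bot: The unchanged context line if (sscanf (tmp, "/%s", tmp) == 1) at the end of this hunk still has no field width and also scans tmp into itself. Because source and destination are the same buffer the output cannot be longer than the input, but the overlap is undefined behaviour and the missing width becomes a real overflow if the source is ever changed; giving it the same 127 limit and a separate destination would make it consistent with the lines fixed here. Separately, %hd writes to mx->account.port with no check that the number fits, so an out-of-range port in the path is not rejected.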
--GvXjxJ+pjyke8COw--