Bug 1329527

Summary: mutt: plaintext attachment output truncated after null byte
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: dkholia, fale, hhorak, jpacner, mmuzila
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-06-01 11:06:54 UTC
Bug Depends On: 1329528
Bug Blocks: 1329529

Description Andrej Nemec 2016-04-22 07:47:27 UTC
A vulnerability was found in mutt. The builtin pager would truncate the attachment output after a null byte. This might give the attacker the opportunity to provide malicious input, which won't be seen by the victim.

Original bug report (with reproducer):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821951
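
A check for the condition described above, added here as an example (it is not code from the bug report or from mutt): it flags text attachments whose decoded body contains a NUL byte followed by more content, which is the part a truncating viewer would not show. The function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def find_nul_truncation(raw: bytes):
    """Return (filename, nul_offset, bytes_after_nul) for every text/* part
    whose decoded body has a NUL byte followed by further content."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and binary attachments
        body = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if not body:
            continue
        offset = body.find(b"\x00")
        trailing = len(body) - offset - 1
        if offset != -1 and trailing > 0:
            name = part.get_filename() or "<inline>"
            findings.append((name, offset, trailing))
    return findings


# Constructed sample data: what a truncating viewer shows, and what follows.
VISIBLE = b"Please review the attached notes.\n"
HIDDEN = b"constructed text placed after the NUL byte\n"


def build_sample(payload: bytes) -> bytes:
    """Build a constructed message carrying `payload` as a text/plain attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="text", subtype="plain",
                       filename="notes.txt")  # bytes are base64-encoded
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample(VISIBLE + b"\x00" + HIDDEN)
    for name, offset, trailing in find_nul_truncation(raw):
        print(f"{name}: NUL at byte {offset}, {trailing} bytes follow it")
```
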

Comment 1 Andrej Nemec 2016-04-22 07:48:01 UTC
Created mutt tracking bugs for this issue:

Affects: fedora-all [bug 1329528]

Comment 2 Dhiru Kholia 2016-06-01 11:01:08 UTC
The user might get confused by the partial rendering of the attachment, but the user needs to take further steps (like running arbitrary attachments) to get compromised.

Comment 3 Honza Horak 2016-10-05 13:04:26 UTC
So we can close bug #1329528 as well, right?

Comment 4 Fabio Alessandro Locati 2016-10-05 13:45:34 UTC
@Honza, I think that we should do it