Bug 152669

Summary: Remotely-triggerable crash in the menu drawing in mutt.
Product: [Retired] Fedora Legacy
Component: Package request
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.mutt.org/
Reporter: David Lawrence <dkl>
Assignee: Fedora Legacy Bugs <bugs>
CC: bugs.michael, notting
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:23:23 UTC
A bug was found in the index menu code in versions of mutt. A remote
attacker could send a carefully crafted mail message that can cause mutt
to segfault and possibly execute arbitrary code as the victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0078 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
https://rhn.redhat.com/errata/RHSA-2004-051.html#Red%20Hat%20Linux%209



------- Additional Comments From Freedom_Lover 2004-02-11 10:30:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)

Fixes: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
Patch: http://marc.theaimsgroup.com/?l=mutt-users&m=107651188213682&w=2

rpm changelog:
* Wed Feb 11 2004 Todd Zullinger <Freedom_Lover> 5:1.4.1-0.8.x.1.legacy
 - patch to fix CAN-2004-0078
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078
 - s/Serial/Epoch/
 - s/BuildPrereq/BuildRequires/
 - add BuildRequires: cyrus-sasl-devel

packages and sha1sum:
http://pobox.com/~tmz/legacy/mutt-1.4.1-0.8.x.1.legacy.src.rpm
http://pobox.com/~tmz/legacy/mutt-1.4.1-0.8.x.1.legacy.i386.rpm
http://pobox.com/~tmz/legacy/mutt-1.4.1-0.8.x.1.legacy-sha1sum.asc

2f0e905b5c6aa37cb1eadf8bd555487c41396076  mutt-1.4.1-0.8.x.1.legacy.src.rpm
dad79530d09d49ca3322ff1ffccad3a529057aa2  mutt-1.4.1-0.8.x.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAKpKouv+09NZUB1oRAnP6AKCkjyJgffs2Tn6fBZ2+wTH+j6HefgCgp+H0
Nk2t0PQ7f3ZVsqddDxGDdqY=
=DJMN
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-02-12 01:51:26 ----

* rh9 erratum contains one additional bug-fix

* Todd's package builds fine on rh73, too, as a last resort



------- Additional Comments From matt.phillips.org 2004-02-12 05:10:24 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Update for Red Hat Linux release 7.3 
 
Fixes: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078 
Patch: slightly modified version of 
http://marc.theaimsgroup.com/?l=mutt-users&m=107651188213682&w=2 
 
rpm changelog: 
 
* Thu Feb 12 2004 Matt Phillips <matt.phillips.org> 
- - patch to fix CAN-2004-0078 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0078 
- - s/Serial/Epoch/ 
- - s/BuildPrereq/BuildRequires/ 
 
packages and sha1sum: 
 
http://moses.om.org/mattp/legacy/mutt-1.2.5.1-2.legacy.src.rpm 
http://moses.om.org/mattp/legacy/mutt-1.2.5.1-2.legacy.i386.rpm 
http://moses.om.org/mattp/legacy/mutt-1.2.5.1-2.legacy-sha1sum.asc 
 
81b0b73bb83136522185ebe2f21ec0715d17c555  mutt-1.2.5.1-2.legacy.i386.rpm 
a2084a7b8a957e74fde879a765f7832a21f8e3d3  mutt-1.2.5.1-2.legacy.src.rpm 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFAK5i/nyu2LA2qevQRAp9TAKCs0c64zz/dNqGPcBY+w1N1nIhbGwCeP7lA 
zyvVtRgX+iFzkWCnaBHEBV4= 
=uM3n 
-----END PGP SIGNATURE----- 



------- Additional Comments From bugs.michael 2004-02-12 10:19:45 ----

Attention, Matt Phillips!

Your src.rpm does not apply Patch12. And the patch for mutt 1.4.1 cannot be
modified "slightly" to become compatible with mutt 1.2.5.1. Much more is
required, since the official fix uses a multibyte string formatting helper
function, which is not available in mutt 1.2.5.1.




------- Additional Comments From matt.phillips.org 2004-02-12 10:34:34 ----

Michael Schwendt -

Yes, you're right!  Thought that was a little too easy.  Reworking it now.



------- Additional Comments From Freedom_Lover 2004-02-12 10:50:36 ----

Regarding the 1.2.5.1 patches and not being a C guru, are any of you guys that
are capable with C sure this vulnerability is even relevant?  RHAS 2.1 includes
mutt-1.2.5.1 and they've not issued a patch for this yet.  I've been checking
https://rhn.redhat.com/errata/rh21as-errata.html to see if they do and what the
patch looks like.

BTW, Matt, you should sign the RPMS and the sha1sum.asc file as well.  For the
sha1sums, you would output to sha1sum and then sign that, which will leave you
with the sha1sum.asc file.  HTH.

Thanks for looking at 1.2.5.1, I was sure I'd need help getting that patched up
properly (if it indeed needs patching at all).  I asked yesterday on IRC if
anyone could tell whether it needed patching, but no one replied while I was
hanging out during the afternoon.



------- Additional Comments From bugs.michael 2004-02-12 11:18:47 ----

I've explained my point of view in #fedora-legacy, but I don't let my client
hang around in that channel, so I don't know about any discussions after the
short time I've been there:

I'm not familiar with the "mutt" code. To me it looks as if the function that is
patched in 1.4.1i is not vulnerable itself, but is just a central place where
character strings can be modified to not cause a crash elsewhere. The function
takes a buffer and buffer size as argument. So whatever it does in that buffer
(it pads the end of the buffer with space characters up to screen width), can be
made safe. It must be elsewhere, where the buffer content triggers something.
Now, the fix for the 1.4.1i code uses a character string formatting helper
function which handles multibyte characters, too. Hence I presume that the
vulnerability might be related to multibyte character strings which are
processed incorrectly somewhere in mutt and cause it to crash.




------- Additional Comments From matt.phillips.org 2004-02-12 11:23:38 ----

The backport for Red Hat 7.3 is going to be quite complicated (at least for me).
The newer versions of mutt use a helper function which is not in the older
version.  It's not really possible to just pull that function into the older
version because it appears to be intertwined with a bunch of other wide-char
support bits.

Does anybody know of a proof-of-concept for this vulnerability?  Maybe someone
with a bit more C knowledge would have a better crack at fixing this, or even
proving if this version is vulnerable...



------- Additional Comments From bugs.michael 2004-02-12 11:43:30 ----

With word from Red Hat that 1.2.x is not vulnerable, I've had another look at
the code. Actually, I say the original call of mutt_format_string(..) in mutt
1.4.1 in menu_pad_string(..) is the culprit. So, I stick to comment 7, the
padding code in menu_pad_string(..) in 1.2.x is not vulnerable.
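The padding routine discussed in the two comments above (a buffer plus its size, padded with spaces out to the screen width, with multibyte text in play) can be shown in a few dozen lines. The block below is an added example; it is not code from mutt, from the patch linked above, or from the test-case attachment. It assumes UTF-8 input, treats every code point as one screen column (real code would ask wcwidth() about wide and combining characters), and in the hardened version formats from a separate copy of the input; that last choice is my reading of the remark that the original mutt_format_string call in menu_pad_string is the culprit, not something the bug report states. The byte-counted version keeps a clamp to the buffer size so the example runs without overrunning anything; what it still gets wrong is visible in the results: it cuts inside a multibyte sequence and pads to the wrong width.

```c
/* Added example, not mutt's code. Byte-counted vs. column-aware padding of a
 * menu line to a terminal width, inside a fixed-size buffer.
 * Assumptions (mine): UTF-8 input; one screen column per code point (a real
 * implementation would use wcwidth()); the hardened padder formats from a
 * scratch copy of its input. Names below are made up for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte length (1..4) of the UTF-8 sequence at s, given that at most len bytes
 * are readable; 0 if it is not structurally well-formed. (Structural check
 * only: overlong forms and surrogates are not rejected.) */
static size_t utf8_seq_len(const unsigned char *s, size_t len)
{
    size_t n;
    if (len == 0) return 0;
    if (s[0] < 0x80) return 1;
    else if (s[0] >= 0xC2 && s[0] <= 0xDF) n = 2;
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) n = 3;
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) n = 4;
    else return 0;
    if (n > len) return 0;
    for (size_t i = 1; i < n; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return n;
}

/* 1 if s is well-formed UTF-8 by the check above, else 0. */
int utf8_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t left = strlen(s);
    while (left) {
        size_t n = utf8_seq_len(p, left);
        if (n == 0) return 0;
        p += n; left -= n;
    }
    return 1;
}

/* Screen columns of s under the one-column-per-code-point assumption;
 * (size_t)-1 if s is not valid UTF-8. */
size_t utf8_columns(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t left = strlen(s), cols = 0;
    while (left) {
        size_t n = utf8_seq_len(p, left);
        if (n == 0) return (size_t)-1;
        p += n; left -= n; cols++;
    }
    return cols;
}

/* Byte-counted padder: treats strlen() as the display width and cuts or pads
 * at a byte offset. The clamp to bufsize keeps this example free of overruns
 * (without it, cols > bufsize writes past the buffer); it still splits a
 * multibyte sequence on truncation and pads to the wrong width.
 * Returns the number of columns it believes it produced. */
size_t pad_bytes(char *buf, size_t bufsize, size_t cols)
{
    size_t limit = cols < bufsize - 1 ? cols : bufsize - 1;
    size_t n = strlen(buf);
    if (n < limit)
        memset(buf + n, ' ', limit - n);
    buf[limit] = '\0';
    return limit;
}

/* Column-aware padder: shows exactly cols columns where the buffer allows,
 * never uses more than bufsize-1 bytes plus the terminator, never ends in a
 * partial sequence. Reads from a scratch copy so the read and write cursors
 * can never touch the same bytes. Returns the columns actually produced, or
 * (size_t)-1 on invalid UTF-8 (buf is then left unchanged). */
size_t pad_columns(char *buf, size_t bufsize, size_t cols)
{
    size_t inlen = strlen(buf), out = 0, width = 0;
    unsigned char *scratch;
    if (bufsize == 0 || utf8_columns(buf) == (size_t)-1) return (size_t)-1;
    scratch = malloc(inlen + 1);
    if (!scratch) return (size_t)-1;
    memcpy(scratch, buf, inlen + 1);
    /* copy whole characters while both the column budget and the buffer allow */
    for (size_t i = 0; i < inlen && width < cols; ) {
        size_t n = utf8_seq_len(scratch + i, inlen - i); /* > 0: validated above */
        if (out + n > bufsize - 1) break;
        memcpy(buf + out, scratch + i, n);
        out += n; i += n; width++;
    }
    /* pad with spaces up to the column budget, still inside the buffer */
    while (width < cols && out < bufsize - 1) {
        buf[out++] = ' ';
        width++;
    }
    buf[out] = '\0';
    free(scratch);
    return width;
}

int main(void)
{
    char a[16] = "h\xc3\xa9llo"; /* constructed input: "héllo", 6 bytes, 5 columns */
    char b[16] = "h\xc3\xa9llo";
    printf("bytes:   claimed %zu cols, real %zu cols, [%s]\n",
           pad_bytes(a, sizeof a, 8), utf8_columns(a), a);
    printf("columns: claimed %zu cols, real %zu cols, [%s]\n",
           pad_columns(b, sizeof b, 8), utf8_columns(b), b);
    return 0;
}
```

Here `cols` stands for the terminal width and `bufsize` for the line buffer, which is why the two budgets are tracked separately and the hardened version reports the width it actually produced rather than the width it was asked for. Truncating the three-character string 日本語 to two columns with the byte version leaves a dangling lead byte that utf8_valid rejects; the column version stops at a character boundary.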




------- Additional Comments From notting 2004-02-12 11:46:24 ----

Created an attachment (id=534)
test cases

Here are a couple of test messages. Note that you may need to run this in a
terminal and widen the terminal window to reproduce the crash.



------- Additional Comments From Freedom_Lover 2004-02-12 19:31:40 ----

Any thoughts on the importance of including the very small patch for
authenticating to Windows KDCs from the RH9 rpm?  It's so small that it's hard
to see it presenting any additional issues, though I originally excluded it just
to keep from changing anything other than the security issue at hand.  If it's
desirable, I can re-roll the rpms.



------- Additional Comments From jkeating 2004-02-24 20:25:38 ----

Pushed to updates-testing.  8.0 only, non-issue for anything older.



------- Additional Comments From jpdalbec 2004-03-25 10:23:36 ----

Created an attachment (id=602)
Summary file differences from previous version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 8.0

3d2b3c5631252abc13959f87a164bf3f96459997  mutt_5%3a1.4.1-0.8.x.1.legacy_i386.rpm
(apt-get downloads it with this filename)

* Passes basic functional tests (compose test email, send, read, delete)
* No ldd differences
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAYz7VJL4A+ldA7asRAje3AJ4gIKeAJSBYAg8f+iLiioBXkeQ3fgCghFUn
rUlXBTkuKH7tmBw6K9P9DEE=
=/Qjs
-----END PGP SIGNATURE-----




------- Additional Comments From jpdalbec 2004-03-25 10:28:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 8.0

3d2b3c5631252abc13959f87a164bf3f96459997  mutt_5%3a1.4.1-0.8.x.1.legacy_i386.rpm
(apt-get downloads it with this filename)

* Passes basic functional tests (compose test email, send, read, delete)
* No ldd differences
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAYz7VJL4A+ldA7asRAje3AJ4gIKeAJSBYAg8f+iLiioBXkeQ3fgCghFUn
rUlXBTkuKH7tmBw6K9P9DEE=
=/Qjs
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1285 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1285
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
test cases
https://bugzilla.fedora.us/attachment.cgi?action=view&id=534
Summary file differences from previous version
https://bugzilla.fedora.us/attachment.cgi?action=view&id=602

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.