Bug 166718

Summary: mutt crash on base64 spam
Product: [Fedora] Fedora Reporter: Dave Jones <davej>
Component: muttAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: jakub, pfrields, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.4.2.1-3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-26 18:53:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Minimal version of spam message that causes same crash, has no red hat sensitive info in it
none
Here's the upstream patch for the bug (upstream bug 1424) none

Description Dave Jones 2005-08-24 21:19:36 UTC 
declare -x MALLOC_PERTURB_="204"
mutt -f base64spam (attached)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574, istext=1,
cd=0x7b40b0) at handler.c:308
308         c2 = base64val (buf[1]);
(gdb) bt
#0  0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574,
istext=1, cd=0x7b40b0) at handler.c:308
#1  0x0000000000427727 in mutt_decode_attachment (b=0x7b3970, s=0x7ffffff63320)
at handler.c:1728
#2  0x0000000000427a4d in mutt_body_handler (b=0x7b3970, s=0x7ffffff63320) at
handler.c:1897
#3  0x0000000000427fa7 in alternative_handler (a=0x7b3850, s=0x7ffffff63320) at
handler.c:1324
#4  0x0000000000427a76 in mutt_body_handler (b=0x7b3850, s=0x7ffffff63320) at
handler.c:1921
#5  0x0000000000428373 in multipart_handler (a=0x79a680, s=0x7ffffff63320) at
handler.c:1479
#6  0x0000000000427a76 in mutt_body_handler (b=0x79a680, s=0x7ffffff63320) at
handler.c:1921
#7  0x0000000000414640 in _mutt_copy_message (fpout=0x7b3e40, fpin=0x777280,
hdr=0x79a150, body=0x79a680, flags=76, chflags=150) at copy.c:535
#8  0x000000000041497b in mutt_copy_message (fpout=0x7b3e40, src=Variable "src"
is not available.
) at copy.c:603
#9  0x000000000040ef1e in mutt_display_message (cur=0x79a150) at commands.c:142
#10 0x0000000000418087 in mutt_index_menu () at curs_main.c:1070
#11 0x000000000042e9f2 in main (argc=3, argv=0x7ffffff64818) at main.c:842
#12 0x000000331111ccaf in __libc_start_main () from /lib64/libc.so.6
#13 0x000000000040608a in _start ()
#14 0x00007ffffff64808 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)

This is dependant on the MALLOC_PERTURB_ stuff in rawhide, so I don't know if
this affects earlier releases, or is exploitable.

Setting security sensitive just in case.
Comment 1 Dave Jones 2005-08-24 21:20:16 UTC 
Created attachment 118094 [details]
base64 encoded spam
Comment 2 Bill Nottingham 2005-08-25 18:55:26 UTC 
What locale? This works for me on rawhide.
Comment 3 Bill Nottingham 2005-08-25 19:10:45 UTC 
Seems to only happen on x86_64.
Comment 5 Mark J. Cox 2005-08-25 20:29:53 UTC 
Created attachment 118121 [details]
Minimal version of spam message that causes same crash, has no red hat sensitive info in it
Comment 8 Bill Nottingham 2005-08-26 18:53:01 UTC 
Added in 1.4.2.1-3.