Bug 166718 - mutt crash on base64 spam
Summary: mutt crash on base64 spam
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mutt
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-08-24 21:19 UTC by Dave Jones
Modified: 2015-01-04 22:21 UTC (History)

Fixed In Version: 1.4.2.1-3
Clone Of:
Environment:
Last Closed: 2005-08-26 18:53:01 UTC
Type: ---
Embargoed:


Attachments
Minimal version of spam message that causes same crash, has no Red Hat sensitive info in it (305 bytes, text/plain) - 2005-08-25 20:29 UTC, Mark J. Cox
Here's the upstream patch for the bug (upstream bug 1424) (3.15 KB, patch) - 2005-08-25 20:32 UTC, Bill Nottingham

Description Dave Jones 2005-08-24 21:19:36 UTC
declare -x MALLOC_PERTURB_="204"
mutt -f base64spam (attached)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574, istext=1,
cd=0x7b40b0) at handler.c:308
308         c2 = base64val (buf[1]);
(gdb) bt
#0  0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574,
istext=1, cd=0x7b40b0) at handler.c:308
#1  0x0000000000427727 in mutt_decode_attachment (b=0x7b3970, s=0x7ffffff63320)
at handler.c:1728
#2  0x0000000000427a4d in mutt_body_handler (b=0x7b3970, s=0x7ffffff63320) at
handler.c:1897
#3  0x0000000000427fa7 in alternative_handler (a=0x7b3850, s=0x7ffffff63320) at
handler.c:1324
#4  0x0000000000427a76 in mutt_body_handler (b=0x7b3850, s=0x7ffffff63320) at
handler.c:1921
#5  0x0000000000428373 in multipart_handler (a=0x79a680, s=0x7ffffff63320) at
handler.c:1479
#6  0x0000000000427a76 in mutt_body_handler (b=0x79a680, s=0x7ffffff63320) at
handler.c:1921
#7  0x0000000000414640 in _mutt_copy_message (fpout=0x7b3e40, fpin=0x777280,
hdr=0x79a150, body=0x79a680, flags=76, chflags=150) at copy.c:535
#8  0x000000000041497b in mutt_copy_message (fpout=0x7b3e40, src=Variable "src"
is not available.
) at copy.c:603
#9  0x000000000040ef1e in mutt_display_message (cur=0x79a150) at commands.c:142
#10 0x0000000000418087 in mutt_index_menu () at curs_main.c:1070
#11 0x000000000042e9f2 in main (argc=3, argv=0x7ffffff64818) at main.c:842
#12 0x000000331111ccaf in __libc_start_main () from /lib64/libc.so.6
#13 0x000000000040608a in _start ()
#14 0x00007ffffff64808 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)

This is dependent on the MALLOC_PERTURB_ stuff in rawhide, so I don't know if
this affects earlier releases, or is exploitable.

Setting security sensitive just in case.
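The backtrace above faults in mutt_decode_base64 at the read of buf[1], i.e. while fetching the second character of a four-character input group. As an added illustration, not mutt's code and not the upstream patch, the decoder below never reads beyond the caller-supplied length: it consumes input one character at a time, skips line breaks and other non-alphabet bytes, stops at padding, and rejects a dangling single trailing character instead of fetching a byte that may lie past the end of the buffer. The function and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Value of one base64 alphabet character, or -1 for anything else
 * (whitespace, '=', stray bytes). */
static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 from in[0..len) into out (capacity outcap).
 * Every read is bounds-checked against len, so a truncated or malformed
 * final group (e.g. one stray character at the end of a mangled spam body)
 * cannot cause a read past the input buffer. Returns bytes written, or -1
 * if the data ends with a dangling single character or out is too small. */
long b64_decode_safe(const unsigned char *in, size_t len,
                     unsigned char *out, size_t outcap) {
    unsigned int acc = 0;   /* bit accumulator; only the low nbits are valid */
    int nbits = 0;
    size_t pos, n = 0;
    for (pos = 0; pos < len; pos++) {
        unsigned char c = in[pos];
        if (c == '=') break;            /* padding: the data is complete */
        int v = b64val(c);
        if (v < 0) continue;            /* skip CR/LF and other junk */
        acc = (acc << 6) | (unsigned int)v;
        nbits += 6;
        if (nbits >= 8) {               /* a full byte is available */
            nbits -= 8;
            if (n >= outcap) return -1; /* never write past the output */
            out[n++] = (unsigned char)((acc >> nbits) & 0xFFu);
        }
    }
    /* 6 leftover bits mean a lone trailing sextet: no byte can be formed,
     * so reject rather than guess. 2 or 4 leftover bits are normal padding. */
    if (nbits == 6) return -1;
    return (long)n;
}

int main(void) {
    /* Constructed inputs: a well-formed body and one cut off mid-group. */
    const char *ok = "aGVs\r\nbG8=", *bad = "aGVsb";
    unsigned char out[16];
    printf("ok  -> %ld bytes\n", b64_decode_safe((const unsigned char *)ok, strlen(ok), out, sizeof out));
    printf("bad -> %ld\n", b64_decode_safe((const unsigned char *)bad, strlen(bad), out, sizeof out));
    return 0;
}
```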

Comment 1 Dave Jones 2005-08-24 21:20:16 UTC
Created attachment 118094
base64 encoded spam

Comment 2 Bill Nottingham 2005-08-25 18:55:26 UTC
What locale? This works for me on rawhide.

Comment 3 Bill Nottingham 2005-08-25 19:10:45 UTC
Seems to only happen on x86_64.

Comment 5 Mark J. Cox 2005-08-25 20:29:53 UTC
Created attachment 118121
Minimal version of spam message that causes same crash, has no Red Hat sensitive info in it

Comment 8 Bill Nottingham 2005-08-26 18:53:01 UTC
Added in 1.4.2.1-3.
