Bug 166718 - mutt crash on base64 spam
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mutt
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Bill Nottingham
Reported: 2005-08-24 17:19 EDT by Dave Jones
Modified: 2015-01-04 17:21 EST
Fixed In Version: 1.4.2.1-3
Doc Type: Bug Fix
Last Closed: 2005-08-26 14:53:01 EDT

Attachments
Minimal version of spam message that causes same crash, has no red hat sensitive info in it (305 bytes, text/plain)
2005-08-25 16:29 EDT, Mark J. Cox (Product Security)
Here's the upstream patch for the bug (upstream bug 1424) (3.15 KB, patch)
2005-08-25 16:32 EDT, Bill Nottingham

Description Dave Jones 2005-08-24 17:19:36 EDT
declare -x MALLOC_PERTURB_="204"
mutt -f base64spam (attached)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574, istext=1,
cd=0x7b40b0) at handler.c:308
308         c2 = base64val (buf[1]);
(gdb) bt
#0  0x0000000000425480 in mutt_decode_base64 (s=0x7ffffff63320, len=574,
istext=1, cd=0x7b40b0) at handler.c:308
#1  0x0000000000427727 in mutt_decode_attachment (b=0x7b3970, s=0x7ffffff63320)
at handler.c:1728
#2  0x0000000000427a4d in mutt_body_handler (b=0x7b3970, s=0x7ffffff63320) at
handler.c:1897
#3  0x0000000000427fa7 in alternative_handler (a=0x7b3850, s=0x7ffffff63320) at
handler.c:1324
#4  0x0000000000427a76 in mutt_body_handler (b=0x7b3850, s=0x7ffffff63320) at
handler.c:1921
#5  0x0000000000428373 in multipart_handler (a=0x79a680, s=0x7ffffff63320) at
handler.c:1479
#6  0x0000000000427a76 in mutt_body_handler (b=0x79a680, s=0x7ffffff63320) at
handler.c:1921
#7  0x0000000000414640 in _mutt_copy_message (fpout=0x7b3e40, fpin=0x777280,
hdr=0x79a150, body=0x79a680, flags=76, chflags=150) at copy.c:535
#8  0x000000000041497b in mutt_copy_message (fpout=0x7b3e40, src=Variable "src"
is not available.
) at copy.c:603
#9  0x000000000040ef1e in mutt_display_message (cur=0x79a150) at commands.c:142
#10 0x0000000000418087 in mutt_index_menu () at curs_main.c:1070
#11 0x000000000042e9f2 in main (argc=3, argv=0x7ffffff64818) at main.c:842
#12 0x000000331111ccaf in __libc_start_main () from /lib64/libc.so.6
#13 0x000000000040608a in _start ()
#14 0x00007ffffff64808 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)

This is dependent on the MALLOC_PERTURB_ stuff in rawhide, so I don't know if
this affects earlier releases, or is exploitable.

Setting security sensitive just in case.
Comment 1 Dave Jones 2005-08-24 17:20:16 EDT
Created attachment 118094
base64 encoded spam
Comment 2 Bill Nottingham 2005-08-25 14:55:26 EDT
What locale? This works for me on rawhide.
Comment 3 Bill Nottingham 2005-08-25 15:10:45 EDT
Seems to only happen on x86_64.
Comment 5 Mark J. Cox (Product Security) 2005-08-25 16:29:53 EDT
Created attachment 118121
Minimal version of spam message that causes same crash, has no red hat sensitive info in it
Comment 8 Bill Nottingham 2005-08-26 14:53:01 EDT
Added in 1.4.2.1-3.