CVE-2023-4875

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12


From 4cc3128abdf52c615911589394a03271fddeefc6 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Mon, 4 Sep 2023 12:50:07 +0800 Subject: [PATCH] Check for NULL userhdrs. When composing an email, miscellaneous extra headers are stored in a userhdrs list. Mutt first checks to ensure each header contains at least a colon character, passes the entire userhdr field (name, colon, and body) to the rfc2047 decoder, and safe_strdup()'s the result on the userhdrs list. An empty result would from the decode would result in a NULL headers being added to list. The previous commit removed the possibility of the decoded header field being empty, but it’s prudent to add a check to the strchr calls, in case there is another unexpected bug resulting in one. Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr crashes, giving a working example draft message, and providing the stack traces for the two NULL derefences. — sendlib.c | 4 +±- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sendlib.c b/sendlib.c index c2283972…763bff41 100644 — a/sendlib.c +++ b/sendlib.c @@ -2418,7 +2418,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date, /* Add any user defined headers */ for (; tmp; tmp = tmp->next) { - if ((p = strchr (tmp->data, ‘:’))) + if ((p = strchr (NONULL (tmp->data), ‘:’))) { q = p; @@ -2466,7 +2466,7 @@ static void encode_headers (LIST *h) for (; h; h = h->next) { - if (!(p = strchr (h->data, ‘:’))) + if (!(p = strchr (NONULL (h->data), ‘:’))) continue; i = p - h->data; – GitLab
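Review bot: In the first hunk (mutt_write_rfc822_header), a NULL tmp->data is now skipped silently, exactly like a header with no colon. The commit message describes this guard as a backstop for "another unexpected bug", so a silent skip would hide that bug from anyone trying to find it. Consider emitting a debug-level message when tmp->data is NULL, or at least adding a one-line comment above `if ((p = strchr (NONULL (tmp->data), ':')))` saying that NULL entries are not expected and are dropped on purpose.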
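Review bot: In the second hunk (encode_headers), the line `i = p - h->data;` still uses the raw h->data while the strchr call above it goes through NONULL. This is only safe because a NULL h->data becomes a string with no colon, so strchr returns NULL and the `continue` is taken before the subtraction (assuming NONULL substitutes an empty string, which the visible lines do not show). That dependency is easy to break in a later edit. An explicit `if (!h->data) continue;` ahead of the strchr, or a short comment stating the invariant, would make the intent clear and keep the pointer arithmetic obviously valid.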

Related news

Ubuntu Security Notice USN-6374-2

Ubuntu Security Notice 6374-2 - USN-6374-1 fixed vulnerabilities in Mutt. This update provides the corresponding updates for Ubuntu 23.10. It was discovered that Mutt incorrectly handled certain email header contents. If a user were tricked into opening a specially crafted message, a remote attacker could possibly use this issue to cause a denial of service.

Ubuntu Security Notice USN-6374-1

Ubuntu Security Notice 6374-1 - It was discovered that Mutt incorrectly handled certain email header content. If a user were tricked into opening a specially crafted message, a remote attacker could possibly use this issue to cause a denial of service.

Debian Security Advisory 5494-1

Debian Linux Security Advisory 5494-1 - Several NULL pointer dereference flaws were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which may result in denial of service (application crash) when viewing a specially crafted email or when composing from a specially crafted draft message.
