Headline
CVE-2023-4874
Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
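The defect is a boundary check on a header line: the code searches for the `:` that separates key and value, but the search runs over the whole buffer rather than the current line, so the colon it finds can sit at or past the line's end. The following added example (hypothetical, simplified code written for this page; it is not Mutt's write_one_header() and does not reproduce its surrounding pointer arithmetic) models only that boundary condition, showing the lenient `t > end` check beside the strict `t >= end` check over a line window `[start, end)`. The sample input is constructed to put the colon exactly at `end`, the `t == end` case the fix addresses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a "key: value" header check over the line window
 * [start, end). This is NOT Mutt's code; it isolates one detail: strchr()
 * scans the entire NUL-terminated buffer, so the ':' it returns may lie at
 * or beyond 'end', i.e. on a later line. */

/* Lenient check (pre-fix shape): only rejects a colon strictly past 'end'.
 * A colon at 'end' itself is accepted, yielding a zero-length key and a
 * pointer that later code would treat as inside the line. */
static int key_len_lenient(const char *start, const char *end)
{
    const char *t = strchr(start, ':');
    if (!t || t > end)
        return -1;              /* "header not in 'key: value' format" */
    return (int)(t - start);    /* length of the key before the colon */
}

/* Strict check (fixed shape): the colon must lie strictly inside the line. */
static int key_len_strict(const char *start, const char *end)
{
    const char *t = strchr(start, ':');
    if (!t || t >= end)
        return -1;
    return (int)(t - start);
}

/* Constructed input: an empty header line whose window is [start, start),
 * immediately followed by a line that begins with ':'. The colon strchr()
 * finds is therefore exactly at 'end'. */
static const char SAMPLE[] = ":value\n";

/* Lenient check accepts the colon at 'end' and reports a 0-length key. */
int demo_lenient(void) { return key_len_lenient(SAMPLE, SAMPLE); }

/* Strict check rejects the same input. */
int demo_strict(void) { return key_len_strict(SAMPLE, SAMPLE); }

/* A well-formed line still passes: "Subject" is 7 bytes before the colon. */
int demo_valid(void)
{
    const char *line = "Subject: hi\n";
    return key_len_strict(line, line + 11); /* end points at the '\n' */
}

int main(void)
{
    printf("lenient=%d strict=%d valid=%d\n",
           demo_lenient(), demo_strict(), demo_valid());
    return 0;
}
```

The lenient variant returns 0 for the malformed input, so a caller that goes on to copy the key or advance past `t` would operate on a window that has no bytes in it; the strict variant reports the line as malformed instead, which is the only safe outcome when the separator is not inside the line being written.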
From a4752eb0ae0a521eec02e59e51ae5daedf74fda0 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Sun, 3 Sep 2023 14:11:48 +0800 Subject: [PATCH] Fix write_one_header() illegal header check. This is another crash caused by the rfc2047 decoding bug fixed in the second prior commit. In this case, an empty header line followed by a header line starting with ":", would result in t==end. The mutt_substrdup() further below would go very badly at that point, with t >= end+1. This could result in either a memcpy onto NULL or a huge malloc call. Thanks to Chenyuan Mi (@morningbread) for giving a working example draft message of the rfc2047 decoding flaw. This allowed me, with further testing, to discover this additional crash bug. — sendlib.c | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sendlib.c b/sendlib.c index 763bff41…204b1308 100644 — a/sendlib.c +++ b/sendlib.c @@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen, else { t = strchr (start, ‘:’); - if (!t || t > end) + if (!t || t >= end) { dprint (1, (debugfile, "mwoh: warning: header not in " “’key: value’ format!\n”)); – GitLab
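Review bot: the `>=` in the changed condition is the right boundary, but the hunk leaves the reader to infer why equality is invalid; since `strchr (start, ':')` scans past the current line, a short comment such as `/* the ':' must lie strictly inside [start, end) */` next to the check would record the invariant the later `mutt_substrdup()` relies on. The commit message describes a concrete trigger (an empty header line followed by a line beginning with ":") and notes the same rfc2047 decoding bug produced an earlier crash; a regression message covering that sequence would guard both this boundary and the decoding path together.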
Related news
Ubuntu Security Notice 6374-2 - USN-6374-1 fixed vulnerabilities in Mutt. This update provides the corresponding updates for Ubuntu 23.10. It was discovered that Mutt incorrectly handled certain email header contents. If a user were tricked into opening a specially crafted message, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6374-1 - It was discovered that Mutt incorrectly handled certain email header content. If a user were tricked into opening a specially crafted message, a remote attacker could possibly use this issue to cause a denial of service.
Debian Linux Security Advisory 5494-1 - Several NULL pointer dereference flaws were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which may result in denial of service (application crash) when viewing a specially crafted email or when composing from a specially crafted draft message.