Re: [Full-disclosure] mutt buffer overflow

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] mutt buffer overflow
From: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>
Date: Thu, 18 Aug 2005 12:39:45 +0159
In-reply-to: <20050818085732.GA11016@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050818085732.GA11016@xxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.9i

 Peter,

On Thu, Aug 18, 2005 at 02:57:33AM -0600, Peter Valchev wrote:

The problem is in the mutt attachment/encoding/decoding functions,
specifically handler.c:mutt_decode_xbit() and the buffer
bufi[BUFI_SIZE].


 Can you reproduce this if you recompile libiconv/gettext/mutt?

I reported that bug on Jul 12, but in fact it only happened with

libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
but then running libc 38.2.

 An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox

But the mutt's code doesn't actually look wrong.


 Best regards,

-Frank.

References:
- mutt buffer overflow
  - From: Peter Valchev

Prev by Date: Re: [SECURITY] [DSA 777-1] New Mozilla packages fix frame injection spoofing vulnerability
Next by Date: BBCaffe 2.0 cross site scripting poc
Previous by thread: mutt buffer overflow
Next by thread: Zorum 3.5 remote code execution poc exploit
Index(es):
- Date
- Thread