Hello,

I have found a bunch of potential buffer overflows and format string bugs in mutt.

There is one snprintf() call that uses data from a file as the format string instead of using it as a parameter. There is one sscanf() call with a format string containing "%s". There are also a whole bunch of strncat() calls with the wrong third parameter (it should be the number of characters left in the string, not the whole size of the string).

All problems were found in the latest CVS, although some of them exist in the stable version 1.4.2.1 as well. I don't _think_ any of these problems pose any big security threat, but it is good to fix these things anyway to avoid crashes.

I have attached a patch against the latest CVS version.

// Ulf Harnhammar
http://www.advogato.org/person/metaur/
Attachment:
mutt.bufform.patch
Description: Binary data
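
The three call patterns named in the report above, shown in their bounded forms. This is an added example, not part of the original post, the attached patch or mutt's source; the function names, buffer sizes and inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* strncat(): the third argument is the space LEFT in dst, minus one for the
   terminating NUL that strncat always appends. Passing the whole buffer size
   there is the bug class described in the report. Returns the new length. */
size_t append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 < dstsize)              /* also guards against underflow */
        strncat(dst, src, dstsize - used - 1);
    return strlen(dst);
}

/* snprintf(): data read from a file is passed as an argument to a constant
   "%s" format, so conversion specifiers inside it are copied verbatim and
   never interpreted. Returns the length actually stored. */
size_t format_data(char *dst, size_t dstsize, const char *data)
{
    snprintf(dst, dstsize, "%s", data);
    return strlen(dst);
}

/* sscanf(): "%s" carries a field width one less than the destination size,
   leaving room for the NUL. Returns the number of fields converted. */
#define WORD_MAX 16
int scan_word(const char *line, char word[WORD_MAX])
{
    word[0] = '\0';
    return sscanf(line, "%15s", word);
}

int main(void)
{
    /* Constructed inputs, each longer or stranger than its buffer expects. */
    char buf[8] = "abc", out[32], word[WORD_MAX];
    size_t n = append_bounded(buf, sizeof buf, "defghijkl");
    printf("%zu %s\n", n, buf);
    n = format_data(out, sizeof out, "%x%x%n");
    printf("%zu %s\n", n, out);
    int got = scan_word("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa rest", word);
    printf("%d %s\n", got, word);
    return 0;
}
```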