Re: How to report Mutt security issues?



Derek Martin <invalid@xxxxxxxxxxxxxx> wrote:
> On Wed, Jul 13, 2005 at 12:28:27AM +0200, Frank Denis (Jedi/Sector One) wrote:
> >   
> >   I'd like to report a remotely exploitable security issue in Mutt.
> >   
> >   What is the right way to do so?
> 
> Was there an answer to this?

Not that I saw.

> While I have doubts that "remotely exploitable" is being used fairly here,

I'm not sure what you meant by this.  It's entirely possible that a bug in
mutt code (buffer overflow, etc) would allow an attacker to craft a message to
exploit that bug and run a payload as you when you view that message.  If that
payload is `sh -c 'rm -rf $HOME'` or equivalent, I think you'd call that a
"remotely exploitable" security problem.

Whether such bugs exist is the only question, and the OP may have found
something.  I await an announcement.

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                          <muttdev@xxxxxxxxxxxxxxxxxxxx>
-----------------------------------------------------------------------