Re: How to report Mutt security issues?

To: Mutt Developers <mutt-dev@xxxxxxxx>
Subject: Re: How to report Mutt security issues?
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Jul 2005 09:07:10 +0200
In-reply-to: <20050714164855.GA21843@xxxxxxxxxxxxxxxxxxxx>
Mail-followup-to: Mutt Developers <mutt-dev@xxxxxxxx>
References: <20050712222849.GB21563@xxxxxxx> <20050714162622.GB22752@xxxxxxxxxx> <20050714164855.GA21843@xxxxxxxxxxxxxxxxxxxx>
Sender: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.9i

On 2005-07-14 10:48:55 -0600, Charles Cazabon wrote:

> > >   I'd like to report a remotely exploitable security issue in Mutt.

> > >   What is the right way to do so?

> > Was there an answer to this?

> Not that I saw.

There was an answer in private mail, to which I have not yet
received a reply.

>> While I have doubts that "remotely exploitable" is being used
>> fairly here,

> I'm not sure what you meant by this.  It's entirely possible that
> a bug in mutt code (buffer overflow, etc) would allow an attacker
> to craft a message to exploit that bug and run a payload as you
> when you view that message.  If that payload is `sh -c 'rm -rf
> $HOME'` or equivalent, I think you'd call that a "remotely
> exploitable" security problem.

Yup.

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.

References:
- How to report Mutt security issues?
  - From: Frank Denis (Jedi/Sector One)
- Re: How to report Mutt security issues?
  - From: Derek Martin
- Re: How to report Mutt security issues?
  - From: Charles Cazabon

Prev by Date: Re: mutt development and road map
Next by Date: Re: mutt development and road map
Previous by thread: Re: How to report Mutt security issues?
Next by thread: Re: How to report Mutt security issues?
Index(es):
- Date
- Thread