Re: How to report Mutt security issues?



On 2005-07-14 10:48:55 -0600, Charles Cazabon wrote:

> > >   I'd like to report a remotely exploitable security issue in Mutt.

> > >   What is the right way to do so?

> > Was there an answer to this?

> Not that I saw.

There was an answer in private mail, to which I have not yet
received a reply.

>> While I have doubts that "remotely exploitable" is being used
>> fairly here,

> I'm not sure what you meant by this.  It's entirely possible that
> a bug in mutt code (buffer overflow, etc) would allow an attacker
> to craft a message to exploit that bug and run a payload as you
> when you view that message.  If that payload is `sh -c 'rm -rf
> $HOME'` or equivalent, I think you'd call that a "remotely
> exploitable" security problem.

Yup.

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.