
Re: Fwd: [Full-disclosure] mutt buffer overflow



This was posted in response to that...

----- Forwarded message from "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx> -----

From: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Date: Thu, 18 Aug 2005 12:39:45 +0159
Subject: Re: [Full-disclosure] mutt buffer overflow
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Mail-Followup-To: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>,
        bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
X-Operating-System: OpenBSD - http://www.openbsd.org/
User-Agent: Mutt/1.5.9i
X-Hashcash: 1:20:050818:bugtraq@xxxxxxxxxxxxxxxxx::rDkN76GAeHqwZaOA:000000000000
        0000000000000000000000004wP8
X-Hashcash: 1:20:050818:full-disclosure@xxxxxxxxxxxxxxxxx::9VEnT1+0pZh3QM+Z:0000
        0000000000000000000000000PkP

 Peter,

On Thu, Aug 18, 2005 at 02:57:33AM -0600, Peter Valchev wrote:
>The problem is in the mutt attachment/encoding/decoding functions,
>specifically handler.c:mutt_decode_xbit() and the buffer
>bufi[BUFI_SIZE].

 Can you reproduce this if you recompile libiconv/gettext/mutt?
 
 I reported that bug on Jul 12, but in fact it only happened with
libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
but then running libc 38.2.

 An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox
 
 But mutt's code doesn't actually look wrong.

 Best regards,
 
    -Frank.

----- End forwarded message -----

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.

Attachment: pgpe9eVW09Qn7.pgp
Description: PGP signature
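The thread above blames a crash in mutt's decoder, then traces it to a libiconv/gettext build mismatched against the running libc rather than to the decoder itself. The harness below is an added example, written for this page; it is not mutt's code and not a reconstruction of handler.c:mutt_decode_xbit(). It shows the kind of check a maintainer runs to confirm that a decoder staging input through a fixed buffer (named bufi[BUFI_SIZE] here to mirror the thread) never writes past that buffer for any input length: a canary is placed directly after the buffer and verified after the run. The BUFI_SIZE value, the CRLF-to-LF pass-through behaviour, the sink type and every function name are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size; the real BUFI_SIZE in mutt's handler.c is not given on the page. */
#define BUFI_SIZE 1000
#define GUARD_LEN 8

/* Fixed staging buffer followed by a canary: any write past BUFI_SIZE lands in guard[]. */
typedef struct {
    unsigned char bufi[BUFI_SIZE];
    unsigned char guard[GUARD_LEN];
} decode_state_t;

/* Stand-in for the output FILE*: collects decoded bytes for inspection. */
typedef struct {
    unsigned char out[4096];   /* large enough for this example's constructed inputs */
    size_t total;
} sink_t;

static const unsigned char GUARD_PATTERN[GUARD_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d };

static void state_init(decode_state_t *st)
{
    memset(st->bufi, 0, sizeof st->bufi);
    memcpy(st->guard, GUARD_PATTERN, GUARD_LEN);
}

/* Returns 1 if the canary after bufi is untouched, 0 if something overwrote it. */
int guard_intact(const decode_state_t *st)
{
    return memcmp(st->guard, GUARD_PATTERN, GUARD_LEN) == 0;
}

/* Appends to the sink; bytes beyond the sink's capacity are dropped, never written out of bounds. */
static void sink_write(sink_t *s, const unsigned char *buf, size_t n)
{
    size_t room = sizeof s->out - s->total;
    if (n > room)
        n = room;
    memcpy(s->out + s->total, buf, n);
    s->total += n;
}

/* Pass-through decode of a 7bit/8bit body where the only transformation is CRLF -> LF.
 * Input is staged through st->bufi and flushed *before* the buffer would overflow,
 * so no write can ever reach st->guard regardless of the input length.
 * Returns the total number of bytes emitted to the sink. */
size_t decode_xbit_bounded(decode_state_t *st, const unsigned char *in, size_t len, sink_t *out)
{
    size_t fill = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '\r' && i + 1 < len && in[i + 1] == '\n')
            continue;                       /* drop the CR of a CRLF pair */
        if (fill == BUFI_SIZE) {            /* buffer full: flush first, then reuse */
            sink_write(out, st->bufi, fill);
            fill = 0;
        }
        st->bufi[fill++] = c;
    }
    if (fill)
        sink_write(out, st->bufi, fill);
    return out->total;
}

/* Runs the decoder over one input with a fresh state and sink; returns 1 if the canary survived. */
int run_check(const unsigned char *in, size_t len, sink_t *sink)
{
    decode_state_t st;
    state_init(&st);
    memset(sink, 0, sizeof *sink);
    decode_xbit_bounded(&st, in, len, sink);
    return guard_intact(&st);
}

int main(void)
{
    /* Constructed inputs: a body far longer than BUFI_SIZE, and a short CRLF-terminated one. */
    unsigned char big[2 * BUFI_SIZE + 7];
    memset(big, 'A', sizeof big);
    const unsigned char crlf[] = "line one\r\nline two\r\n";
    sink_t sink;

    int ok_big = run_check(big, sizeof big, &sink);
    printf("long body: canary %s, %zu bytes emitted\n", ok_big ? "intact" : "CLOBBERED", sink.total);

    int ok_crlf = run_check(crlf, sizeof crlf - 1, &sink);
    printf("crlf body: canary %s, %zu bytes emitted\n", ok_crlf ? "intact" : "CLOBBERED", sink.total);
    return (ok_big && ok_crlf) ? 0 : 1;
}
```

A run where the canary survives for inputs well beyond BUFI_SIZE supports the observation in the thread that the decoder's own bounds handling is sound, which moves attention to the environment it runs in (here, the mismatched libiconv/gettext build); a clobbered canary would instead point at the decoder.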