This was posted in response to that...
----- Forwarded message from "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx> -----
From: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Date: Thu, 18 Aug 2005 12:39:45 +0159
Subject: Re: [Full-disclosure] mutt buffer overflow
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Mail-Followup-To: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
X-Operating-System: OpenBSD - http://www.openbsd.org/
User-Agent: Mutt/1.5.9i
X-Hashcash: 1:20:050818:bugtraq@xxxxxxxxxxxxxxxxx::rDkN76GAeHqwZaOA:0000000000000000000000000000000000004wP8
X-Hashcash: 1:20:050818:full-disclosure@xxxxxxxxxxxxxxxxx::9VEnT1+0pZh3QM+Z:00000000000000000000000000000000PkP
Peter,
On Thu, Aug 18, 2005 at 02:57:33AM -0600, Peter Valchev wrote:
>The problem is in the mutt attachment/encoding/decoding functions,
>specifically handler.c:mutt_decode_xbit() and the buffer
>bufi[BUFI_SIZE].
Can you reproduce this if you recompile libiconv/gettext/mutt?
I reported that bug on Jul 12, but in fact it only happened with
libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
but then running libc 38.2.
An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox
But mutt's code doesn't actually look wrong.
Best regards,
-Frank.
----- End forwarded message -----
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail. Sorry for the inconvenience. Thank the spammers.
Attachment:
pgpe9eVW09Qn7.pgp
Description: PGP signature
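The point Frank makes above is worth seeing concretely: a crash inside mutt_decode_xbit() on its fixed bufi[] buffer does not mean the decode loop is wrong if a library underneath it (here libiconv/gettext built against an older OpenBSD libc) was compiled with a different idea of a libc data structure than the libc it is now running against. The following C program is an added illustration and is not code from mutt, libiconv, gettext or OpenBSD. The message does not say what the mb*() changes were; this example assumes the change enlarged a conversion-state object that the caller allocates on its own stack next to its decode buffer, and the sizes 8, 128 and 1024 are made up for the demo. It models the caller's frame as one byte array so the arithmetic stays within a single object, counts how many decode-buffer bytes the runtime library's initialisation overwrites, and ends with the check a practitioner would want: compare the size the caller was compiled with against the size the runtime library reports, via a hypothetical lib_state_size() query, before trusting the state object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes only; the real before/after sizes on OpenBSD are
 * not stated in the thread. */
#define OLD_STATE_SIZE   8    /* what the old headers told libiconv/gettext */
#define NEW_STATE_SIZE 128    /* what the libc actually running now uses    */
#define BUFI_SIZE     1024    /* a fixed decode buffer adjacent to the state */

/* The "library" side: code linked at run time that believes the
 * conversion state is lib_size bytes long and clears it before use.
 * It writes through a pointer the caller sized from the caller's headers. */
static void lib_init_state(void *state, size_t lib_size)
{
    memset(state, 0, lib_size);
}

/* Simulate a caller frame holding a conversion state of caller_size bytes
 * immediately followed by a decode buffer like mutt's bufi[]. Returns the
 * number of bufi bytes the library's initialisation overwrote. */
size_t simulate_mismatch(size_t caller_size, size_t lib_size)
{
    unsigned char frame[NEW_STATE_SIZE + BUFI_SIZE];
    unsigned char *state = frame;                /* state lives first...   */
    unsigned char *bufi  = frame + caller_size;  /* ...bufi right after it */
    size_t clobbered = 0, i;

    if (caller_size > NEW_STATE_SIZE || lib_size > sizeof frame)
        return (size_t)-1;                       /* outside what the demo models */

    memset(bufi, 'A', BUFI_SIZE);                /* recognisable fill pattern */
    lib_init_state(state, lib_size);             /* library writes lib_size bytes */

    for (i = 0; i < BUFI_SIZE; i++)
        if (bufi[i] != 'A')
            clobbered++;
    return clobbered;
}

/* Hypothetical ABI query a library would have to export for the check
 * below to be possible; stands in for a runtime version/size report. */
static size_t lib_state_size(void)
{
    return NEW_STATE_SIZE;
}

/* The check to run at initialisation: refuse to proceed when the size the
 * caller compiled against differs from the size the runtime library uses,
 * instead of corrupting memory silently and crashing somewhere unrelated. */
int abi_matches(size_t caller_size)
{
    return caller_size == lib_state_size();
}

int main(void)
{
    printf("old build, new libc: %zu bufi bytes clobbered\n",
           simulate_mismatch(OLD_STATE_SIZE, NEW_STATE_SIZE));
    printf("rebuilt, new libc:   %zu bufi bytes clobbered\n",
           simulate_mismatch(NEW_STATE_SIZE, NEW_STATE_SIZE));
    printf("ABI check for old build: %s\n",
           abi_matches(OLD_STATE_SIZE) ? "ok" : "MISMATCH, refuse to run");
    return 0;
}
```

With the made-up sizes, the old build running against the new libc loses the first 120 bytes of bufi[] to the library's memset, while the same caller rebuilt against the new headers loses none; that is exactly why Frank's first question is whether the crash survives recompiling libiconv/gettext/mutt.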