This was posted in response to that...

----- Forwarded message from "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx> -----

From: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Date: Thu, 18 Aug 2005 12:39:45 +0159
Subject: Re: [Full-disclosure] mutt buffer overflow
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Mail-Followup-To: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
X-Operating-System: OpenBSD - http://www.openbsd.org/
User-Agent: Mutt/1.5.9i
X-Hashcash: 1:20:050818:bugtraq@xxxxxxxxxxxxxxxxx::rDkN76GAeHqwZaOA:000000000000
    0000000000000000000000004wP8
X-Hashcash: 1:20:050818:full-disclosure@xxxxxxxxxxxxxxxxx::9VEnT1+0pZh3QM+Z:0000
    0000000000000000000000000PkP

Peter,

On Thu, Aug 18, 2005 at 02:57:33AM -0600, Peter Valchev wrote:
> The problem is in the mutt attachment/encoding/decoding functions,
> specifically handler.c:mutt_decode_xbit() and the buffer
> bufi[BUFI_SIZE].

Can you reproduce this if you recompile libiconv/gettext/mutt?

I reported that bug on Jul 12, but in fact it only happened with libiconv/gettext compiled against an OpenBSD libc before the mb*() changes, but then running libc 38.2.

An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox

But mutt's code doesn't actually look wrong.

Best regards,

-Frank.

----- End forwarded message -----

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers.

Attachment: pgpe9eVW09Qn7.pgp (PGP signature)