
Re: Fwd: [Full-disclosure] mutt buffer overflow

> From: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>
> Mail-Followup-To: "Frank Denis (Jedi/Sector One)" <j@xxxxxxxxxxxx>,
>       bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx

I'm not posting there. If somebody thinks that it's needed,
please feel free to forward.

> On Thu, Aug 18, 2005 at 02:57:33AM -0600, Peter Valchev wrote:
> >The problem is in the mutt attachment/encoding/decoding functions,
> >specifically handler.c:mutt_decode_xbit() and the buffer
> >bufi[BUFI_SIZE].
> 
>  Can you reproduce this if you recompile libiconv/gettext/mutt?
>  
>  I reported that bug on Jul 12, but in fact it only happened with
> libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
> but then running libc 38.2.
> 
>  An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox
>  
>  But mutt's code doesn't actually look wrong.

The patch proposed by Peter Valchev breaks charset conversion,
in particular from windows-1251 to koi8-r (both Cyrillic).
The buffer overflow seems not to happen in my case (I'm not sure).
Details:

I'm using mail/mutt port (mutt-1.4.2.1_2) under FreeBSD 5.4-RELEASE-p3,
local charset koi8-r. I'm a relative newbie in Unix, so please check me.
I did "make clean deinstall extract", then wrote and applied the
debugging patch below, then did "make install", then used Mutt for
viewing my regular mail and the two test mailboxes mentioned in this thread:
ftp://ftp.00f.net/misc/mutt-crash-poc.mbox
http://sightly.net/peter/tmp/mutt-bug
My patch prints (to a file) the value of the variable *l if it's >= BUFI_SIZE at
the place where Peter Valchev's patch checks *l, but my patch doesn't change *l.
In fact my patch prints only 1000: once for each of the test mailboxes,
multiple (6) times while viewing once a text/html attachment
(6KB long, charset=windows-1251) of a regular spam sent to me,
and 53 times while viewing once a 51K long text/plain 7bit digest from yahooGroups.
Most letters don't trigger the printing.

--- handler.c.diff begins here ---
*** handler.c.orig      Tue Mar 26 11:49:51 2002
--- handler.c   Sat Aug 20 23:31:58 2005
***************
*** 22,27 ****
--- 22,28 ----
  #include <ctype.h>
  #include <sys/wait.h>
  #include <sys/stat.h>
+ #include <stdio.h>
  
  #include "mutt.h"
  #include "mutt_curses.h"
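Review bot: the added "#include <stdio.h>" is needed for FILE, fopen, fprintf and fflush used later in this patch, but it is placed after the system headers and before "mutt.h"; if mutt.h already pulls in stdio.h (as a header declaring stream-based helpers usually does) the line is redundant but harmless, so keep it only as long as the debugging block that needs it stays in the file.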
***************
*** 82,87 ****
--- 83,90 ----
    ICONV_CONST char *ib;
    char *ob;
    size_t ibl, obl;
+   static FILE *debg = NULL;
+   long debgl;
  
    if (!bufi)
    {
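Review bot: "static FILE *debg = NULL;" keeps one stream open for the whole life of the process and it is never closed anywhere in this patch, which is acceptable for a throwaway debugging build but should not survive into anything shipped. The separate "long debgl;" at function scope exists only to pass *l to a "%ld" format; since the neighbouring declarations show this function works in size_t (ibl, obl), a narrowing conversion to long is fine for logging but would misreport values above LONG_MAX on 32-bit builds, so a cast inside the fprintf call, or "%lu" with (unsigned long), would do the same job without the extra variable.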
***************
*** 95,100 ****
--- 98,112 ----
      return;
    }
  
+   if (debg == NULL)
+     debg = fopen( "/usr/home/lena/mutt-debug", "a" );
+   if (debg != NULL && *l >= BUFI_SIZE)
+   {
+     fseek( debg, 0, SEEK_END);   /* perhaps unnecessary but doesn't hurt */
+     debgl = *l;
+     fprintf( debg, "%ld\n", debgl );
+     fflush( debg );
+   }
    if (cd == (iconv_t)(-1))
    {
      state_prefix_put (bufi, *l, s);
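Review bot: the "fseek( debg, 0, SEEK_END);" call is indeed unnecessary, not just "perhaps": the stream is opened with "a", and in append mode every write goes to the end of the file regardless of the current position, so the line can be dropped. The NULL check after fopen is correct (a failed open silently disables logging rather than crashing), but the log path "/usr/home/lena/mutt-debug" is a hard-coded, user-specific absolute path, so this hunk is only usable on the poster's machine and must not be applied elsewhere without editing it. The condition "*l >= BUFI_SIZE" logs but intentionally does not clamp *l, matching the mail's description of the patch as diagnostic only; to make the log more useful for deciding whether the overflow is real, it would help to record, alongside the length, which of the "== BUFI_SIZE" and "> BUFI_SIZE" cases fired, since the mail reports only ever seeing 1000 and the two cases have very different meaning for a buffer declared as bufi[BUFI_SIZE].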
--- handler.c.diff ends here ---