mutt/2684: crash on s/mime verification
>Number: 2684
>Notify-List:
>Category: mutt
>Synopsis: crash on s/mime verification
>Confidential: no
>Severity: normal
>Priority: medium
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jan 12 23:17:20 +0100 2007
>Originator: Sertaç Ö. Yıldız
>Release: tried with 1.5.13 and 1.5.13cvs (2007-01-09)
>Organization:
>Environment:
Linux 2.6.19.2
[using ncurses 5.5] [using libidn 0.6.5 (compiled with 0.6.5)]
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL +USE_SETGID +USE_DOTLOCK +DL_STANDALONE
+USE_FCNTL -USE_FLOCK -USE_INODESORT
+USE_POP +USE_NNTP +USE_IMAP -USE_GSS +USE_SSL_OPENSSL -USE_SSL_GNUTLS
+USE_SASL +HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX +COMPRESSED
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
+BUFFY_SIZE -EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET
+HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN +HAVE_GETSID -USE_HCACHE
ISPELL="/usr/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/mutt"
SYSCONFDIR="/usr/local/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
>Description:
I tried to verify an S/MIME-signed test mail with a GPG-encrypted body, but I
noticed two problems:
1) mutt asks for my S/MIME password, but it shouldn't need it for verification.
2) After decrypting the body it crashes.
Program received signal SIGSEGV, Segmentation fault.
safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at lib.c:214
214 if (!s || !*s)
(gdb) bt
#0 safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at lib.c:214
#1 0x080a9ee7 in mutt_write_mime_header (a=0x99fbe60, f=0x99fbe60) at sendlib.c:324
#2 0x080612d5 in _mutt_copy_message (fpout=0x99fbe60, fpin=0x99d2018, hdr=0x99d2b48, body=0x99d3020, flags=1024, chflags=770) at copy.c:687
#3 0x08061a6a in mutt_copy_message (fpout=0x99fbe60, src=0x99422c0, hdr=0x99d2b48, flags=1024, chflags=770) at copy.c:742
#4 0x080c692b in smime_verify_sender (h=0x99d2b48) at smime.c:1174
#5 0x0805b685 in mutt_display_message (cur=0x99d2b48) at commands.c:185
#6 0x080663d8 in mutt_index_menu () at curs_main.c:1366
#7 0x08080b55 in main (argc=4, argv=0xbfaf6184) at main.c:1023
cur is not initialised here:
687 mutt_write_mime_header (cur, fpout);
so after sendlib.c:308:
(gdb) x cur->subtype
0xb7fa2000: "Content-Type: message/Content-Type: message/Content-Type:
message/Content-Type: message/Content-Type: message/Content-Type:
message/Content-Type: message/Content-Type: message/Content-Type: message/Co"...
>How-To-Repeat:
>Fix:
This patch prevents the crash, but I'm not sure if it is correct or not.
--- mutt-1.5.13/copy.c.old 2007-01-05 00:01:38.000000000 +0200
+++ mutt-1.5.13/copy.c 2007-01-05 00:01:48.000000000 +0200
@@ -677,7 +677,7 @@ _mutt_copy_message (FILE *fpout, FILE *f
if ((WithCrypto & APPLICATION_SMIME)
&& (flags & M_CM_DECODE_SMIME) && (hdr->security & APPLICATION_SMIME)
- && hdr->content->type == TYPEAPPLICATION)
+ && hdr->content->type == TYPEMULTIPART)
{
if (crypt_smime_decrypt_mime (fpin, &fp, hdr->content, &cur))
return (-1);
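Review bot: Changing the type test to TYPEMULTIPART hides the uninitialised `cur` the backtrace points at instead of fixing it, and it inverts what the branch selects: S/MIME enveloped data is carried as application/pkcs7-mime, which is exactly what the original `hdr->content->type == TYPEAPPLICATION` matches, so with this hunk a genuinely encrypted S/MIME message is no longer passed to crypt_smime_decrypt_mime on this path, while a multipart/signed message, which is not encrypted at all, now is. The crash only stops because `cur` happens to be assigned on the signed-message path. The fix belongs where `cur` is declared and where it is used: initialise it (`BODY *cur = NULL;`) and emit the synthetic header only when a decrypt branch actually produced a body, e.g. `if (cur) mutt_write_mime_header (cur, fpout);`, so a signed-but-not-encrypted message for which no decrypt branch is taken falls through without dereferencing garbage. The condition in this hunk should stay TYPEAPPLICATION.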
>Add-To-Audit-Trail:
>Unformatted:
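A model of the decode path this report describes, added here as an example rather than taken from mutt's source. It reproduces the shape of the two decrypt branches in copy.c with `cur` initialised to NULL and guarded before the MIME header is written, and lets the S/MIME type test be run either as in mutt 1.5.13 (TYPEAPPLICATION) or as in the attached patch (TYPEMULTIPART) so the side effect of the patch is visible. The type names (body_t, header_t), the functions copy_decoded_header, run_case and the fake_* decrypt stand-ins, the enum values, and the sample messages are all constructed for this example; the real backends and mutt's constants differ.

```c
#include <stdio.h>
#include <string.h>

/* Subset of mutt's MIME type codes and crypto flag bits; values are illustrative. */
enum { TYPEAPPLICATION = 1, TYPEMULTIPART = 2, TYPETEXT = 3 };
enum { APPLICATION_PGP = 1 << 0, APPLICATION_SMIME = 1 << 1 };
enum { M_CM_DECODE_PGP = 1 << 9, M_CM_DECODE_SMIME = 1 << 10 };

typedef struct { int type; const char *subtype; } body_t;          /* assumed shape */
typedef struct { unsigned security; const body_t *content; } header_t;

typedef enum { HDR_NONE, HDR_PGP, HDR_SMIME, HDR_ERROR } decode_result_t;

/* Constructed stand-in for crypt_smime_decrypt_mime(): only application/pkcs7-mime
 * is treated as enveloped data, anything else fails (a modelling assumption). */
static const body_t *fake_smime_decrypt(const body_t *b)
{
    static const body_t plain = { TYPETEXT, "plain" };
    return (b->type == TYPEAPPLICATION && strcmp(b->subtype, "pkcs7-mime") == 0) ? &plain : NULL;
}

/* Constructed stand-in for crypt_pgp_decrypt_mime(): accepts multipart/encrypted only. */
static const body_t *fake_pgp_decrypt(const body_t *b)
{
    static const body_t plain = { TYPETEXT, "plain" };
    return (b->type == TYPEMULTIPART && strcmp(b->subtype, "encrypted") == 0) ? &plain : NULL;
}

static const char *type_name(int t)
{
    switch (t) {
    case TYPEAPPLICATION: return "application";
    case TYPEMULTIPART:   return "multipart";
    case TYPETEXT:        return "text";
    default:              return "unknown";
    }
}

/* Hardened model of the copy.c decode path.  smime_type is the MIME type the
 * S/MIME branch requires: TYPEAPPLICATION as in mutt 1.5.13, TYPEMULTIPART as
 * in the patch attached to this report.  Writes the synthetic Content-Type
 * header into out[] only when a decrypt branch produced a decoded body. */
static decode_result_t copy_decoded_header(const header_t *hdr, int flags, int smime_type,
                                           char *out, size_t outlen)
{
    const body_t *cur = NULL;          /* uninitialised in the reported build */
    decode_result_t res = HDR_NONE;
    out[0] = '\0';

    if ((flags & M_CM_DECODE_PGP) && (hdr->security & APPLICATION_PGP)
        && hdr->content->type == TYPEMULTIPART) {
        if ((cur = fake_pgp_decrypt(hdr->content)) == NULL)
            return HDR_ERROR;
        res = HDR_PGP;
    }
    if ((flags & M_CM_DECODE_SMIME) && (hdr->security & APPLICATION_SMIME)
        && hdr->content->type == smime_type) {
        if ((cur = fake_smime_decrypt(hdr->content)) == NULL)
            return HDR_ERROR;
        res = HDR_SMIME;
    }

    /* The guard mutt_write_mime_header(cur, fpout) lacked: a signed-but-not-
     * encrypted message takes neither branch, so there is no body to describe. */
    if (cur == NULL)
        return HDR_NONE;

    snprintf(out, outlen, "Content-Type: %s/%s\n", type_name(cur->type), cur->subtype);
    return res;
}

/* Convenience wrapper: builds a one-part message and records the emitted header. */
static char last_header[128];
static decode_result_t run_case(int body_type, const char *subtype, unsigned security,
                                int flags, int smime_type)
{
    body_t b = { body_type, subtype };
    header_t h = { security, &b };
    return copy_decoded_header(&h, flags, smime_type, last_header, sizeof last_header);
}

int main(void)
{
    static const char *names[] = { "none", "pgp", "smime", "error" };
    int r;
    /* Reporter's case: multipart/signed S/MIME, verify path asks for DECODE_SMIME. */
    r = run_case(TYPEMULTIPART, "signed", APPLICATION_SMIME, M_CM_DECODE_SMIME, TYPEAPPLICATION);
    printf("signed, 1.5.13 condition: %s (header written: %d)\n", names[r], last_header[0] != '\0');
    r = run_case(TYPEMULTIPART, "signed", APPLICATION_SMIME, M_CM_DECODE_SMIME, TYPEMULTIPART);
    printf("signed, patched condition: %s\n", names[r]);
    /* Enveloped S/MIME: decrypted by the original condition, skipped by the patched one. */
    r = run_case(TYPEAPPLICATION, "pkcs7-mime", APPLICATION_SMIME, M_CM_DECODE_SMIME, TYPEAPPLICATION);
    printf("pkcs7-mime, 1.5.13 condition: %s %s", names[r], last_header);
    r = run_case(TYPEAPPLICATION, "pkcs7-mime", APPLICATION_SMIME, M_CM_DECODE_SMIME, TYPEMULTIPART);
    printf("pkcs7-mime, patched condition: %s\n", names[r]);
    return 0;
}
```

With the original TYPEAPPLICATION test the signed message simply produces no synthetic header, which is the behaviour the NULL guard restores; with the patched TYPEMULTIPART test the enveloped message is never decrypted and the signed one is pushed into the S/MIME decrypt instead.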