mutt/2710: off-by-one error in mutt_dotlock.c
>Number: 2710
>Notify-List:
>Category: mutt
>Synopsis: off-by-one error in mutt_dotlock.c
>Confidential: no
>Severity: normal
>Priority: medium
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jan 26 11:43:31 +0100 2007
>Originator: cb@xxxxxxxx (Christoph Berg)
>Release:
>Organization:
>Environment:
>Description:
Date: Fri, 10 Nov 2006 00:34:48 +0000
From: Jochen Voss <voss@xxxxxxxxxx>
Reply-To: Jochen Voss <voss@xxxxxxxxxx>, 397858@xxxxxxxxxxxxxxx
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#397858: /usr/bin/mutt_dotlock: off-by-one error in mutt_dotlock.c
X-Debian-PR-Message: report 397858
X-Debian-PR-Package: mutt
X-Debian-PR-Keywords:
X-Debian-PR-Source: mutt
Package: mutt
Version: 1.5.13-1
Severity: normal
File: /usr/bin/mutt_dotlock
Hello,
recently I came across the following bit of code in the source file
mutt-1.5.13/mutt_dotlock.c (function dotlock_deference_symlink, around
line 557):
    if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
    {
      /* perror (pathptr); */
      return -1;
    }
    linkfile[len] = '\0';
In the case when the link target is longer than 'sizeof (linkfile)'
(256 characters), the readlink call returns 'sizeof (linkfile)' and
the following assignment writes a zero-byte into the byte just after
the buffer 'linkfile'. This is a buffer overflow.
The bug does not look exploitable to me, but probably it should be
fixed anyway.
I hope this helps,
Jochen
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.1
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
Versions of packages mutt depends on:
ii exim4 4.63-10 metapackage to ease exim MTA (v4)
ii exim4-daemon-light [mai 4.63-10 lightweight exim MTA (v4) daemon
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libdb4.4 4.4.20-8 Berkeley v4.4 Database Libraries [
ii libgnutls13 1.4.4-2 the GNU TLS library - runtime libr
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libncursesw5 5.5-5 Shared libraries for terminal hand
ii libsasl2 2.1.19.dfsg1-0.5 Authentication abstraction library
Versions of packages mutt recommends:
ii locales 2.3.6.ds1-8 GNU C Library: National Language (
ii mime-support 3.37-1 MIME files 'mime.types' & 'mailcap
-- no debconf information
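The following is an added example, not code from the report above or from mutt itself. It reproduces the readlink() pattern Jochen describes against a real symlink and shows, with a canary byte placed just past a 256-byte buffer, that a link target of 256 bytes or more makes the terminating write land one byte out of bounds; the hardened variant beside it reserves room for the terminator and treats a full buffer as an error, since readlink() reports no truncation. The scratch directory under /tmp, the link name and all function names are constructed for this demonstration and assume /tmp is writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LINKBUF 256   /* same size as linkfile[] in the report */

/* The pattern from the report. `storage` is LINKBUF + 1 bytes: the first
 * LINKBUF bytes play the role of linkfile[], and the extra byte is a canary
 * standing in for whatever sits after linkfile on the real stack. When the
 * link target is >= LINKBUF bytes, readlink() returns LINKBUF and the
 * terminator lands on the canary, one byte past the end. */
static int deref_vulnerable(const char *path, char *storage)
{
    ssize_t len;
    storage[LINKBUF] = (char)0xAA;
    if ((len = readlink(path, storage, LINKBUF)) == -1)
        return -1;
    storage[len] = '\0';              /* off by one when len == LINKBUF */
    return (int)len;
}

/* Hardened form: reserve a byte for the terminator and refuse a target that
 * fills the buffer, since readlink() gives no other sign of truncation. */
static int deref_hardened(const char *path, char *buf, size_t bufsz)
{
    ssize_t len;
    if (bufsz == 0)
        return -1;
    len = readlink(path, buf, bufsz - 1);
    if (len == -1)
        return -1;
    if ((size_t)len >= bufsz - 1) {   /* possibly truncated: reject */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[len] = '\0';
    return (int)len;
}

/* Creates a symlink (constructed test fixture, not from the report) whose
 * target is `target_len` bytes of 'a', runs both versions on it, then cleans
 * up. Returns 0 on success and reports the three observations via out-params. */
static int run_case(size_t target_len, int *vuln_len, int *canary_hit,
                    int *safe_len)
{
    char dir[] = "/tmp/dotlock-demo-XXXXXX";   /* assumes /tmp is writable */
    char linkpath[sizeof dir + 8];
    char storage[LINKBUF + 1];
    char safebuf[LINKBUF];
    char *target = malloc(target_len + 1);
    int rc = -1;

    if (target == NULL)
        return -1;
    memset(target, 'a', target_len);
    target[target_len] = '\0';

    if (mkdtemp(dir) != NULL) {
        snprintf(linkpath, sizeof linkpath, "%s/lnk", dir);
        if (symlink(target, linkpath) == 0) {
            *vuln_len = deref_vulnerable(linkpath, storage);
            *canary_hit = storage[LINKBUF] != (char)0xAA;
            *safe_len = deref_hardened(linkpath, safebuf, sizeof safebuf);
            unlink(linkpath);
            rc = 0;
        }
        rmdir(dir);
    }
    free(target);
    return rc;
}

/* Single-value wrappers; -2 means the fixture could not be created. */
int vulnerable_len(size_t n) { int v, c, s; return run_case(n, &v, &c, &s) == 0 ? v : -2; }
int canary_clobbered(size_t n) { int v, c, s; return run_case(n, &v, &c, &s) == 0 ? c : -2; }
int hardened_len(size_t n) { int v, c, s; return run_case(n, &v, &c, &s) == 0 ? s : -2; }

int main(void)
{
    size_t lens[] = { 10, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("target %3zu bytes: vulnerable readlink=%d canary clobbered=%d "
               "hardened=%d\n", lens[i], vulnerable_len(lens[i]),
               canary_clobbered(lens[i]), hardened_len(lens[i]));
    return 0;
}
```

For a 10-byte target both versions agree and the canary survives; for a 256-byte or longer target the vulnerable version returns 256 and clobbers the canary, while the hardened version returns -1 with errno set to ENAMETOOLONG. The hardened check also rejects a target of exactly 255 bytes, because after readlink(path, buf, 255) a return of 255 cannot be told apart from a truncated longer target; erring on the side of refusal is the right trade for a lock helper.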
>How-To-Repeat:
>Fix:
Unknown
>Add-To-Audit-Trail:
>Unformatted: