mutt/2710: off-by-one error in mutt_dotlock.c



>Number:         2710
>Notify-List:    
>Category:       mutt
>Synopsis:       off-by-one error in mutt_dotlock.c
>Confidential:   no
>Severity:       normal
>Priority:       medium
>Responsible:    mutt-dev
>State:          open
>Keywords:       
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 26 11:43:31 +0100 2007
>Originator:     cb@xxxxxxxx (Christoph Berg)
>Release:        
>Organization:
>Environment:
>Description:
Date: Fri, 10 Nov 2006 00:34:48 +0000
From: Jochen Voss <voss@xxxxxxxxxx>
Reply-To: Jochen Voss <voss@xxxxxxxxxx>, 397858@xxxxxxxxxxxxxxx
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#397858: /usr/bin/mutt_dotlock: off-by-one error in
        mutt_dotlock.c
X-Debian-PR-Message: report 397858
X-Debian-PR-Package: mutt
X-Debian-PR-Keywords:
X-Debian-PR-Source: mutt

Package: mutt
Version: 1.5.13-1
Severity: normal
File: /usr/bin/mutt_dotlock

Hello,

recently I came across the following bit of code in the source file
mutt-1.5.13/mutt_dotlock.c (function dotlock_deference_symlink, around
line 557):

      if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
      {
        /* perror (pathptr); */
        return -1;
      }

      linkfile[len] = '\0';

In the case when the link target is longer than 'sizeof (linkfile)'
(256 characters), the readlink call returns 'sizeof (linkfile)' and
the following assignment writes a zero-byte into the byte just after
the buffer 'linkfile'.  This is a buffer overflow.

The bug does not look exploitable to me, but probably it should be
fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.1
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages mutt depends on:
ii  exim4                   4.63-10          metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mai 4.63-10          lightweight exim MTA (v4) daemon
ii  libc6                   2.3.6.ds1-8      GNU C Library: Shared libraries
ii  libdb4.4                4.4.20-8         Berkeley v4.4 Database Libraries [
ii  libgnutls13             1.4.4-2          the GNU TLS library - runtime libr
ii  libidn11                0.6.5-1          GNU libidn library, implementation
ii  libncursesw5            5.5-5            Shared libraries for terminal hand
ii  libsasl2                2.1.19.dfsg1-0.5 Authentication abstraction library

Versions of packages mutt recommends:
ii  locales                      2.3.6.ds1-8 GNU C Library: National Language (
ii  mime-support                 3.37-1      MIME files 'mime.types' & 'mailcap

-- no debconf information
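Added example (not mutt's code): a bounded readlink() wrapper that refuses an overlong target instead of writing the terminator one byte past the buffer, the pattern reported above for dotlock_deference_symlink(). The helper names, the /tmp temp directory and the symlink targets are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Report's shape: readlink() can fill the whole buffer and return
 * sizeof(buf), so buf[len] = '\0' lands one byte past the end.
 * Fix: ask for at most bufsz-1 bytes so the terminator always fits,
 * and treat a full buffer as "target too long", because readlink()
 * silently truncates rather than failing. */
ssize_t safe_readlink(const char *path, char *buf, size_t bufsz)
{
    ssize_t len;

    if (bufsz == 0) { errno = EINVAL; return -1; }
    len = readlink(path, buf, bufsz - 1);
    if (len == -1)
        return -1;
    if ((size_t)len >= bufsz - 1) {       /* possibly truncated: refuse */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[len] = '\0';                      /* now always inside buf */
    return len;
}

/* Self-check: one short and one 299-char symlink target (constructed)
 * against a 256-byte buffer, the size quoted in the report.
 * Returns 0 on success or a small code identifying the first failure. */
int demo_safe_readlink(void)
{
    char dir[] = "/tmp/dotlockXXXXXX";
    char shortlink[64], longlink[64], target[300], buf[256];
    int rc = 0;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(shortlink, sizeof shortlink, "%s/short", dir);
    snprintf(longlink, sizeof longlink, "%s/long", dir);
    memset(target, 'a', sizeof target - 1);
    target[sizeof target - 1] = '\0';

    if (symlink("ok", shortlink) != 0 || symlink(target, longlink) != 0)
        rc = 2;
    else if (safe_readlink(shortlink, buf, sizeof buf) != 2 || strcmp(buf, "ok"))
        rc = 3;                           /* short target reads back intact */
    else if (safe_readlink(longlink, buf, sizeof buf) != -1 || errno != ENAMETOOLONG)
        rc = 4;                           /* overlong target is rejected */

    unlink(shortlink); unlink(longlink); rmdir(dir);
    return rc;
}
```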
>How-To-Repeat:
>Fix:
Unknown
>Add-To-Audit-Trail:

>Unformatted: