
[Mutt] #3397: minor buffer overflow in mutt_match_spam_list
#3397: minor buffer overflow in mutt_match_spam_list
----------------------+-----------------------------------------------------
 Reporter:  matthijs  |       Owner:  mutt-dev
     Type:  defect    |      Status:  new     
 Priority:  minor     |   Milestone:          
Component:  mutt      |     Version:  1.5.20  
 Keywords:            |  
----------------------+-----------------------------------------------------
 While looking around the code for #3396, I found a minor buffer overflow
 in {{{mutt_match_spam_list}}}. It finds the first matching "spam" pattern,
 and then puts the corresponding template into the {{{text}}} buffer it
 gets passed. When expanding pattern matches in the template (e.g., %1)
 there is proper bounds checking. However, while copying the template text
 itself, no bounds are checked.

 Note that this bug can partly be exploited through specially crafted
 messages. It's not possible for an attacker to overflow arbitrary strings,
 but if there is any literal text in a template _after_ the first pattern
 match replacement, an attacker could trigger an overflow that writes that
 text outside of the buffer.

 For example, when I have the following spam line:

 {{{
 spam "^X-Spam-Score: (.*)" "%1 <-- Look, this is spam!"
 }}}

 An attacker could create an email that contains an X-Spam-Score header
 containing a long (>1024 characters) value. This would cause the buffer to
 fill up using the first 1024 characters from that header, and the text
 {{{" <-- Look, this is spam!"}}} will be written outside of the buffer.
 This works even if a second X-Spam-Score header is written to the message,
 since all headers are checked, not just the last one.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3397>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
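
The C program below is an added example; it is not Mutt's code and not part of the ticket. It models the copy the reporter describes: a "%N" expansion is clipped to the space left in the buffer, but each literal byte of the template is copied with no check, so with the rule quoted in the ticket everything after "%1" lands past the end once the header value has filled the buffer. The 64-byte buffer (TEXTLEN), the RULE_* macros, the constructed "X-Spam-Score: AAAA..." header and the demo_* helpers are assumptions made for this example; the rule pattern and template are the ones from the ticket. naive_overflow() only counts the bytes the flawed copy would write, so the program itself never overruns anything, and safe_expand() shows the bounded copy that fixes it.

```c
#include <regex.h>
#include <string.h>

#define TEXTLEN 64   /* assumed buffer size for the demo; the ticket's is 1024 */
#define RULE_PATTERN  "^X-Spam-Score: (.*)"           /* the rule from the ticket */
#define RULE_TEMPLATE "%1 <-- Look, this is spam!"

/* Model of the flawed expander as the ticket describes it: a %N reference is
 * clipped to the space left, but literal template bytes are not. Nothing is
 * written; it returns how many bytes (NUL included) would overrun textlen. */
size_t naive_overflow(const char *templ, const regmatch_t *pm, size_t nmatch,
                      size_t textlen)
{
    size_t used = 0;
    for (const char *p = templ; *p; p++) {
        if (*p == '%' && p[1] >= '1' && p[1] <= '9') {
            size_t n = (size_t)(*++p - '0');
            if (n < nmatch && pm[n].rm_so != -1) {
                size_t len = (size_t)(pm[n].rm_eo - pm[n].rm_so);
                size_t room = used < textlen - 1 ? textlen - 1 - used : 0;
                used += len > room ? room : len;   /* the existing check */
            }
        } else {
            used++;                                /* literal: no check */
        }
    }
    return used + 1 > textlen ? used + 1 - textlen : 0;
}

/* Hardened expander: literal bytes and expansions are both bounded by the
 * remaining space; the result is always NUL-terminated. Returns its length. */
size_t safe_expand(char *text, size_t textlen, const char *templ,
                   const char *hdr, const regmatch_t *pm, size_t nmatch)
{
    size_t used = 0;
    for (const char *p = templ; *p && used < textlen - 1; p++) {
        if (*p == '%' && p[1] >= '1' && p[1] <= '9') {
            size_t n = (size_t)(*++p - '0');
            if (n < nmatch && pm[n].rm_so != -1) {
                size_t len = (size_t)(pm[n].rm_eo - pm[n].rm_so);
                if (len > textlen - 1 - used)
                    len = textlen - 1 - used;
                memcpy(text + used, hdr + pm[n].rm_so, len);
                used += len;
            }
        } else {
            text[used++] = *p;
        }
    }
    text[used] = '\0';
    return used;
}

/* Apply one spam rule to a header line: 1 on match (text gets the safe result,
 * *overflow the naive overrun in bytes), 0 on no match, -1 on a bad pattern. */
int match_spam_rule(const char *pattern, const char *templ, const char *hdr,
                    char *text, size_t textlen, size_t *overflow)
{
    regex_t re;
    regmatch_t pm[10];
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    int rc = regexec(&re, hdr, 10, pm, 0);
    regfree(&re);
    if (rc != 0)
        return 0;
    *overflow = naive_overflow(templ, pm, 10, textlen);
    safe_expand(text, textlen, templ, hdr, pm, 10);
    return 1;
}

/* Constructed input: "X-Spam-Score: " followed by value_len 'A's (<= 1000). */
static void build_header(char *hdr, size_t value_len)
{
    size_t n = strlen("X-Spam-Score: ");
    memcpy(hdr, "X-Spam-Score: ", n);
    memset(hdr + n, 'A', value_len);
    hdr[n + value_len] = '\0';
}

/* Bytes the naive expander would write past a TEXTLEN buffer for that header. */
size_t demo_overflow(size_t value_len)
{
    char hdr[1100], text[TEXTLEN];
    size_t overflow = 0;
    build_header(hdr, value_len);
    return match_spam_rule(RULE_PATTERN, RULE_TEMPLATE, hdr, text, TEXTLEN,
                           &overflow) == 1 ? overflow : 0;
}

/* Length of the safe expander's result for the same header. */
size_t demo_safe_len(size_t value_len)
{
    char hdr[1100], text[TEXTLEN];
    size_t overflow = 0;
    build_header(hdr, value_len);
    return match_spam_rule(RULE_PATTERN, RULE_TEMPLATE, hdr, text, TEXTLEN,
                           &overflow) == 1 ? strlen(text) : 0;
}
```

With a 100-byte header value, demo_overflow(100) reports 24 bytes past the 64-byte buffer, which is exactly the length of the literal " <-- Look, this is spam!" that follows "%1" in the template: the %1 copy stops at the buffer's edge, and the unchecked literal is what spills. demo_safe_len(100) returns 63, the hardened copy having truncated instead. A 3-byte value such as "5.0" fits, so both expanders agree and no overrun is reported.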