[Mutt] #3397: minor buffer overflow in mutt_match_spam_list
----------------------+-----------------------------------------------------
Reporter: matthijs | Owner: mutt-dev
Type: defect | Status: new
Priority: minor | Milestone:
Component: mutt | Version: 1.5.20
Keywords: |
----------------------+-----------------------------------------------------
While looking around the code for #3396, I found a minor buffer overflow
in {{{mutt_match_spam_list}}}. It finds the first matching "spam" pattern,
and then puts the corresponding template into the {{{text}}} buffer it
gets passed. When expanding pattern matches in the template (e.g., %1)
there is proper bounds checking. However, while copying the template text
itself, no bounds are checked.
Note that this bug can partly be exploited through specially crafted
messages. It's not possible for an attacker to overflow arbitrary strings,
but if there is any literal text in a template _after_ the first pattern
match replacement, an attacker could trigger an overflow that writes that
text outside of the buffer.
For example, when I have the following spam line:
{{{
spam "^X-Spam-Score: (.*)" "%1 <-- Look, this is spam!"
}}}
An attacker could create an email that contains an X-Spam-Score header
containing a long (>1024 characters) value. This would cause the buffer to
fill up using the first 1024 characters from that header, and the text
{{{" <-- Look, this is spam!"}}} will be written outside of the buffer.
This works even if a second X-Spam-Score header is written to the message,
since all headers are checked, not just the last one.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3397>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
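The defect the ticket describes, as an added illustration that is not Mutt's own code: a small model of the template expansion in which the "%1" substitution is bounds-checked but the literal template text is copied without a check, beside the same routine with both copies bounded. The 1024-byte buffer size, the canary region placed after it, the header value built from repeated "x", and the function names are assumptions of this example; the regex is POSIX regcomp/regexec, not Mutt's own matcher. The overflow writes into a canary region inside the same allocation, so it stays observable without corrupting anything else.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEXT_SIZE   1024   /* assumed size of the caller's text buffer */
#define CANARY_SIZE 64     /* bytes placed after it to make the overflow visible */

/* Model of the template expansion: "%1".."%9" are replaced by the matching
 * regex group of hdr (bounds-checked, as the ticket says Mutt does), and any
 * other template byte is copied literally.  With check_literals == 0 the
 * literal bytes are copied without a bounds check, which is the defect the
 * ticket describes; with check_literals != 0 they are bounded as well.
 * Returns the number of bytes (terminator included) written at or past
 * text[textsz]; in checked mode this is always 0. */
static size_t expand_spam_template(char *text, size_t textsz,
                                   const char *tmpl, const char *hdr,
                                   const regmatch_t *pm, size_t nmatch,
                                   int check_literals)
{
    size_t n = 0, overflow = 0;

    for (const char *p = tmpl; *p; p++) {
        if (*p == '%' && p[1] >= '1' && p[1] <= '9') {
            size_t g = (size_t)(p[1] - '0');
            p++;                                  /* consume the digit */
            if (g >= nmatch || pm[g].rm_so < 0)
                continue;                         /* group did not match */
            size_t len = (size_t)(pm[g].rm_eo - pm[g].rm_so);
            if (len > textsz - 1 - n)             /* match copy is bounded */
                len = textsz - 1 - n;
            memcpy(text + n, hdr + pm[g].rm_so, len);
            n += len;
        } else {
            if (check_literals) {
                if (n >= textsz - 1)
                    break;                        /* hardened: stop at the end */
            } else if (n >= textsz) {
                overflow++;                       /* vulnerable: past the buffer */
            }
            text[n++] = *p;
        }
    }
    if (!check_literals && n >= textsz)
        overflow++;                               /* the terminator lands outside too */
    text[n] = '\0';
    return overflow;
}

/* Runs the ticket's scenario, the spam line
 *   spam "^X-Spam-Score: (.*)" "%1 <-- Look, this is spam!"
 * against a constructed header whose value is hdr_value_len 'x' bytes.
 * The text buffer is followed by a canary region (all 'C') so anything
 * written past it can be inspected.  Returns the overflow count and, if
 * canary is non-NULL, copies the CANARY_SIZE canary bytes into it. */
static size_t run_spam_case(size_t hdr_value_len, int check_literals,
                            char *canary)
{
    const char *pattern = "^X-Spam-Score: (.*)";
    const char *tmpl    = "%1 <-- Look, this is spam!";
    const char *name    = "X-Spam-Score: ";
    char *hdr = malloc(strlen(name) + hdr_value_len + 1);
    char *mem = malloc(TEXT_SIZE + CANARY_SIZE);
    regex_t re;
    regmatch_t pm[2];
    size_t overflow = 0;

    if (!hdr || !mem) { free(hdr); free(mem); return (size_t)-1; }
    strcpy(hdr, name);                            /* constructed attacker header */
    memset(hdr + strlen(name), 'x', hdr_value_len);
    hdr[strlen(name) + hdr_value_len] = '\0';

    memset(mem, 'C', TEXT_SIZE + CANARY_SIZE);
    mem[TEXT_SIZE + CANARY_SIZE - 1] = '\0';      /* keep the canary printable */

    if (regcomp(&re, pattern, REG_EXTENDED) == 0) {
        if (regexec(&re, hdr, 2, pm, 0) == 0)
            overflow = expand_spam_template(mem, TEXT_SIZE, tmpl, hdr,
                                            pm, 2, check_literals);
        regfree(&re);
    }
    if (canary) memcpy(canary, mem + TEXT_SIZE, CANARY_SIZE);
    free(hdr);
    free(mem);
    return overflow;
}

int main(void)
{
    char canary[CANARY_SIZE];
    size_t ov = run_spam_case(2000, 0, canary);
    printf("unchecked: %zu byte(s) past the buffer, canary now \"%s\"\n", ov, canary);
    ov = run_spam_case(2000, 1, canary);
    printf("checked:   %zu byte(s) past the buffer, canary intact: %s\n", ov,
           canary[0] == 'C' ? "yes" : "no");
    return 0;
}
```

Because the model reserves one byte for the terminator when it caps the match, the first literal byte (the space) still fits and the text found in the canary starts at "<--"; in the ticket's account of Mutt the whole literal spills. A header value shorter than the buffer produces no overflow in either mode, which is why the defect only shows up with an oversized header and a template that has literal text after the match.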