Bugtraq mailing list archives
mutt x.x
From: paul () BOEHM ORG (Paul Boehm)
Date: Tue, 28 Jul 1998 20:17:57 +0200
Hi,

all (newer??) versions of mutt have got an overflowable buffer in parse.c. When sending a specially formatted Content-Type in the header you can, when putting special purpose shellcode that doesn't contain any / ; \n and spaces, execute arbitrary code on the mutt running user's system. The overflow occurs when opening the mailbox containing the malicious email. So, you don't even have to view that "evil" email for this to work.

Michael Elkins (mutt author) has already been notified. My personal (non official) patch is included, expect an official patch (new version?) from him soon.

Use this patch against mutt 0.93(i):

--snip-- --- parse.c.old Tue Jul 28 18:25:50 1998 +++ parse.c Tue Jul 28 18:25:56 1998 @@ -268,7 +268,7 @@ if ((pc = strchr(s, '/'))) { *pc++ = 0; - while (*pc && !ISSPACE (*pc) && *pc != ';') + while (*pc && !ISSPACE (*pc) && *pc != ';' && i < (SHORT_STRING - 1)) { buffer[i++] = *pc; pc++; --snip--

bye,
paul

--
[ Paul S. Boehm | paul () boehm priv at | http://paul.boehm.org/ | infected@irc ]
Money is what gives a programmer his resources. It's an exchange system created by human beings. It surrounds us. Works for us, binds the economy together.
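Review bot: The new bound in the `while` condition, `i < (SHORT_STRING - 1)`, hard-codes the size of `buffer`, whose declaration is not visible in this hunk; tying the limit to the array itself, for example `i < sizeof (buffer) - 1`, keeps the check correct if the declaration ever changes. The hunk also does not show where `i` is initialised or where `buffer` is NUL-terminated after the loop, so both should be confirmed to match the `- 1` reserved here. Finally, when the limit is reached the loop exits with `pc` still pointing into the oversized subtype, so the value is truncated silently and whatever follows the loop sees the leftover characters; consider advancing `pc` to the next space or `;` before continuing, or rejecting the header outright.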