oss-sec mailing list archives
CVE request: mutt: heap-based buffer overflow in mutt_substrdup()
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 27 Nov 2014 14:49:27 +1100
Good morning, Jakub Wilk reported a crash in mutt: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125 Looking in mutt-1.5.23-2.fc20.x86_64: char *mutt_substrdup (const char *begin, const char *end) { size_t len; char *p; if (end) len = end - begin; else len = strlen (begin); p = safe_malloc (len + 1); memcpy (p, begin, len); p[len] = 0; return p; }"end" can be less than "begin", and in this case -1 tries to be stored in the unsigned int len. The safe_malloc will therefore be called with "0" (due to the +1), and then the following memcpy will use the huge len.
(gdb) b mutt_substrdup Breakpoint 1 at 0x46daf0: file lib.c, line 814. (gdb) c Continuing. Breakpoint 1, mutt_substrdup (begin=begin@entry=0xe4b630 "From jwilk () jwilk net Wed Nov 26 18:01:22 2014\nFrom:\n\rI\n",
end=end@entry=0xe4b65e "From:\n\rI\n") at lib.c:814 814 { (gdb) c Continuing. Breakpoint 1, mutt_substrdup (begin=begin@entry=0xe4b65e "From:\n\rI\n", end=end@entry=0xe4b662 ":\n\rI\n") at lib.c:814 814 { (gdb) c Continuing.Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n", end=end@entry=0xe4b664 "\rI\n") at lib.c:814
814 { (gdb) x/s begin 0xe4b665: "I\n" (gdb) x/s end 0xe4b664: "\rI\n" (gdb) n 818 if (end) (gdb) n 819 len = end - begin; (gdb) n 823 p = safe_malloc (len + 1); (gdb) p len $1 = 18446744073709551615 (gdb) p len + 1 $2 = 0 We haven't looked yet where the overlap occurs, nor have a patch yet. I did have to put "set weed=off" in .muttrc for the issue to present. Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()) Debian Bug Tracking System (Nov 27)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Murray McAllister (Nov 26)
- Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() cve-assign (Nov 26)
- Re: Bug#771125: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() Antonio Radici (Nov 27)