#3716: mutt: write_one_header can call mutt_substrdup with begin > end, leading to crash
--------------------+----------------------
Reporter: thoger | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version: 1.5.23
Keywords: |
--------------------+----------------------
This is the same problem that was previously reported in ticket #3609. Somewhat
corrupted mail headers can cause mutt to call mutt_substrdup with begin >
end, which leads to a crash. A test case can be found in the Debian bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

Run with:

  $ mutt -R -f crasher.mbox -e 'set weed=no'

As far as I can see, the original fix, which made write_one_header only
skip space and tab, was regressed in this commit, which made it skip \r
and \n again:

http://dev.mutt.org/trac/changeset/f251d523ca5a#file9

Note that this got CVE-2014-9116 assigned, even though this does not seem
to allow code execution.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3716>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
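
The condition the ticket describes, as an added C illustration that is not mutt's code and not part of the original report: a whitespace skip that also consumes \r and \n can move the start of a header value past the end of its line, so a substring copy receives begin > end. The names skip_wsp, skip_ws_crlf, value_gap and substrdup_checked are hypothetical, and the sample header is constructed, not the Debian test case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input (not the Debian test case): empty value, then a second header. */
static const char sample[] = "X-Empty:\nSubject: hi\n";

/* Bounded skip of WSP only (space and tab). */
const char *skip_wsp(const char *t, const char *end)
{
    while (t < end && (*t == ' ' || *t == '\t'))
        t++;
    return t;
}

/* Unbounded skip that also consumes CR and LF, so it can pass the line end. */
const char *skip_ws_crlf(const char *t)
{
    while (*t == ' ' || *t == '\t' || *t == '\r' || *t == '\n')
        t++;
    return t;
}

/* Value start minus line end for the first header; > 0 means begin > end. */
long value_gap(int skip_crlf)
{
    const char *end = strchr(sample, '\n');
    const char *t = strchr(sample, ':') + 1;
    return (long)((skip_crlf ? skip_ws_crlf(t) : skip_wsp(t, end)) - end);
}

/* Hypothetical checked copy of [begin, end): refuses an inverted range. */
char *substrdup_checked(const char *begin, const char *end)
{
    if (!begin || !end || begin > end)
        return NULL;
    size_t len = (size_t)(end - begin);
    char *p = malloc(len + 1);
    if (p) {
        memcpy(p, begin, len);
        p[len] = '\0';
    }
    return p;
}

int main(void)
{
    printf("WSP only: gap=%ld, with CR/LF: gap=%ld\n", value_gap(0), value_gap(1));
    return 0;
}
```

A positive gap is the inverted range; a copy routine that derives its length from end - begin without the check would be handed a negative length.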