Bug 13004 - mutt new security issue CVE-2014-0467
: mutt new security issue CVE-2014-0467
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/590373/
: MGA3TOO advisory mga4-32-ok MGA4-64-O...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-12 18:32 CET by David Walser
Modified: 2014-03-31 21:31 CEST (History)
6 users (show)

See Also:
Source RPM: mutt-1.5.21-12.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-03-12 18:32:04 CET
Debian has issued an advisory today (March 12):
https://lists.debian.org/debian-security-announce/2014/msg00045.html

The Debian bug is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-13 16:31:31 CET
Here's the actual DSA link:
http://www.debian.org/security/2014/dsa-2874
Comment 2 Oden Eriksson 2014-03-18 13:10:44 CET
fixed with mutt-1.5.21-13.mga5, mutt-1.5.21-12.1.mga4, mutt-1.5.21-10.1.mga3.
Comment 3 David Walser 2014-03-18 18:01:49 CET
Thanks Oden!

Advisory:
========================

Updated mutt packages fix security vulnerabilities:

A heap-based buffer overflow flaw was found in the way mutt processed certain
email headers. A remote attacker could use this flaw to send an email with
specially crafted headers that, when processed, could cause mutt to crash or,
potentially, execute arbitrary code with the permissions of the user running
mutt (CVE-2014-0467).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
https://rhn.redhat.com/errata/RHSA-2014-0304.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.5.21-10.1.mga3
mutt-utf8-1.5.21-10.1.mga3
mutt-doc-1.5.21-10.1.mga3
mutt-1.5.21-12.1.mga4
mutt-utf8-1.5.21-12.1.mga4
mutt-doc-1.5.21-12.1.mga4

from SRPMS:
mutt-1.5.21-10.1.mga3.src.rpm
mutt-1.5.21-12.1.mga4.src.rpm
Comment 4 Lewis Smith 2014-03-18 21:43:26 CET
Tested MGA4 on real 64-bit hardware. OK.

To get the orginal fault to happen, *this* link is the one:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731
msgs 17 & 22.
The catch, once you get the unzipped given test msgbox file:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=mutt_killing_message_from_DebianBTS.gz;att=1;bug=708731
displayed with
 mutt -f [path-to]mutt_killing_message_from_DebianBTS
use 'h'.

As released, this crashed Mutt (in my case once a segfault, subsequently a malloc() error which seized up the console).

Updated to testing version 12.1, and using 'h' on the test msgbox file gave no error. OK.
Comment 5 claire robinson 2014-03-25 08:58:46 CET
Testing complete mga3 32 & 64 vbox

Following Lewis procedure and pressing h causes a segfault. Fixed by the update.
Comment 6 claire robinson 2014-03-25 09:04:36 CET
Testing complete mga4 32

Validating. Advisory previously uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 7 Pascal Terjan 2014-03-31 21:31:26 CEST
http://advisories.mageia.org/MGASA-2014-0141.html

Note You need to log in before you can comment on or make changes to this bug.