Debian has issued an advisory today (March 12):
The Debian bug is here:
Steps to Reproduce:
Here's the actual DSA link:
fixed with mutt-1.5.21-13.mga5, mutt-1.5.21-12.1.mga4, mutt-1.5.21-10.1.mga3.
Updated mutt packages fix security vulnerabilities:
A heap-based buffer overflow flaw was found in the way mutt processed certain
email headers. A remote attacker could use this flaw to send an email with
specially crafted headers that, when processed, could cause mutt to crash or,
potentially, execute arbitrary code with the permissions of the user running
Updated packages in core/updates_testing:
Tested MGA4 on real 64-bit hardware. OK.
To get the orginal fault to happen, *this* link is the one:
msgs 17 & 22.
The catch, once you get the unzipped given test msgbox file:
mutt -f [path-to]mutt_killing_message_from_DebianBTS
As released, this crashed Mutt (in my case once a segfault, subsequently a malloc() error which seized up the console).
Updated to testing version 12.1, and using 'h' on the test msgbox file gave no error. OK.
Testing complete mga3 32 & 64 vbox
Following Lewis procedure and pressing h causes a segfault. Fixed by the update.
Testing complete mga4 32
Validating. Advisory previously uploaded.
Could sysadmin please push to 3 & 4 updates