
The e-mail reader Mutt 0.93 contains a buffer overflow in its handling of the Content-Type header field.


[ http://www.rootshell.com/ ]

Date:         Tue, 28 Jul 1998 20:17:57 +0200
From:         Paul Boehm <paul@BOEHM.ORG>
Subject:      mutt x.x

Hi, all (newer??) versions of mutt have got an overflowable buffer in
parse.c. When sending a specially formatted Content-Type in the header you
can, when putting in special-purpose shellcode that doesn't contain any / ; \n
or spaces, execute arbitrary code on the system of the user running mutt.

The overflow occurs when opening the mailbox containing the malicious
email. So, you don't even have to view that "evil" email for this to work.

Michael Elkins (mutt author) has already been notified. My personal (non-
official) patch is included; expect an official patch (new version?) from him
soon.

Use this patch against mutt 0.93(i):

--snip--
--- parse.c.old Tue Jul 28 18:25:50 1998
+++ parse.c     Tue Jul 28 18:25:56 1998
@@ -268,7 +268,7 @@
   if ((pc = strchr(s, '/')))
   {
     *pc++ = 0;
-    while (*pc && !ISSPACE (*pc) && *pc != ';')
+    while (*pc && !ISSPACE (*pc) && *pc != ';' && i < (SHORT_STRING - 1))
     {
       buffer[i++] = *pc;
       pc++;
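Review bot: the added `i < (SHORT_STRING - 1)` condition stops the copy with one byte to spare for a terminator, but when it fires `pc` is left pointing into the middle of the over-long subtype rather than at the next space or `;`, so whatever follows this loop and consumes the parameter list will start reading from the unread tail of the subtype. Consider draining the remainder after the loop, e.g. `while (*pc && !ISSPACE (*pc) && *pc != ';') pc++;`, and confirm that the code after the hunk (not shown) still writes `buffer[i] = 0` so the truncated value is NUL-terminated.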
--snip--

bye,
    paul

--

[ Paul S. Boehm | paul@boehm.priv.at | http://paul.boehm.org/ | infected@irc ]

Money is what gives a programmer his resources. It's an exchange system created
by human beings. It surrounds us. Works for us, binds the economy together.
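As an added illustration of the bug and the fix described in the message above (example code, not mutt's parse.c and not from the message's author): a minimal model of the Content-Type subtype copy, with the unbounded pre-patch loop beside a bounded version that also drains the part of the subtype that did not fit, so the parameter list is still found after truncation. SHORT_STRING is assumed to be 128 here; the page does not give mutt's value, and all function names and the sample header values are the example's own.

```c
/* Added example, not mutt's parse.c: a minimal model of the Content-Type
 * subtype copy the message describes. SHORT_STRING is assumed to be 128
 * (the page does not state mutt's value). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHORT_STRING 128
#define ISSPACE(c) isspace((unsigned char)(c))

/* Pre-patch shape of the loop: copies until a space, ';' or NUL with no
 * length check, so a subtype longer than SHORT_STRING-1 bytes writes past
 * the end of buffer[]. Kept only for contrast; only feed it short input. */
size_t copy_subtype_unbounded(const char *pc, char buffer[SHORT_STRING],
                              const char **rest)
{
    size_t i = 0;
    while (*pc && !ISSPACE(*pc) && *pc != ';')
        buffer[i++] = *pc++;
    buffer[i] = '\0';
    *rest = pc;
    return i;
}

/* Patched shape: the extra "i < SHORT_STRING - 1" test stops the copy with
 * one byte left for the terminator. On its own that leaves pc in the middle
 * of an over-long subtype, so the tail is skipped up to the next delimiter
 * before *rest is handed to whatever parses the parameters. */
size_t copy_subtype_bounded(const char *pc, char buffer[SHORT_STRING],
                            const char **rest, int *truncated)
{
    size_t i = 0;
    while (*pc && !ISSPACE(*pc) && *pc != ';' && i < (SHORT_STRING - 1))
        buffer[i++] = *pc++;
    buffer[i] = '\0';
    *truncated = 0;
    while (*pc && !ISSPACE(*pc) && *pc != ';') {
        *truncated = 1;               /* discarding the part that did not fit */
        pc++;
    }
    *rest = pc;
    return i;
}

/* Split "type/subtype; params" using the bounded copy. Returns 0 on success,
 * -1 when the value has no '/' (malformed; nothing is written). */
int parse_content_type(const char *value, char type[SHORT_STRING],
                       char subtype[SHORT_STRING], const char **params,
                       int *truncated)
{
    const char *slash = strchr(value, '/');
    if (!slash)
        return -1;
    size_t tlen = (size_t)(slash - value);
    if (tlen > SHORT_STRING - 1)
        tlen = SHORT_STRING - 1;       /* same bound for the major type */
    memcpy(type, value, tlen);
    type[tlen] = '\0';
    copy_subtype_bounded(slash + 1, subtype, params, truncated);
    return 0;
}

/* Constructed sample input: a Content-Type whose subtype is n filler bytes,
 * followed by a parameter list. Returns 0 if out is too small, else 1. */
int make_overlong_content_type(char *out, size_t cap, size_t n)
{
    const char *head = "multipart/", *tail = "; boundary=x";
    if (cap < strlen(head) + n + strlen(tail) + 1)
        return 0;
    strcpy(out, head);
    memset(out + strlen(head), 'A', n);
    strcpy(out + strlen(head) + n, tail);
    return 1;
}

int main(void)
{
    char type[SHORT_STRING], sub[SHORT_STRING], value[512];
    const char *params;
    int truncated;

    parse_content_type("text/plain; charset=us-ascii", type, sub, &params, &truncated);
    printf("%s / %s params=\"%s\" truncated=%d\n", type, sub, params, truncated);

    make_overlong_content_type(value, sizeof value, 300);
    parse_content_type(value, type, sub, &params, &truncated);
    printf("subtype kept %zu bytes, truncated=%d, params=\"%s\"\n",
           strlen(sub), truncated, params);
    return 0;
}
```

The bounded copy keeps at most SHORT_STRING-1 bytes and always terminates the buffer; the second loop is what keeps the parameter list (everything from the `;` on) reachable even when the subtype was cut, which the one-line patch in the message does not do by itself.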
