COMMAND

    mutt buffer overflow in IMAP client

SYSTEMS AFFECTED

    Mutt 1.4.x, 1.5.x ?

PROBLEM

    Thomas Roessler says:

    A buffer overflow in mutt's IMAP client code which was identified by
    Core Security Technologies, and fixed by Edmund Grimley Evans.

    Update (20 March 2003)
    ======================

    In Core Security Technologies Advisory [CORE-20030304-02]:

    This vulnerability was found by Diego Kelyacoubian, Javier Kohen,
    Alberto Solino, and Juan Vera from Core Security Technologies during
    Bugweek 2003 (March 3-7, 2003)

    http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10

    --snip--

    According to RFC2060 (INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1),
    section 5.1.3:

      "By convention, international mailbox names are specified using a
      modified version of the UTF-7 encoding described in [UTF-7]."

    When mutt has to convert from its internal representation in UTF-8 to
    the UTF-7-like encoding, it indirectly calls the function utf8_to_utf7()
    in module imap/utf7.c. The aforementioned function miscalculates the
    maximum output length; therefore, provided that one can control the IMAP
    server, it is possible to craft a folder name that will generate output
    at least 50% larger than the calculated maximum.

    These perl one-liners will generate two different folder names whose
    length is past the calculated maximum:

      perl -e 'print (chr(0x10) x 20)'
      perl -e 'print ((chr(0x10) . chr(0x41)) x 20)'

    --snap--

SOLUTION

    Mutt versions 1.4.1 and 1.5.4 have just been released and will soon be
    available from:

    ftp://ftp.mutt.org/mutt/
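The bug class here is an output buffer sized from an underestimate of how much the modified UTF-7 encoding can grow the input. The following is an added example, not mutt's utf8_to_utf7() nor anything from the advisory: a reference encoder for RFC 2060 section 5.1.3 mailbox names, a conservative output-size bound derived here (4n + 2 for n UTF-8 bytes, which is not the formula mutt used), and a helper that measures the real expansion of the two folder names produced by the one-liners above, so a reviewer can check an implementation's allocation against observed output sizes.

```python
import base64

# Modified UTF-7 for IMAP mailbox names (RFC 2060 section 5.1.3):
# printable US-ASCII (0x20..0x7E) is copied through, '&' becomes "&-",
# and every other code point is collected into an "&...-" run holding
# its UTF-16BE form in modified base64 (',' instead of '/', no '=' padding).
def utf8_to_modified_utf7(text: str) -> bytes:
    out = bytearray()
    run = []  # code points waiting to be emitted as one "&...-" run

    def flush_run() -> None:
        if run:
            b16 = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(b16).rstrip(b"=").replace(b"/", b",")
            out.extend(b"&" + b64 + b"-")
            run.clear()

    for ch in text:
        if 0x20 <= ord(ch) <= 0x7E:
            flush_run()
            out.extend(b"&-" if ch == "&" else ch.encode("ascii"))
        else:
            run.append(ch)
    flush_run()
    return bytes(out)


# Conservative upper bound on the encoded size for n bytes of UTF-8 input.
# This is my own derivation, not mutt's calculation: an isolated control byte
# costs 5 output bytes ("&ABA-"), and control bytes alternating with '&'
# approach 3.5 output bytes per input byte, so 4n + 2 always suffices.
def safe_output_bound(utf8_len: int) -> int:
    return 4 * utf8_len + 2


def expansion_ratio(text: str) -> float:
    """Encoded length divided by the UTF-8 length of the input."""
    return len(utf8_to_modified_utf7(text)) / len(text.encode("utf-8"))


def fits_bound(text: str) -> bool:
    """True when the real encoded length stays within safe_output_bound()."""
    n = len(text.encode("utf-8"))
    return len(utf8_to_modified_utf7(text)) <= safe_output_bound(n)


if __name__ == "__main__":
    # The two folder names from the advisory's perl one-liners, constructed here.
    for name in ("\x10" * 20, "\x10A" * 20):
        enc = utf8_to_modified_utf7(name)
        print(len(name.encode()), "->", len(enc), "bytes, ratio", expansion_ratio(name))
```

The first name (20 control bytes) encodes to 56 bytes and the second (control byte alternating with 'A') to 120 bytes, i.e. 2.8x and 3.0x the input, which is why a length estimate that assumes only modest growth leaves the destination buffer short.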