COMMAND

	mutt buffer overflow in IMAP client

SYSTEMS AFFECTED

	Mutt 1.4.x, 1.5.x ?

PROBLEM

	Thomas Roessler says :
	
	A buffer overflow in mutt's IMAP client code  which  was  identified  by
	Core Security Technologies, and fixed by Edmund Grimley Evans.
	
	 Update (20 March 2003)
	 ======
	
	In Core Security Technologies Advisory [CORE-20030304-02] :
	
	This vulnerability  was  found  by  Diego  Kelyacoubian,  Javier  Kohen,
	Alberto Solino, and Juan Vera from  Core  Security  Technologies  during
	Bugweek 2003 (March 3-7, 2003)
	
	 http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10
	
	--snip--
	
	According to the RFC2060 (INTERNET MESSAGE  ACCESS  PROTOCOL  -  VERSION
	4rev1), section 5.1.3: "By convention, international mailbox  names  are
	specified using a modified version of the UTF-7  encoding  described  in
	[UTF-7]."
	
	When mutt has to convert from its internal representation  in  UTF-8  to
	UTF-7-like encoding it calls indirectly the function  utf8_to_utf7()  in
	module  imap/utf7.c.  The  aforementioned  function  miscalculates   the
	maximum output length; therefore provided that one can control the  IMAP
	server, it is possible to craft a folder name that will generate  output
	at least 50% larger than the calculated maximum.
	
	These perl oneliners will generate  two  different  folder  names  whose
	length is past the calculated maximum:
	
	   perl -e 'print (chr(0x10) x 20)'
	   perl -e 'print ((chr(0x10) . chr(0x41)) x 20)'
	
	
	--snap--

SOLUTION

	Mutt versions 1.4.1 and 1.5.4 have just been released and will  soon  be
	available from :
	
	 ftp://ftp.mutt.org/mutt/