
Debian Bug report logs - #771125
mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with begin > end, leading to crash


Package: mutt; Maintainer for mutt is Mutt maintainers <mutt@packages.debian.org>; Source for mutt is src:mutt (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Wed, 26 Nov 2014 23:45:01 UTC

Severity: serious

Tags: security

Found in versions mutt/1.5.23-1.1, mutt/1.5.21-6.2+deb7u2

Fixed in versions mutt/1.5.23-2, mutt/1.5.20-9+squeeze4, mutt/1.5.21-6.2+deb7u3

Done: Antonio Radici <antonio@dyne.org>

Bug is archived. No further changes may be made.

Forwarded to http://dev.mutt.org/trac/ticket/3716



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Wed, 26 Nov 2014 23:45:06 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mutt: buffer overflow
Date: Thu, 27 Nov 2014 00:37:49 +0100
Package: mutt
Version: 1.5.23-1.1
Tags: security

mutt segfaults when trying to show the attached message. (You might need 
to disable header weeding to trigger the crash.)

Backtrace:

#0  __memcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../memcpy.S:90
#1  0x080b74fa in memcpy (__len=4294967295, __src=0x8a45b65, __dest=0x8a45b65) at /usr/include/i386-linux-gnu/bits/string3.h:51
#2  mutt_substrdup (begin=0x8a45b65 "I\n", end=0x8a45b64 "\rI\n") at ../lib.c:824
#3  0x080ac13f in write_one_header (fp=0x8a45b65, pfxw=0, max=2147483647, wraplen=180, pfx=0x0, start=0x8a45b5e "From:\n\rI\n", end=0x8a45b64 "\rI\n", flags=262164) at ../sendlib.c:1818
#4  0x080aefaa in mutt_write_one_header (fp=0x8a45900, tag=0x8a45b5e "From:\n\rI\n", value=0x8a45b63 "\n\rI\n", pfx=0x0, wraplen=180, flags=262164) at ../sendlib.c:1894
#5  0x0806248a in mutt_copy_hdr (in=0x0, out=0x8a45900, off_start=622720505018843140, off_end=<optimized out>, flags=262164, prefix=0x0) at ../copy.c:290
#6  0x08062bad in mutt_copy_header (in=0x7fffffff, h=0x8a44668, out=0x8a45900, flags=262164, prefix=0x0) at ../copy.c:351
#7  0x08062fbf in _mutt_copy_message (fpout=0x8a45900, fpin=0x8a3b3e8, hdr=0x8a44668, body=0x8a44750, flags=76, chflags=262164) at ../copy.c:571
#8  0x0806363b in mutt_copy_message (fpout=0x8a45900, src=0x8a3b910, hdr=0x8a44668, flags=76, chflags=262164) at ../copy.c:688
#9  0x0805c3b6 in mutt_display_message (cur=0x8a44668) at ../commands.c:148
#10 0x08068e9a in mutt_index_menu () at ../curs_main.c:1227
#11 0x0804e696 in main (argc=<optimized out>, argv=0xffc99284) at ../main.c:1056


This bug was brought to you by American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mutt depends on:
ii  libassuan0         2.1.2-2
ii  libc6              2.19-13
ii  libcomerr2         1.42.12-1
ii  libgnutls-deb0-28  3.3.8-5
ii  libgpg-error0      1.17-2
ii  libgpgme11         1.5.1-6
ii  libgssapi-krb5-2   1.12.1+dfsg-15
ii  libidn11           1.29-1
ii  libk5crypto3       1.12.1+dfsg-15
ii  libkrb5-3          1.12.1+dfsg-15
ii  libncursesw5       5.9+20140913-1
ii  libsasl2-2         2.1.26.dfsg1-12
ii  libtinfo5          5.9+20140913-1
ii  libtokyocabinet9   1.4.48-3

-- 
Jakub Wilk
[crasher.mbox.gz (application/gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 03:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 03:51:05 GMT) (full text, mbox, link).


Message #8 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 771125@bugs.debian.org
Subject: CVE request: mutt: heap-based buffer overflow in mutt_substrdup()
Date: Thu, 27 Nov 2014 14:49:27 +1100
Good morning,

Jakub Wilk reported a crash in mutt:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

Looking in mutt-1.5.23-2.fc20.x86_64:

char *mutt_substrdup (const char *begin, const char *end)
{
  size_t len;
  char *p;

  if (end)
    len = end - begin;
  else
    len = strlen (begin);

  p = safe_malloc (len + 1);
  memcpy (p, begin, len);
  p[len] = 0;
  return p;
}

"end" can be less than "begin", and in this case -1 tries to be stored 
in the unsigned int len. The safe_malloc will therefore be called with 
"0" (due to the +1), and then the following memcpy will use the huge len.

(gdb) b mutt_substrdup
Breakpoint 1 at 0x46daf0: file lib.c, line 814.
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (
    begin=begin@entry=0xe4b630 "From jwilk@jwilk.net Wed Nov 26 18:01:22 2014\nFrom:\n\rI\n",
    end=end@entry=0xe4b65e "From:\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=begin@entry=0xe4b65e "From:\n\rI\n",
    end=end@entry=0xe4b662 ":\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n", end=end@entry=0xe4b664 "\rI\n") at lib.c:814
814     {
(gdb) x/s begin
0xe4b665:       "I\n"
(gdb) x/s end
0xe4b664:       "\rI\n"
(gdb) n
818       if (end)
(gdb) n
819         len = end - begin;
(gdb) n
823       p = safe_malloc (len + 1);
(gdb) p len
$1 = 18446744073709551615
(gdb) p len + 1
$2 = 0

We haven't looked yet where the overlap occurs, nor have a patch yet.

I did have to put "set weed=off" in .muttrc for the issue to present.

Cheers,

--
Murray McAllister / Red Hat Product Security
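
The length arithmetic described in the message above, worked through on the header bytes from the backtrace. This is an added example, not mutt's code and not part of the original thread; `checked_substrdup`, `value_start`, `range_inverted` and the two whitespace macros are hypothetical names, and the header split is a simplified model of the behaviour discussed in this bug.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the header bytes shown in the backtrace above. */
static const char HEADER[] = "From:\n\rI\n";
#define HEADER_LINE_LEN 6   /* "From:\n": end of the first header line */

/* Stand-ins (assumptions) for a whitespace set that includes CR/LF
 * and one limited to space and tab. */
#define WSP_WITH_NEWLINES " \t\r\n"
#define WSP_RFC           " \t"

/* Length as computed in the quoted mutt_substrdup(): no ordering check,
 * so end < begin converts a negative difference to a huge size_t. */
static size_t unchecked_len(const char *begin, const char *end)
{
    return end ? (size_t)(end - begin) : strlen(begin);
}

/* Hypothetical hardened variant: rejects an inverted range, and keeps
 * end == NULL meaning "copy up to the terminating NUL". */
static char *checked_substrdup(const char *begin, const char *end)
{
    size_t len;
    char *p;

    if (begin == NULL)
        return NULL;
    if (end != NULL) {
        if (end < begin)
            return NULL;            /* inverted range: refuse to copy */
        len = (size_t)(end - begin);
    } else {
        len = strlen(begin);
    }
    p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, begin, len);
    p[len] = '\0';
    return p;
}

/* Model of the header split: find the colon, then skip every character
 * in `wsp`. Returns the start of the value, or NULL without a colon. */
static const char *value_start(const char *start, const char *wsp)
{
    const char *t = strchr(start, ':');

    if (t == NULL)
        return NULL;
    t++;
    while (*t != '\0' && strchr(wsp, *t) != NULL)
        t++;
    return t;
}

/* 1 if the value start lands past the end of the header line. */
static int range_inverted(const char *start, size_t line_len, const char *wsp)
{
    const char *v = value_start(start, wsp);
    return v != NULL && v > start + line_len;
}

int main(void)
{
    const char *end = HEADER + HEADER_LINE_LEN;
    const char *bad = value_start(HEADER, WSP_WITH_NEWLINES);
    char *val = checked_substrdup(value_start(HEADER, WSP_RFC), end);

    printf("newline-skipping set inverts range: %d\n",
           range_inverted(HEADER, HEADER_LINE_LEN, WSP_WITH_NEWLINES));
    printf("unchecked len = %zu, len + 1 = %zu\n",
           unchecked_len(bad, end), unchecked_len(bad, end) + 1);
    printf("checked copy of inverted range: %s\n",
           checked_substrdup(bad, end) ? "copied" : "rejected");
    printf("space/tab-only set inverts range: %d, value is %zu byte(s)\n",
           range_inverted(HEADER, HEADER_LINE_LEN, WSP_RFC), strlen(val));
    free(val);
    return 0;
}
```
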



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 04:15:10 GMT) (full text, mbox, link).


Acknowledgement sent to oss-security@lists.openwall.com:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 04:15:10 GMT) (full text, mbox, link).


Message #13 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 771125@bugs.debian.org
Subject: Re: [oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()
Date: Thu, 27 Nov 2014 15:11:12 +1100
> I did have to put "set weed=off" in .muttrc for the issue to present.

Sorry, that should be "no" not "off".

Cheers




Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 04:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 04:27:05 GMT) (full text, mbox, link).


Message #18 received at 771125@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 771125@bugs.debian.org
Subject: Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup()
Date: Wed, 26 Nov 2014 23:14:17 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

> mutt segfaults when trying to show the attached message. (You might need
> to disable header weeding to trigger the crash.)

Use CVE-2014-9116.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----



Changed Bug title to 'mutt: CVE-2014-9116: buffer overflow' from 'mutt: buffer overflow' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Thu, 27 Nov 2014 04:42:11 GMT) (full text, mbox, link).


Marked as found in versions mutt/1.5.21-6.2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2014 08:51:19 GMT) (full text, mbox, link).


Severity set to 'grave' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2014 09:51:17 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 11:57:35 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@dyne.org>:
Extra info received and forwarded to list. (Thu, 27 Nov 2014 11:57:35 GMT) (full text, mbox, link).


Message #29 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@dyne.org>
To: mmcallis@redhat.com, 771125@bugs.debian.org
Cc: oss-security@lists.openwall.com
Subject: Re: Bug#771125: CVE request: mutt: heap-based buffer overflow in mutt_substrdup()
Date: Thu, 27 Nov 2014 11:37:51 +0000
On Thu, Nov 27, 2014 at 02:49:27PM +1100, Murray McAllister wrote:
> Good morning,
> 
> Jakub Wilk reported a crash in mutt:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125
> 
> Looking in mutt-1.5.23-2.fc20.x86_64:
[...]

I'll have a patch/solution ready for this by tonight; thanks for reporting it.



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 22:27:15 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 22:27:15 GMT) (full text, mbox, link).


Message #34 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@debian.org>
To: team@security.debian.org
Cc: 771125@bugs.debian.org
Subject: please review mutt-1.5.21-6.2+deb7u3
Date: Thu, 27 Nov 2014 22:13:39 +0000
Hi,
this patch fixes the buffer overflow + RCE in the mutt version that is
currently in stable; I have already got the packages built and ready to be
uploaded.

Bug: http://bugs.debian.org/771125
CVE: CVE-2014-9116

Debdiff of the *dsc against the current version in stable is attached; let me
know if you need anything else.

Cheers
Antonio
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 22:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 22:33:04 GMT) (full text, mbox, link).


Message #39 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@debian.org>
To: team@security.debian.org
Cc: 771125@bugs.debian.org
Subject: Re: Bug#771125: please review mutt-1.5.21-6.2+deb7u3
Date: Thu, 27 Nov 2014 22:26:37 +0000
And the attachment is now, actually, attached :)

On Thu, Nov 27, 2014 at 10:13:39PM +0000, Antonio Radici wrote:
> Hi,
> this patch fixes the buffer overflow + RCE in the mutt version that is
> currently in stable; I have already got the packages built and ready to be
> uploaded.
> 
> Bug: http://bugs.debian.org/771125
> CVE: CVE-2014-9116
> 
> Debdiff of the *dsc against the current version in stable is attached; let me
> know if you need anything else.
> 
> Cheers
> Antonio


[mutt-debdiff-1.5.21-6.2+deb7u2-1.5.21-6.2+deb7u3.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 22:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Thu, 27 Nov 2014 22:51:10 GMT) (full text, mbox, link).


Message #44 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@debian.org>
To: 771125@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#771125: please review mutt-1.5.21-6.2+deb7u3
Date: Thu, 27 Nov 2014 22:42:35 +0000
A better debdiff is included, this does not include two vim artifacts at the
end of the first patch, sorry for the inconvenience.

On Thu, Nov 27, 2014 at 10:26:37PM +0000, Antonio Radici wrote:
> And the attachment is now, actually, attached :)
> 
> On Thu, Nov 27, 2014 at 10:13:39PM +0000, Antonio Radici wrote:
> > Hi,
> > this patch fixes the buffer overflow + RCE in the mutt version that is
> > currently in stable; I have already got the packages built and ready to be
> > uploaded.
> > 
> > Bug: http://bugs.debian.org/771125
> > CVE: CVE-2014-9116
> > 
> > Debdiff of the *dsc against the current version in stable is attached; let me
> > know if you need anything else.
> > 
> > Cheers
> > Antonio
[mutt-debdiff-1.5.21-6.2+deb7u2-1.5.21-6.2+deb7u3.diff-1 (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 23:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@dyne.org>:
Extra info received and forwarded to list. (Thu, 27 Nov 2014 23:12:05 GMT) (full text, mbox, link).


Message #49 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@dyne.org>
To: 771125@bugs.debian.org
Cc: control@bugs.debian.org
Subject: notfound mutt/1.5.23-1.1
Date: Thu, 27 Nov 2014 23:09:08 +0000
notfound 771125 mutt/1.5.23-1.1
thanks

It seems that the bug is not reproducible on the latest version in
unstable/testing.



No longer marked as found in versions mutt/1.5.23-1.1. Request was from Antonio Radici <antonio@dyne.org> to control@bugs.debian.org. (Thu, 27 Nov 2014 23:12:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#771125; Package mutt. (Thu, 27 Nov 2014 23:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@dyne.org>:
Extra info received and forwarded to list. (Thu, 27 Nov 2014 23:45:05 GMT) (full text, mbox, link).


Message #56 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@dyne.org>
To: team@security.debian.org, 771125@bugs.debian.org
Subject: Re: Bug#771125: please review mutt-1.5.21-6.2+deb7u3
Date: Thu, 27 Nov 2014 23:36:55 +0000
On Thu, Nov 27, 2014 at 10:42:35PM +0000, Antonio Radici wrote:
> A better debdiff is included, this does not include two vim artifacts at the
> end of the first patch, sorry for the inconvenience.

Again, another debdiff; this time the patch has been modified to correctly skip
the case where end == NULL, which is handled later in the function; if that case
is not used instead, then mutt will segfault frequently.

I expect this to be the last and final debdiff; please disregard the two
previous ones.
[debdiff-mutt-1.5.21-6.2+deb7u2-1.5.21-6.2+deb7u3.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@dyne.org>:
Bug#771125; Package mutt. (Fri, 28 Nov 2014 07:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@dyne.org>. (Fri, 28 Nov 2014 07:12:05 GMT) (full text, mbox, link).


Message #61 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antonio Radici <antonio@dyne.org>, 771125@bugs.debian.org
Subject: Re: Bug#771125: notfound mutt/1.5.23-1.1
Date: Fri, 28 Nov 2014 08:08:11 +0100
Control: found -1 1.5.23-1.1

Hi Antonio

On Thu, Nov 27, 2014 at 11:09:08PM +0000, Antonio Radici wrote:
> notfound 771125 mutt/1.5.23-1.1
> thanks
> 
> It seems that the bug is not reproducible on the latest version in
> unstable/testing.

It should, the reproducer works here for me, have you 'set weed=no'
set?

It is the same issue also still in unstable. Upstream originally
addressed the fix in http://dev.mutt.org/trac/changeset/897dcc62e4aa
but then with the introduction of skip_email_wsp() the problem
reappears, as newlines are skipped again:

http://dev.mutt.org/trac/changeset/f251d523ca5a

EMAIL_WSP is '\t\r\n' there.

Regards,
Salvatore



Marked as found in versions mutt/1.5.23-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 771125-submit@bugs.debian.org. (Fri, 28 Nov 2014 07:12:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#771125; Package mutt. (Fri, 28 Nov 2014 07:42:22 GMT) (full text, mbox, link).


Acknowledgement sent to Antonio Radici <antonio@dyne.org>:
Extra info received and forwarded to list. (Fri, 28 Nov 2014 07:42:22 GMT) (full text, mbox, link).


Message #68 received at 771125@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@dyne.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 771125@bugs.debian.org
Subject: Re: Bug#771125: notfound mutt/1.5.23-1.1
Date: Fri, 28 Nov 2014 07:35:42 +0000
On Fri, Nov 28, 2014 at 08:08:11AM +0100, Salvatore Bonaccorso wrote:
> Control: found -1 1.5.23-1.1
> 
> Hi Antonio
> 
> On Thu, Nov 27, 2014 at 11:09:08PM +0000, Antonio Radici wrote:
> > notfound 771125 mutt/1.5.23-1.1
> > thanks
> > 
> > It seems that the bug is not reproducible on the latest version in
> > unstable/testing.
> 
> It should, the reproducer works here for me, have you 'set weed=no'
> set?
> 
> It is the same issue also still in unstable. Upstream originally
> addressed the fix in http://dev.mutt.org/trac/changeset/897dcc62e4aa
> but then with the introduction of skip_email_wsp() the problem
> reappears, as newlines are skipped again:
> 
> http://dev.mutt.org/trac/changeset/f251d523ca5a
> 
> EMAIL_WSP is '\t\r\n' there.

Yes, it seems correct; in this case, apart from backporting the lib.c fix that
you saw already, I think that the correct course of action is to remove the
newline from EMAIL_WSP, as newlines are not defined as whitespace characters in
the RFC; does that sound ok to you?

Cheers
Antonio



Set Bug forwarded-to-address to 'http://dev.mutt.org/trac/ticket/3716'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 12:21:41 GMT) (full text, mbox, link).


Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 12:21:42 GMT) (full text, mbox, link).


Changed Bug title to 'mutt: CVE-2014-9116 write_one_header can call mutt_substrdup with begin > end, leading to crash' from 'mutt: CVE-2014-9116: buffer overflow' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 12:21:42 GMT) (full text, mbox, link).


Changed Bug title to 'mutt: CVE-2014-9116: write_one_header can call mutt_substrdup with begin > end, leading to crash' from 'mutt: CVE-2014-9116 write_one_header can call mutt_substrdup with begin > end, leading to crash' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2014 12:45:08 GMT) (full text, mbox, link).


Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Nov 2014 13:45:04 GMT) (full text, mbox, link).


Marked as fixed in versions mutt/1.5.23-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Nov 2014 05:27:05 GMT) (full text, mbox, link).


Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Fri, 05 Dec 2014 19:21:08 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Fri, 05 Dec 2014 19:21:08 GMT) (full text, mbox, link).


Message #85 received at 771125-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>
To: 771125-close@bugs.debian.org
Subject: Bug#771125: fixed in mutt 1.5.20-9+squeeze4
Date: Fri, 05 Dec 2014 19:18:54 +0000
Source: mutt
Source-Version: 1.5.20-9+squeeze4

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771125@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Dec 2014 19:24:00 +0100
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source i386
Version: 1.5.20-9+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Antonio Radici <antonio@dyne.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
 mutt-dbg   - debugging symbols for mutt
 mutt-patched - the Mutt Mail User Agent with extra patches
Closes: 771125
Changes: 
 mutt (1.5.20-9+squeeze4) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix an incorrect use of mutt_substrdup() in write_one_header()
     reported in CVE-2014-0467 (Closes: #771125)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Reply sent to Antonio Radici <antonio@dyne.org>:
You have taken responsibility. (Mon, 08 Dec 2014 15:33:18 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 08 Dec 2014 15:33:18 GMT) (full text, mbox, link).


Message #90 received at 771125-close@bugs.debian.org (full text, mbox, reply):

From: Antonio Radici <antonio@dyne.org>
To: 771125-close@bugs.debian.org
Subject: Bug#771125: fixed in mutt 1.5.21-6.2+deb7u3
Date: Mon, 08 Dec 2014 15:32:41 +0000
Source: mutt
Source-Version: 1.5.21-6.2+deb7u3

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 771125@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Radici <antonio@dyne.org> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Nov 2014 17:10:22 +0000
Source: mutt
Binary: mutt mutt-patched mutt-dbg
Architecture: source amd64
Version: 1.5.21-6.2+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Antonio Radici <antonio@dyne.org>
Changed-By: Antonio Radici <antonio@dyne.org>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
 mutt-dbg   - debugging symbols for mutt
 mutt-patched - Mutt Mail User Agent with extra patches
Closes: 771125
Changes: 
 mutt (1.5.21-6.2+deb7u3) wheezy-security; urgency=high
 .
   * Fix an incorrect use of mutt_substrdup() in write_one_header() reported in
     CVE-2014-0467 (Closes: 771125)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:27:15 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 25 13:55:42 2025; Machine Name: bembo
