-----BEGIN PGP SIGNED MESSAGE----- Subject: Caldera Security Advisory SA-1998.24: Remotely exploitable buffer overflow in mutt. Topic: Remotely exploitable buffer overflow in mutt. Advisory issue date: August 7 1998 I. Problem Description A security problem with the mail user agent `mutt' was reported to the BUGTRAQ mailing list on July 29, 1998, concerning a buffer overflow(*). The buffer overflow can be triggered remotely by sending a specially formatted MIME message to the victim user. The bug is triggered the moment mutt opens and reads the mailbox. (*) The message ID is <19980728201757.A15055@boehm.org>; bugtraq is archived on http://www.geek-girl.com/bugtraq. II. Impact Description: An attacker can execute commands under the account of the victim user. Vulnerable Systems: OpenLinux 1.0, 1.1, & 1.2 systems using versions of mutt prior to mutt package release 0.93.1-2. III. Solution Correction: The proper solution is to Upgrade to the mutt-0.93.1-2 packages. They can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/RPMS The corresponding source code can be found at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/SRPMS The MD5 checksums (from the "md5sum" command) for these packages are: f5125936ba171f9da861a2d39c61662a RPMS/mutt-0.93.1-2.i386.rpm f703d36a41fa581f49a98d05597bd827 SRPMS/mutt-0.93.1-2.src.rpm Upgrade with the following commands: rpm -q mutt && rpm -U RPMS/mutt-0.93.1-2.i386.rpm Notice Note that the names and the meaning of some options in the .muttrc configuration file have changed. The most important change is in the `move' option: originally, this option controlled the treatment of messages that had explicitly been moved to a different folder; setting it to `yes' turned off a question when leaving the program whether messages marked as `moved' should really be moved. In this version of mutt, setting move=yes means that all read messages are automatically moved to the ~/mbox folder. If you have a customized .muttrc file in your home directory, and do not wish read messages to be moved automatically, make sure that the move option is either commented out (it defaults to ask-no), or set it specifically, e.g. set move=ask-no # Ask, default answer is no or set move=no # Don't ask, don't move We advise you to reread the mutt user manual /usr/doc/mutt-0.93.1-2/manual.txt and the sample configuration file /usr/doc/mutt-0.93.1-2/sample.muttrc. IV. References This and other Caldera security resources are located at: http://www.caldera.com/news/security/index.html Additional documentation on this problem can be found in message ID <19980728201757.A15055@boehm.org> archived on http://www.geek-girl.com/bugtraq. This security fix closes Caldera's internal Problem Report 4072. V. PGP Signature This message was signed with the PGP key for security@caldera.com. This key can be obtained from: ftp://ftp.caldera.com/pub/pgp-keys/ Or on an OpenLinux CDROM under: /OpenLinux/pgp-keys/ $Id: SA-1998.24.txt,v 1.3 1998/08/07 14:05:20 rf Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNcsJoOn+9R4958LpAQF26wQAlzts0SMFwG88FcwaNWHVLqNlCkufvxEx j3cWMCuGs3kkmI33Xx+u7XpI/6AjmAVlt9xWU9/ch93HJ2ISOkn/o2FROprmS2WM 7p/Oe8DZ6uOiJCYiQurwGgNiyW8FJZMp2MbEBPrR6TGziQJL1eG2j+GnOU0NRIxG 4dkvONp8Km0= =KrkT -----END PGP SIGNATURE-----