[Pkg-mutt-maintainers] Bug#859652: mutt: Crashes when trying to display (or fetch) a specific S/MIME-signed message

Axel Beckert axel at ethz.ch
Wed Apr 5 14:42:51 UTC 2017


Package: mutt
Version: 1.7.2-1
Severity: important
Tags: security

Dear Maintainer,

for the first time since upgrading to Stretch a few months ago, mutt
crashed when I pressed enter on a mail (both when viewing locally as
well as via IMAP). Starting up mutt again and trying to display that
mail again crashes again, i.e. it seems to be reproducible.

Here's a backtrace made from the coredump:

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007fd336bbc895 in __GI__IO_fputs (str=0x0, fp=0x55b6136a45d0) at iofputs.c:33
#2  0x000055b6127122dc in print_smime_keyinfo (msg=0x55b612761572 "Problem signature from:", key=key at entry=0x0, s=s at entry=0x7fff04837490, sig=<optimized out>, sig=<optimized out>) at ../../crypt-gpgme.c:1375
#3  0x000055b61271282c in show_one_sig_status (ctx=ctx at entry=0x55b6134741c0, idx=idx at entry=0, s=s at entry=0x7fff04837490) at ../../crypt-gpgme.c:1491
#4  0x000055b61271332c in verify_one (s=0x7fff04837490, tempfile=<optimized out>, is_smime=<optimized out>, sigbdy=<optimized out>, sigbdy=<optimized out>) at ../../crypt-gpgme.c:1576
#5  0x000055b61269717e in mutt_signed_handler (a=0x55b61384f900, a at entry=0x55b61386e800, s=s at entry=0x7fff04837490) at ../../crypt.c:1005
#6  0x000055b6126bf119 in run_decode_and_handler (b=b at entry=0x55b61386e800, s=s at entry=0x7fff04837490, handler=handler at entry=0x55b612696d40 <mutt_signed_handler>, plaintext=plaintext at entry=0) at ../../handler.c:1697
#7  0x000055b6126bf481 in mutt_body_handler (b=b at entry=0x55b61386e800, s=s at entry=0x7fff04837490) at ../../handler.c:1842
#8  0x000055b6126a05fb in _mutt_copy_message (fpout=fpout at entry=0x55b6136a45d0, fpin=0x55b6136b9150, hdr=hdr at entry=0x55b61386e260, body=0x55b61386e800, flags=flags at entry=2124, chflags=<optimized out>, chflags at entry=262294) at ../../copy.c:695
#9  0x000055b6126a0b6b in mutt_copy_message (fpout=0x55b6136a45d0, src=0x55b612f7bb50, hdr=hdr at entry=0x55b61386e260, flags=flags at entry=2124, chflags=262294) at ../../copy.c:783
#10 0x000055b6126987c8 in mutt_display_message (cur=0x55b61386e260) at ../../commands.c:159
#11 0x000055b6126a7f0c in mutt_index_menu () at ../../curs_main.c:2041
#12 0x000055b612688f16 in main (argc=1, argv=<optimized out>, environ=<optimized out>) at ../../main.c:896

Thunderbird can display the mail and says that the S/MIME signature is
not valid.

In case the backtrace above does not suffice to find the issue, I can
probably provide the mail in private.

I'm not 100% sure if this might be a security issue. It is at least
usable as a DoS against mutt users, and mutt crashes on input received
from untrusted sources. No idea if that might be used for remote code
execution or similar. So to be on the safe side, I'm tagging this as
"security".

Security team: Please remove this tag if you think that this issue does
not validate further investigation from a security point of view.

-- Package-specific info:
[Package-specific info was sent as an attachment, scrubbed by the list archive:
<http://lists.alioth.debian.org/pipermail/pkg-mutt-maintainers/attachments/20170405/d1a39e14/attachment.ksh>]

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages mutt depends on:
ii  libassuan0        2.4.3-2
ii  libc6             2.24-9
ii  libcomerr2        1.43.4-2
ii  libgnutls30       3.5.8-3
ii  libgpg-error0     1.26-2
ii  libgpgme11        1.8.0-3+b2
ii  libgssapi-krb5-2  1.15-1
ii  libidn11          1.33-1
ii  libk5crypto3      1.15-1
ii  libkrb5-3         1.15-1
ii  libncursesw5      6.0+20161126-1
ii  libnotmuch4       0.23.7-3
ii  libsasl2-2        2.1.27~101-g0780600+dfsg-3
ii  libtinfo5         6.0+20161126-1
ii  libtokyocabinet9  1.4.48-11+b1

Versions of packages mutt recommends:
ii  libsasl2-modules  2.1.27~101-g0780600+dfsg-3
ii  locales           2.24-9
ii  mime-support      3.60

Versions of packages mutt suggests:
ii  aspell                          0.60.7~20110707-3+b2
ii  ca-certificates                 20161130
ii  gnupg                           2.1.18-6
ii  ispell                          3.4.00-5
pn  mixmaster                       <none>
ii  openssl                         1.1.0e-1
ii  postfix [mail-transport-agent]  3.1.4-4
pn  urlview                         <none>

Versions of packages mutt is related to:
ii  mutt  1.7.2-1

-- no debconf information

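The backtrace above is the whole story from a code-safety point of view: frame #2 shows print_smime_keyinfo() being entered with key=0x0, and frame #1 shows a NULL string reaching fputs(), which glibc resolves by calling strlen() on it (frame #0). A signature whose signer certificate is not in the local store is an ordinary, attacker-choosable condition, so the display path has to tolerate a missing key. The following C program is an added illustration of that failure mode and its guard; it is not mutt's code and does not show the actual upstream fix. The struct sig_key / struct sig_uid types, the function names and the sample user id are constructed for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the key objects a crypto library hands back after
 * verifying a signature. These are NOT the gpgme or mutt types (assumption
 * for illustration only). A verifier may legitimately return a NULL key when
 * the signer's certificate is unknown. */
struct sig_uid { const char *uid; struct sig_uid *next; };
struct sig_key { struct sig_uid *uids; };

/* Unsafe pattern: derives the display string from the key without guarding
 * against a missing key, so it can yield NULL. Handing that NULL to fputs()
 * is undefined behaviour; glibc's fputs calls strlen() on it and the process
 * dies with SIGSEGV, which is exactly frames #0 and #1 of the backtrace. */
static const char *signer_uid_unchecked(const struct sig_key *key)
{
    return key ? (key->uids ? key->uids->uid : NULL) : NULL;
}

/* Hardened pattern: never yields NULL. A missing key, a key with no user id,
 * or an empty user id is rendered as an explicit placeholder so the message
 * still displays and the user still sees the "Problem signature" status. */
static const char *signer_uid_checked(const struct sig_key *key)
{
    if (key && key->uids && key->uids->uid && key->uids->uid[0] != '\0')
        return key->uids->uid;
    return "(unknown: signer's certificate not available)";
}

/* Formats "<msg> <signer>" into buf with snprintf semantics (returns the
 * length the full line would have). Always safe to call with key == NULL. */
static int format_sig_status(char *buf, size_t buflen, const char *msg,
                             const struct sig_key *key)
{
    return snprintf(buf, buflen, "%s %s", msg, signer_uid_checked(key));
}

/* Kept only for contrast with the hardened path: with a key that has no
 * user id this passes NULL to fputs() and crashes. Never call it that way. */
static int print_sig_status_unsafe(const char *msg, const struct sig_key *key,
                                   FILE *out)
{
    const char *who = signer_uid_unchecked(key);
    fputs(msg, out);
    fputc(' ', out);
    fputs(who, out);   /* who == NULL -> strlen(NULL) -> SIGSEGV */
    fputc('\n', out);
    return 0;
}

int main(void)
{
    /* Constructed sample signer; any DN-like string would do. */
    struct sig_uid u = { "CN=Alice Example, O=Example Corp", NULL };
    struct sig_key known = { &u };
    char line[160];

    format_sig_status(line, sizeof line, "Good signature from:", &known);
    puts(line);

    /* The report's case: verification produced no key object at all. */
    format_sig_status(line, sizeof line, "Problem signature from:", NULL);
    puts(line);

    /* Safe because the key has a uid; with `NULL` it would crash. */
    print_sig_status_unsafe("Good signature from:", &known, stdout);
    return 0;
}
```

The check worth taking away is the one in signer_uid_checked(): every string that ends up in fputs()/fprintf("%s") on the message-display path must be provably non-NULL, including the case where the crypto library reports a signature it could not attribute to any known certificate, since that input comes straight from the sender.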