Bug 1215191 (CVE-2023-4875)

Summary: VUL-0: CVE-2023-4875: mutt: null pointer dereference when receiving an email
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Dr. Werner Fink <werner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377843/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4875:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-09-11 06:36:47 UTC
For some reason, the rfc2047 base64 decoder ignored illegal
characters, instead of aborting.  This seems innocuous, but in fact
leads to at least three crash-bugs elsewhere in Mutt.

These stem from Mutt, in some cases, passing an entire header
field (name, colon, and body) to the rfc2047 decoder.  (It is
technically incorrect to do so, by the way, but is beyond scope for
these fixes in stable).  Mutt then assumes the result can't be empty
because of a previous check that the header contains at least a colon.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4875
https://bugzilla.redhat.com/show_bug.cgi?id=2238241
https://www.cve.org/CVERecord?id=CVE-2023-4875
https://security-tracker.debian.org/tracker/DSA-5494-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051563
https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch
https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6.patch
https://www.debian.org/security/2023/dsa-5494
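
The decoder behaviour described in the report above, as an added C example: it is not Mutt's code, and `b64val`, `b64_decode`, `decode_or_null` and the sample inputs are constructed for illustration. A lenient decoder that skips illegal characters can report success with an empty result, while the strict variant aborts and the caller-side check never hands an empty string onward.

```c
#include <stddef.h>
#include <string.h>

/* Map a base64 alphabet character to its 6-bit value; -1 if illegal. */
static int b64val(unsigned char ch)
{
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    return ch == '+' ? 62 : ch == '/' ? 63 : -1;
}

/* Decode base64 text up to the first '=' into out (NUL-terminated).
 * strict == 0: illegal characters are skipped, as the report describes.
 * strict != 0: an illegal character aborts the decode.
 * Returns the decoded length, or -1 on error. */
static int b64_decode(const char *in, char *out, size_t outcap, int strict)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (outcap == 0) return -1;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) {
            if (strict) return -1;   /* reject the whole word */
            continue;                /* lenient: silently drop the byte */
        }
        acc = ((acc << 6) | (unsigned int)v) & 0xffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outcap) return -1;   /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Caller-side check: a failed or empty decode yields NULL, never "". */
static const char *decode_or_null(const char *in, char *out, size_t outcap, int strict)
{
    return b64_decode(in, out, outcap, strict) > 0 ? out : NULL;
}
```
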
Comment 1 Gianluca Gabrielli 2023-09-11 06:37:33 UTC
Affected packages:

 - SUSE:SLE-12:Update/mutt
 - SUSE:SLE-15:Update/mutt
 - openSUSE:Factory/mutt

Fixing commit:

 - https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch
Comment 3 OBSbugzilla Bot 2023-09-12 08:45:04 UTC
This is an autogenerated message for OBS integration:
This bug (1215191) was mentioned in
https://build.opensuse.org/request/show/1110464 Factory / mutt
Comment 5 Maintenance Automation 2023-09-20 12:30:41 UTC
SUSE-SU-2023:3702-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215189, 1215191
CVE References: CVE-2023-4874, CVE-2023-4875
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): mutt-1.10.1-55.30.1
SUSE Linux Enterprise Server 12 SP5 (src): mutt-1.10.1-55.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): mutt-1.10.1-55.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-09-27 20:31:07 UTC
SUSE-SU-2023:3826-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215189, 1215191
CVE References: CVE-2023-4874, CVE-2023-4875
Sources used:
openSUSE Leap 15.4 (src): mutt-1.10.1-150000.3.26.1
openSUSE Leap 15.5 (src): mutt-1.10.1-150000.3.26.1
Basesystem Module 15-SP4 (src): mutt-1.10.1-150000.3.26.1
Basesystem Module 15-SP5 (src): mutt-1.10.1-150000.3.26.1
SUSE Manager Proxy 4.2 (src): mutt-1.10.1-150000.3.26.1
SUSE Manager Retail Branch Server 4.2 (src): mutt-1.10.1-150000.3.26.1
SUSE Manager Server 4.2 (src): mutt-1.10.1-150000.3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 OBSbugzilla Bot 2023-09-29 10:35:22 UTC
This is an autogenerated message for OBS integration:
This bug (1215191) was mentioned in
https://build.opensuse.org/request/show/1114300 Factory / mutt
Comment 8 Dr. Werner Fink 2023-09-29 10:52:48 UTC
Fixed