Bug 49470 (CVE-2004-0078)

Summary: VUL-0: CVE-2004-0078: bufferoverflow in mutt
Product: [Novell Products] SUSE Security Incidents Reporter: Roman Drahtmueller <draht>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0078: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mads Martin Joergensen 2004-02-12 00:33:11 UTC 
* Thomas Roessler <roessler@does-not-exist.org> [Feb 11. 2004 16:05]:
> Mutt-1.4.2 has just been released; this version fixes a buffer
> overflow that can be triggered by incoming messages.  There are
> reports about spam that has actually triggered this problem and
> crashed mutt.
>
> It is recommended that users of mutt versions prior to 1.4.2 upgrade
> to this version, or apply the patch included below.
>
> Users of "unstable" mutt versions after 1.3.28 (including 1.5.*) do
> not need to upgrade, as this problem had been fixed in the unstable
> branch in February 2002; unfortunately, the fix was not backported
> before 1.4 was released.

I've submitted fixed packages for 8.1, 8.2 and 9.0 which carry the affected
version.
Comment 1 Mads Martin Joergensen 2004-02-12 00:33:11 UTC 
<!-- SBZ_reproduce  -->
See description
Comment 2 Mads Martin Joergensen 2004-02-12 00:33:38 UTC 
And also patchinfos are submitted
Comment 3 Roman Drahtmueller 2004-02-12 01:03:48 UTC 
<!-- SBZ_reopen -->Reopened by draht@suse.de at Wed Feb 11 18:03:48 2004, took initial reporter mmj@suse.de to cc
Comment 4 Roman Drahtmueller 2004-02-12 01:03:48 UTC 
That doesn't make this bug fixed. Re-Opening...
Comment 5 Roman Drahtmueller 2004-02-12 01:04:14 UTC 
...and re-assigning.
Comment 6 Thomas Biege 2004-02-12 01:09:51 UTC 
What is wrong with the fixed package, Roman?
Comment 7 Roman Drahtmueller 2004-02-12 01:25:21 UTC 
Oh, the package is fine, but for as long as the packages are not out, we
shouldn't close the bug yet. :-)
Comment 8 Thomas Biege 2004-02-12 18:24:46 UTC 
*oompf* Now I get it....
Comment 9 Thomas Biege 2004-02-12 18:33:41 UTC 
laufzettel submitted
Comment 10 Thomas Biege 2004-02-23 22:28:01 UTC 
packages approved.
Comment 11 Marcus Meissner 2007-11-12 10:45:40 UTC 
CVE-2004-0078
Comment 12 Thomas Biege 2009-10-13 20:14:50 UTC 
CVE-2004-0078: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)