Skip to content
GitLab
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • mutt mutt
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 76
    • Issues 76
    • List
    • Boards
    • Service Desk
    • Milestones
    • Requirements
  • Merge requests 9
    • Merge requests 9
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • Mutt Project
  • muttmutt
  • Issues
  • #404
Closed
Open
Issue created Apr 05, 2022 by Tavis Ormandy@taviso

SECURITY: mutt_decode_uuencoded() can read past the of the input line

Hello, In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys.

Reproduce with the following mbox, note that these are literal 0x9f bytes. This should show some uninitialized garbage in the message.

From taviso  Thu Mar 31 16:53:55 2022
From: taviso
Subject: mutt_decode_uuencoded test
Content-Disposition: inline
Content-Transfer-Encoding: x-uuencode
Content-Type: text/plain

begin 644 test
<9f>
M2&5L;&\L"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU
M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*"@H*
<9f>
54&QE87-E(')E<&QY+`I4879I<RX*
`
end.
Edited Apr 05, 2022 by Tavis Ormandy
Assignee
Assign to
Time tracking