Bug 1179113 - VUL-1: mutt,neomutt: message with a million tiny parts can freeze MUA for several minutes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Security Team bot
Reported: 2020-11-23 18:41 UTC by Andreas Stieger
Modified: 2021-01-27 17:09 UTC


Attachments
mail with 1M small parts (74.30 KB, application/x-xz)
2020-11-24 21:52 UTC, Andreas Stieger
Description Andreas Stieger 2020-11-23 18:41:54 UTC
A message with a million tiny parts can freeze mutt/neomutt for several minutes.

For mutt, fixed in 1.14.2:
https://gitlab.com/muttmua/mutt/commit/c72f740aa7c80c0a79775628e62daa2a43357cd5

> Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release,
> fixing a few prompt buffer-size issues and adding a potential DoS mitigation. 

For neomutt fixed in 20200814:
https://github.com/neomutt/neomutt/releases/tag/20200814
> Add mitigation against DoS from thousands of parts
https://github.com/neomutt/neomutt/commit/979df15cc14e61e739b1c06bd892c9938eba6be3
Comment 1 Dr. Werner Fink 2020-11-24 08:42:38 UTC
(In reply to Andreas Stieger from comment #0)
> A message with a million tiny parts can freeze mutt/neomutt for several
> minutes.
> 
> For mutt, fixed in 1.14.2:
> https://gitlab.com/muttmua/mutt/commit/c72f740aa7c80c0a79775628e62daa2a43357cd5
> 
> > Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release,
> > fixing a few prompt buffer-size issues and adding a potential DoS mitigation. 
> 
> For neomutt fixed in 20200814:
> https://github.com/neomutt/neomutt/releases/tag/20200814
> > Add mitigation against DoS from thousands of parts
> https://github.com/neomutt/neomutt/commit/979df15cc14e61e739b1c06bd892c9938eba6be3

On SLE-15 (and Leap 15.X) we have mutt 1.10.1 and this one seems not to have any code with

 if (recurse_level >= 100)

do you have an example to trigger this with this mutt version and below?  The patch/commit does not fit as the code is missed in mutt 1.10.1
Comment 2 Andreas Stieger 2020-11-24 21:52:33 UTC
Created attachment 843848 [details]
mail with 1M small parts

(In reply to Dr. Werner Fink from comment #1)
> do you have an example to trigger this with this mutt version and below?  The
> patch/commit does not fit as the code is missed in mutt 1.10.1

Attached mail with 1M parts. Triggers on 2.0.2 with the upstream patch reverted. Without that it stops after 5k.
Comment 3 Dr. Werner Fink 2020-11-25 07:00:54 UTC
(In reply to Andreas Stieger from comment #2)
> Created attachment 843848 [details]
> mail with 1M small parts
> 
> (In reply to Dr. Werner Fink from comment #1)
> > do you have an example to trigger this with this mutt version and below?  The
> > patch/commit does not fit as the code is missed in mutt 1.10.1
> 
> Attached mail with 1M parts. Triggers on 2.0.2 with the upstream patch
> reverted. Without that it stops after 5k.

I'll test this with mutt 1.10.1 from SLE-15 ... nevertheless where are eml files used?
Comment 4 Andreas Stieger 2020-11-25 07:23:12 UTC
This relates to the parsing of the MIME format, regardless of protocol/storage.
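As an added illustration (not code from mutt, neomutt or this bug report), the following C pre-screen applies the kind of caps discussed in this thread: it makes one linear pass over a raw message, counts MIME parts and nesting depth, and stops as soon as a limit is reached. `MAX_PARTS`, `MAX_DEPTH` and all function names are assumptions chosen for the example, and the scanner is a heuristic, not a full RFC 2046 parser.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum { MAX_PARTS = 5000, MAX_DEPTH = 100, BLEN = 71 }; /* assumed caps; RFC 2046 boundary <= 70 chars */

/* Copy the boundary= parameter out of one header line; returns 1 if found. */
static int get_boundary(const char *ln, size_t n, char *out) {
    for (size_t i = 0, k = 0; i + 9 <= n; i++) {
        size_t m = 0, j = i + 9;
        while (m < 9 && tolower((unsigned char)ln[i + m]) == "boundary="[m]) m++;
        if (m < 9) continue;
        int q = (j < n && ln[j] == '"');
        for (j += q; j < n && k < BLEN - 1 && ln[j] != '"' && (q || !strchr("; \t", ln[j])); j++)
            out[k++] = ln[j];
        out[k] = '\0';
        return k > 0;
    }
    return 0;
}

/* 0 = not a delimiter for b, 1 = "--b" (new part), 2 = "--b--" (end of multipart) */
static int delim(const char *ln, size_t n, const char *b) {
    size_t e = 2 + strlen(b);
    if (n < e || memcmp(ln, "--", 2) || memcmp(ln + 2, b, e - 2)) return 0;
    return n == e ? 1 : (n == e + 2 && !memcmp(ln + e, "--", 2)) ? 2 : 0;
}

/* One linear pass: returns the part count, or -1 (too many parts) / -2 (too deep). */
long screen_mime(const char *msg, size_t len) {
    char stack[MAX_DEPTH][BLEN], b[BLEN];
    long parts = 0;
    int depth = 0, in_hdr = 1, kind, d;
    for (size_t pos = 0; pos < len;) {
        const char *ln = msg + pos, *nl = memchr(ln, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - ln) : len - pos;
        pos += n + 1;
        while (n && strchr("\r \t", ln[n - 1])) n--; /* ignore CR and trailing padding */
        if (n == 0) in_hdr = 0;                      /* blank line ends a header block */
        for (kind = 0, d = depth - 1; d >= 0 && !(kind = delim(ln, n, stack[d])); d--) {}
        if (kind) { /* delimiter of level d: deeper levels are finished */
            depth = (kind == 2) ? d : d + 1;
            in_hdr = (kind == 1);
            if (kind == 1 && ++parts > MAX_PARTS) return -1;
        } else if (in_hdr && get_boundary(ln, n, b)) {
            if (depth == MAX_DEPTH) return -2;
            strcpy(stack[depth++], b);
        }
    }
    return parts;
}
```

Call `screen_mime(buf, len)` on the raw message bytes, for example from a delivery filter in front of a client that has not yet received the update; a negative return means the message exceeded one of the caps.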
Comment 5 Dr. Werner Fink 2020-11-25 07:41:08 UTC
Hmmm ... how do I use this

 boo#1179113> mutt -f cur/test.eml 
 cur/test.eml is not a mailbox.

without using `formail -b` to generate a mbox?
Comment 6 Dr. Werner Fink 2020-11-25 07:43:20 UTC
Just used

  formail -b < /abuild/oscbuild/SLE-15/home/abuild/rpmbuild/BUILD/boo#1179113/cur/test.eml > /abuild/oscbuild/SLE-15/tmp/test.mbox

and indeed mutt shows a high load and hangs on opening this mbox ...

nevertheless the fix from 2.0.2 does not fit into 1.10.1
Comment 7 Dr. Werner Fink 2020-11-25 08:00:50 UTC
I've backported some of the missed extensions of 2.0.2 in comparison to 1.10.1 ... now testing build
Comment 8 Dr. Werner Fink 2020-11-25 08:27:04 UTC
The new patch does work and SLE-15, SLE-12, as well as SLE-10 are submitted
Comment 10 OBSbugzilla Bot 2020-11-25 20:40:26 UTC
This is an autogenerated message for OBS integration:
This bug (1179113) was mentioned in
https://build.opensuse.org/request/show/850817 15.1+15.2 / neomutt
Comment 11 Swamp Workflow Management 2020-11-30 20:21:58 UTC
SUSE-SU-2020:3568-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1179035,1179113
CVE References: CVE-2020-28896
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise Server 15-LTSS (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    mutt-1.10.1-3.11.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    mutt-1.10.1-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-11-30 20:25:28 UTC
SUSE-SU-2020:14551-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1179035,1179113
CVE References: CVE-2020-28896
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    mutt-1.5.17-42.56.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    mutt-1.5.17-42.56.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mutt-1.5.17-42.56.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mutt-1.5.17-42.56.1

Comment 13 Swamp Workflow Management 2020-11-30 23:16:12 UTC
openSUSE-SU-2020:2127-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    neomutt-20201120-lp152.2.3.1
openSUSE Leap 15.1 (src):    neomutt-20201120-lp151.2.3.1
Comment 14 Swamp Workflow Management 2020-12-01 05:16:51 UTC
openSUSE-SU-2020:2128-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1179035,1179113
CVE References: CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    mutt-1.10.1-lp151.2.6.1
Comment 15 Swamp Workflow Management 2020-12-01 20:21:43 UTC
openSUSE-SU-2020:2141-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1179035,1179113
CVE References: CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    mutt-1.10.1-lp152.3.6.1
Comment 17 Swamp Workflow Management 2020-12-04 14:15:50 UTC
openSUSE-SU-2020:2157-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    neomutt-20201120-bp151.3.3.1
Comment 18 Swamp Workflow Management 2020-12-04 14:20:08 UTC
openSUSE-SU-2020:2158-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    neomutt-20201120-bp152.2.3.1
Comment 19 Swamp Workflow Management 2020-12-07 14:22:40 UTC
SUSE-SU-2020:3632-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1179035,1179113,1179461
CVE References: CVE-2020-28896
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    mutt-1.10.1-55.18.1
SUSE OpenStack Cloud Crowbar 8 (src):    mutt-1.10.1-55.18.1
SUSE OpenStack Cloud 9 (src):    mutt-1.10.1-55.18.1
SUSE OpenStack Cloud 8 (src):    mutt-1.10.1-55.18.1
SUSE OpenStack Cloud 7 (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP5 (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    mutt-1.10.1-55.18.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mutt-1.10.1-55.18.1
SUSE Enterprise Storage 5 (src):    mutt-1.10.1-55.18.1
HPE Helion Openstack 8 (src):    mutt-1.10.1-55.18.1

Comment 20 Alexandros Toptsoglou 2021-01-27 17:09:49 UTC
DONE