Bugzilla – Bug 1179113
VUL-1: mutt,neomutt: message with a million tiny parts can freeze MUA for several minutes
Last modified: 2021-01-27 17:09:49 UTC
A message with a million tiny parts can freeze mutt/neomutt for several minutes. For mutt, fixed in 1.14.2: https://gitlab.com/muttmua/mutt/commit/c72f740aa7c80c0a79775628e62daa2a43357cd5 > Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release, > fixing a few prompt buffer-size issues and adding a potential DoS mitigation. For neomutt fixed in 20200814: https://github.com/neomutt/neomutt/releases/tag/20200814 > Add mitigation against DoS from thousands of parts https://github.com/neomutt/neomutt/commit/979df15cc14e61e739b1c06bd892c9938eba6be3
(In reply to Andreas Stieger from comment #0) > A message with a million tiny parts can freeze mutt/neomutt for several > minutes. > > For mutt, fixed in 1.14.2: > https://gitlab.com/muttmua/mutt/commit/ > c72f740aa7c80c0a79775628e62daa2a43357cd5 > > > Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release, > > fixing a few prompt buffer-size issues and adding a potential DoS mitigation. > > For neomutt fixed in 20200814: > https://github.com/neomutt/neomutt/releases/tag/20200814 > > Add mitigation against DoS from thousands of parts > https://github.com/neomutt/neomutt/commit/ > 979df15cc14e61e739b1c06bd892c9938eba6be3 On SLE-15 (and Leap 15.X) we have mutt 1.10.1 and this one seems not to have have any code with if (recurse_level >= 100) do you have an example to trigger this with this mutt verion and below? The patch/commit does not fit as the code is missed in mutt 1.10.1
Created attachment 843848 [details] mail with 1M small parts (In reply to Dr. Werner Fink from comment #1) > do you have an example to trigger this with this mutt verion and below? The > patch/commit does not fit as the code is missed in mutt 1.10.1 Attached mail with 1M parts. Triggers on 2.0.2 with the upstream patch reverted. Without that it stops after 5k.
(In reply to Andreas Stieger from comment #2) > Created attachment 843848 [details] > mail with 1M small parts > > (In reply to Dr. Werner Fink from comment #1) > > do you have an example to trigger this with this mutt verion and below? The > > patch/commit does not fit as the code is missed in mutt 1.10.1 > > Attached mail with 1M parts. Triggers on 2.0.2 with the upstream patch > reverted. Without that it stops after 5k. I'll test this with mutt 1.10.1 from SLE-15 ... nevertheless where are eml files used?
This relates to the parsing of of the MIME format, regardless of protocol/storage.
Hmmm ... how do I use this boo#1179113> mutt -f cur/test.eml cur/test.eml is not a mailbox. without using `formail -b` to generate a mbox?
Just used formail -b < /abuild/oscbuild/SLE-15/home/abuild/rpmbuild/BUILD/boo#1179113/cur/test.eml > /abuild/oscbuild/SLE-15/tmp/test.mbox and indeed mutt shows a high load and hangs on open this mbox ... nevertheless the fix from 2.0.2 does not fit into 1.10.1
I've backported some of the missed extensions of 2.0.2 in comparision to 1.10.1 ... now testing build
The new patch does work and SLE-15, SLE-12, as well as SLE-10 are submitted
This is an autogenerated message for OBS integration: This bug (1179113) was mentioned in https://build.opensuse.org/request/show/850817 15.1+15.2 / neomutt
SUSE-SU-2020:3568-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1179035,1179113 CVE References: CVE-2020-28896 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise Server 15-LTSS (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): mutt-1.10.1-3.11.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): mutt-1.10.1-3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14551-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1179035,1179113 CVE References: CVE-2020-28896 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): mutt-1.5.17-42.56.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): mutt-1.5.17-42.56.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): mutt-1.5.17-42.56.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): mutt-1.5.17-42.56.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2127-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1172906,1172935,1173197,1179035,1179113 CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896 JIRA References: Sources used: openSUSE Leap 15.2 (src): neomutt-20201120-lp152.2.3.1 openSUSE Leap 15.1 (src): neomutt-20201120-lp151.2.3.1
openSUSE-SU-2020:2128-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1179035,1179113 CVE References: CVE-2020-28896 JIRA References: Sources used: openSUSE Leap 15.1 (src): mutt-1.10.1-lp151.2.6.1
openSUSE-SU-2020:2141-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1179035,1179113 CVE References: CVE-2020-28896 JIRA References: Sources used: openSUSE Leap 15.2 (src): mutt-1.10.1-lp152.3.6.1
openSUSE-SU-2020:2157-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1172906,1172935,1173197,1179035,1179113 CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896 JIRA References: Sources used: openSUSE Backports SLE-15-SP1 (src): neomutt-20201120-bp151.3.3.1
openSUSE-SU-2020:2158-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1172906,1172935,1173197,1179035,1179113 CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): neomutt-20201120-bp152.2.3.1
SUSE-SU-2020:3632-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1179035,1179113,1179461 CVE References: CVE-2020-28896 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): mutt-1.10.1-55.18.1 SUSE OpenStack Cloud Crowbar 8 (src): mutt-1.10.1-55.18.1 SUSE OpenStack Cloud 9 (src): mutt-1.10.1-55.18.1 SUSE OpenStack Cloud 8 (src): mutt-1.10.1-55.18.1 SUSE OpenStack Cloud 7 (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP5 (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): mutt-1.10.1-55.18.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): mutt-1.10.1-55.18.1 SUSE Enterprise Storage 5 (src): mutt-1.10.1-55.18.1 HPE Helion Openstack 8 (src): mutt-1.10.1-55.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
DONE