Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: mutt (200303-19)
Date: Mon, 24 Mar 2003 09:59:38
Message-Id: 20030322181931.3F7C6338E5@mail1.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - ---------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT 200303-19
6 - - ---------------------------------------------------------------------
7
8 PACKAGE : mutt
9 SUMMARY : buffer overflow
10 DATE : 2003-03-22 18:19 UTC
11 EXPLOIT : local
12 VERSIONS AFFECTED : <1.4.1
13 FIXED VERSION : >=1.4.1
14 CVE : CAN-2003-0140
15
16 - - ---------------------------------------------------------------------
17
18 - From advisory:
19
20 "By controlling a malicious IMAP server and providing a specially 
21 crafted folder, an attacker can crash the mail reader and possibly 
22 force execution of arbitrary commands on the vulnerable system with
23 the privileges of the user running Mutt."
24
25 Read the full advisory at:
26 http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10
27
28 SOLUTION
29
30 It is recommended that all Gentoo Linux users who are running
31 net-mail/mutt upgrade to mutt-1.4.1 as follows:
32
33 emerge sync
34 emerge mutt
35 emerge clean
36
37 - - ---------------------------------------------------------------------
38 aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
39 - - ---------------------------------------------------------------------
40 -----BEGIN PGP SIGNATURE-----
41 Version: GnuPG v1.2.1 (GNU/Linux)
42
43 iD8DBQE+fKkyfT7nyhUpoZMRAkw6AKCmyIFHKpT4dpk4eafeuVw9M1zFZQCeI48z
44 7dK4rjkZJCsYlIk5Yk5Fd/c=
45 =acwA
46 -----END PGP SIGNATURE-----