Date:      Sat, 5 Jan 2002 08:43:20 -0600
From:      "Jacques A. Vidrine" <n@nectar.cc>
To:        freebsd-security@FreeBSD.ORG
Cc:        "Philip J. Koenig" <pjklist@ekahuna.com>, "Aleksandar Simic'" <alex@frustum.clara.co.uk>, Tim Zingelman <zingelman@fnal.gov>
Subject:   Re: Security advisory SA-02:04 typo?
Message-ID:  <20020105144320.GA18767@madman.nectar.cc>
In-Reply-To: <20020105060426.A9217@frustum.clara.co.uk> <3C360220.17452.2C76D79@localhost> <3C35F700.20238.29BF6BB@localhost>
References:  <3C35F700.20238.29BF6BB@localhost> <20020105060426.A9217@frustum.clara.co.uk> <3C35F700.20238.29BF6BB@localhost> <3C360220.17452.2C76D79@localhost> <3C35F700.20238.29BF6BB@localhost>

On Fri, Jan 04, 2002 at 06:40:00PM -0800, Philip J. Koenig wrote:
> > The mutt ports, versions prior to mutt-1.2.25_1 and
> > mutt-devel-1.3.24_2, contain a buffer overflow in the handling of
> > email addresses in headers.
> Shall I assume the "1.2.25_1" string above is a typo?  Is it really 
> the versions prior to 1.2.5_1?  Because I would think 1.2.2x seems to 
> be pretty old at this point.

Yes, it is a typo.  It should have been ``1.2.5_1''.  A revised
advisory will be released later today.  The package URLs contained the
correct mutt versions.
 
On Fri, Jan 04, 2002 at 07:27:28PM -0800, Philip J. Koenig wrote:
> OK, maybe I'm misunderstanding the version numbers here.
> 
> The version of mutt on my Linux box is 1.2.5i.  

It's vulnerable.

> The version on one of 
> my FreeBSD 4 Stable boxes is 1.2.4i, on another just installed from 
> the mutt port on the 4.4-RELEASE CD, 1.2.5i, and the mutt port just 
> cvsup'd 4 days ago is 1.2.5i.  

These are all vulnerable.

> So I assumed 1.2.5 was relatively 
> current.

It is ``relatively current''.  However, 1.2.5i is vulnerable.  The
FreeBSD port is 1.2.5_1 at the moment, which is just 1.2.5i + a
security fix.  Note the underscore... that is a FreeBSD ports-specific
indicator, and represents the PORTREVISION.  This is discussed a bit
at
<URL:http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/x387.html>.
Maybe someone will post a better pointer.

> I have gotten used to version numbers that increment on a column-by-
> column basis, not on a (I don't know the terminology here) integer-
> between-the-dots basis. (I realize it often does this in the 
> *nix/open-source world.. I just forget sometimes)

I think your preconception of version numbers is not correct in most
cases.  Versions are sorted numerically, not lexicographically.
 
> So if 1.2.25 is actually 11 iterations newer than 1.2.4, 

It would be, if it existed :-)

> then I can 
> see where I was confusing things.  Looks like the FreeBSD port 
> version of mutt just took a (borrowing a term from China) "great leap 
> forward" then.

On Sat, Jan 05, 2002 at 06:04:26AM +0000, Aleksandar Simic' wrote:
> In the advisory the following URLs are listed as fixed packages:
[snip ... ftp.freebsd.org now has mutt-1.2.5.tgz and
 mutt-devel-1.3.24_1.tgz as the latest packages]

This is unfortunate.  The updated packages were available yesterday on
ftp.FreeBSD.org.  I don't know what might have happened to them.
Normally we insert this text in an advisory if the packages aren't yet
available:

``NOTE: It may be several days before updated packages are available. Be
  sure to check the file creation date on the package, because the
  version number of the software has not changed.''

The revised advisory will contain this text if the packages have not
reappeared.

Actually, mutt-devel-1.3.24_2 will likely never now reappear, because
that port has been updated since this advisory was published.

> So is mutt-1.2.5_1.tgz the same as mutt-1.2.5.tgz ?
>
> And is mutt-devel-1.3.24_2.tgz the same as mutt-devel-1.3.24_1.tgz ?

Emphatically --- NO and NO.  Clearly they are not.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
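An added worked example, not part of the message above or of FreeBSD's own tools: a small version comparator that treats the dotted components numerically (so 1.2.5 sorts before 1.2.25) and understands the `_N` PORTREVISION suffix the reply describes (so 1.2.5_1 is newer than 1.2.5), then checks an installed version against the advisory's fixed version. The parser is a simplified model written for this example; it ignores mutt's trailing "i" letter and treats a missing component as older, both assumptions, and it is not the comparison algorithm the ports tree or `pkg_version` actually uses.

```python
import re
from typing import List, Tuple

# Constructed for this example; not the FreeBSD ports tree's own logic.
# "1.2.5_1" = upstream 1.2.5 + PORTREVISION 1 (a FreeBSD-specific suffix).
# "1.2.5i" = mutt's upstream name for 1.2.5; the letter is dropped here
# (assumption for this example).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)(?:_(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '1.2.5_1' into ((1, 2, 5), 1) and '1.2.5i' into ((1, 2, 5), 0).

    A missing PORTREVISION counts as 0; a missing trailing component
    (e.g. '1.2' vs '1.2.0') sorts as older, which is an assumption here.
    """
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    upstream, _letter, portrev = match.groups()
    numbers = tuple(int(part) for part in upstream.split("."))
    return numbers, int(portrev) if portrev else 0


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    # Tuple comparison is element-wise numeric: (1, 2, 5) < (1, 2, 25),
    # and ((1, 2, 5), 0) < ((1, 2, 5), 1) because of the PORTREVISION.
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return compare(installed, fixed) < 0


def numeric_order(versions: List[str]) -> List[str]:
    """Sort the way the reply says versions are sorted: numerically."""
    return sorted(versions, key=parse_version)


def lexicographic_order(versions: List[str]) -> List[str]:
    """Plain string sort, shown only to expose where it goes wrong."""
    return sorted(versions)


if __name__ == "__main__":
    # Versions mentioned in the thread; "1.2.25" exists only as the typo.
    seen = ["1.2.25", "1.2.5", "1.2.4", "1.2.5_1"]
    print("numeric:      ", numeric_order(seen))
    print("lexicographic:", lexicographic_order(seen))
    for installed in ("1.2.4i", "1.2.5i", "1.2.5_1"):
        status = "vulnerable" if is_vulnerable(installed, "1.2.5_1") else "fixed"
        print(f"mutt {installed}: {status}")
```

Running it shows the two orderings diverge exactly on "1.2.25": the string sort places it first, the numeric sort places it last, and every mutt version quoted in the thread (1.2.4i, 1.2.5i) compares as older than the fixed port version 1.2.5_1.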