Date: Fri, 4 Jan 2002 19:27:28 -0800 From: "Philip J. Koenig" <pjklist@ekahuna.com> To: Tim Zingelman <zingelman@fnal.gov> Cc: security@FreeBSD.ORG Subject: Re: Security advisory SA-02:04 typo? Message-ID: <3C360220.17452.2C76D79@localhost> In-Reply-To: <Pine.GSO.4.43.0201042056550.5851-100000@nova.fnal.gov> References: <3C35F700.20238.29BF6BB@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On 4 Jan 2002, at 21:07, Tim Zingelman boldly uttered: > On Fri, 4 Jan 2002, Philip J. Koenig wrote: > > > >=== FreeBSD-SA-02:04 Security Advisory FreeBSD, Inc. > > > > > > Topic: mutt ports contain remotely exploitable buffer overflow > > > > > > Category: ports > > > Module: mutt > > > Announced: 2002-01-04 > > > Credits: Joost Pol <joost@contempt.nl> > > > Affects: Ports collection prior to the correction date > > > Corrected: 2002-01-02 13:52:03 UTC (ports/mail/mutt: 1.2.x) > > > 2002-01-02 03:39:01 UTC (ports/mail/mutt-devel: 1.3.x) > > > FreeBSD only: NO > > > > > > I. Background > > > > > > Mutt is a small but very powerful text-based mail client for Unix > > > operating systems. > > > > > > II. Problem Description > > > > > > The mutt ports, versions prior to mutt-1.2.25_1 and > > > mutt-devel-1.3.24_2, contain a buffer overflow in the handling of > > > email addresses in headers. > > > > > > Shall I assume the "1.2.25_1" string above is a typo? Is it really > > the versions prior to 1.2.5_1? Because I would think 1.2.2x seems to > > be pretty old at this point. > > This is not a typo. The FreeBSD PORT version is "1.2.25_1" indicating > that the 1.2.25 port has been updated once (to repair the security issue). > This port patches the 1.2.25 source tarball rather than using the 1.2.25.1 > source tarball. > > The latest stable version of mutt available from www.mutt.org is 1.2.25.1, > and it also has the security fix. > > - Tim OK, maybe I'm misunderstanding the version numbers here. The version of mutt on my Linux box is 1.2.5i. The version on one of my FreeBSD 4 Stable boxes is 1.2.4i, on another just installed from the mutt port on the 4.4-RELEASE CD, 1.2.5i, and the mutt port just cvsup'd 4 days ago is 1.2.5i. So I assumed 1.2.5 was relatively current. I have gotten used to version numbers that increment on a column-by- column basis, not on a (I don't know the terminology here) integer- between-the-dots basis. (I realize it often does this in the *nix/open-source world.. I just forget sometimes) So if 1.2.25 is actually 11 iterations newer than 1.2.4, then I can see where I was confusing things. Looks like the FreeBSD port version of mutt just took a (borrowing a term from China) "great leap forward" then. Phil -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C360220.17452.2C76D79>