Hello to the entire mutt community,
as the subject states, I found a bug that causes a SIGSEGV in mutt
(stable branch, 1.4.2.3i).
I think that all operating systems on which time_t is *not* a long int
(as on the NetBSD/i386 system described below) are affected.

I tried to report it via flea(1), but it seems that the server is no longer
up (sub...@bugs.guug.de), and I have also tried to register on the
official http://dev.mutt.org/ Trac page, but I got a 403 error at:

 http://dev.mutt.org/trac/register

So I'm posting directly to this list.

I will attach the bug report generated by flea(1).
If you need more information please contact me!


Thank you in advance!
L.
Package: mutt
Version: 1.4.2.3i
Severity: grave

-- Please type your report below this line
Hello to the entire mutt community,
maildir_open_new_message() and maildir_commit_message() in mh.c wrongly assume
that time_t is a long int (they pass a time_t to a %ld conversion without a
cast), so on such systems a user can crash mutt with a SIGSEGV simply by trying
to send a message.

The ~/.muttrc lines needed to reproduce this bug are:

 set mbox_type = Maildir
 set record = "~/Mail/SENT"

Using Maildir together with $record makes it impossible to send any email,
because mutt crashes while writing the $record (Fcc) copy, i.e. before the
message is ever handed to the sendmail command. Note that the trigger is the
user's own configuration rather than attacker-controlled input, so this is a
reliability bug (undefined behaviour from a format/argument type mismatch)
rather than a remotely exploitable one.

Here is an example session (to simplify the output I use the "-x" option, but
the crash happens in the interactive interface too):

 $ mutt -x -s "Test" exam...@example.org
 To: exam...@example.org
 (Termina il messaggio con un . su una linea da solo)
 aoeu!
 .
 Memory fault (core dumped)
 $

Here is the relevant part of the backtrace from the core dump:

 (gdb) bt
 #0  0xbb97824e in __vfprintf_unlocked () from /usr/lib/libc.so.12
 #1  0xbb8dc41b in snprintf () from /usr/lib/libc.so.12
 #2  0x0807ae3b in maildir_open_new_message (msg=0xbb717720, dest=0xbfbfc97c, 
hdr=0xbb719200) at mh.c:832
 #3  0x0807e830 in mx_open_new_message (dest=0xbfbfc97c, hdr=0xbb719200, 
flags=1) at mx.c:1286
 #4  0x0809cade in mutt_write_fcc (path=0xbfbfe24c "/home/leot/Mail/SENT", 
hdr=0xbb719200, msgid=0x0, post=0, fcc=0x0) at sendlib.c:2351
 #5  0x0809724b in ci_send_message (flags=64, msg=0xbb719200, tempfile=0x0, 
ctx=0x0, cur=0x0) at send.c:1532
 #6  0x0807489b in main (argc=5, argv=0xbfbfeb8c) at main.c:780

And in particular:

 (gdb) bt full
 [...]
 #2  0x0807ae3b in maildir_open_new_message (msg=0xbb717720, dest=0xbfbfc97c, 
hdr=0xbb719200)
     at mh.c:832
         fd = <optimized out>
         path = "/home/leot/Mail/SENT/tmp/cur.1383401751.0_26736", '\000' 
<repeats 105 times>, 
"�B���B����\232���\232�\277\277�\n��\300.\r\b\000\025\000\000\000\000\000\000\003\000\000\000\003�\000\000\016\000\000\000\a\000\000\000\000@\020\362\020\000\000\000\300.\r\b��\232�\020\000\000\000\200.\r\b
 wq �024�� wq�\000\000\000\000\020\000\000\000\000\000\000\000k\016\334\023"
         suffix = ":2,S\000\304\277\277\204\031\n\b\001\000\000"
         subdir = "cur", '\000' <repeats 12 times>
 [...]

And:

 (gdb) list mh.c:832
 827       else
 828         strfcpy (subdir, "new", sizeof (subdir));
 829     
 830       FOREVER
 831       {
 832         snprintf (path, _POSIX_PATH_MAX, "%s/tmp/%s.%ld.%d_%d.%s%s",
 833                  dest->path, subdir, time (NULL), getpid (), Counter++,
 834                  NONULL (Hostname), suffix);
 835     
 836         dprint (2, (debugfile, "maildir_open_new_message (): Trying %s.\n",

From these lines you can see that a time_t is passed to a %ld conversion
*without* a cast. On operating systems where time_t is not a long int (e.g.
NetBSD) the argument no longer matches the format, which is undefined
behaviour: the following variadic arguments (getpid(), Counter, Hostname) are
most likely read from the wrong positions, so the %s conversion ends up
dereferencing a bogus pointer -- which is consistent with the crash inside
__vfprintf_unlocked() in the backtrace above.

A possible way to fix this problem is to cast the time_t value to intmax_t and
print it with %jd, in both maildir_open_new_message() and
maildir_commit_message(). The attached patch fixes the whole issue for me. I am
not an expert C programmer, so please review it and apply it if it is OK.
If you need more information regarding this problem feel free to contact me.
Thank you very much in advance!


--- mh.c.orig   2007-05-23 03:17:53.000000000 +0200
+++ mh.c        2013-11-02 14:23:05.000000000 +0100
@@ -35,6 +35,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
@@ -829,8 +830,8 @@
 
   FOREVER
   {
-    snprintf (path, _POSIX_PATH_MAX, "%s/tmp/%s.%ld.%d_%d.%s%s",
-            dest->path, subdir, time (NULL), getpid (), Counter++,
+    snprintf (path, _POSIX_PATH_MAX, "%s/tmp/%s.%jd.%d_%d.%s%s",
+            dest->path, subdir, (intmax_t)time (NULL), getpid (), Counter++,
             NONULL (Hostname), suffix);
 
     dprint (2, (debugfile, "maildir_open_new_message (): Trying %s.\n",
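Review bot: The rewritten snprintf on the `+` line still discards its return value, so a `dest->path` long enough to push the result past `_POSIX_PATH_MAX` silently truncates the Maildir name, dropping the `Counter`/hostname/`suffix` tail that is supposed to make it unique before the open attempt that presumably follows. Checking for truncation, e.g. `int n = snprintf (path, _POSIX_PATH_MAX, ...); if (n < 0 || n >= _POSIX_PATH_MAX) return -1;` (using whatever failure value this function's callers expect), turns that into a clean error instead. The cast itself is the right fix for the type mismatch; only the bound check is missing. The FOREVER loop and maildir_open_new_message() continue outside the hunk.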
@@ -910,8 +911,8 @@
   /* construct a new file name. */
   FOREVER
   {
-    snprintf (path, _POSIX_PATH_MAX, "%s/%ld.%d_%d.%s%s", subdir,
-             time (NULL), getpid(), Counter++, NONULL (Hostname), suffix);
+    snprintf (path, _POSIX_PATH_MAX, "%s/%jd.%d_%d.%s%s", subdir,
+             (intmax_t)time (NULL), getpid(), Counter++, NONULL (Hostname), 
suffix);
     snprintf (full, _POSIX_PATH_MAX, "%s/%s", ctx->path, path);
 
     dprint (2, (debugfile, "maildir_commit_message (): renaming %s to %s.\n",
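Review bot: `%jd` with an `(intmax_t)` cast is the correct C99 spelling, but it makes mh.c depend on `<stdint.h>` (included unconditionally by the first hunk) and on a libc printf that understands the `j` length modifier; the build flags in this report select no `-std=` at all, and on a libc without `j` support the argument/format mismatch would be undefined behaviour again, just more quietly. A configure-time check for `intmax_t`, or a fallback such as `(long long) time (NULL)` with `%lld` (also C99, but more widely implemented in practice), would make the fix safer across the platforms mutt 1.4 still builds on. The second snprintf into `full` likewise ignores truncation when `ctx->path` is long, so the rename target can be a clipped path; checking both return values against `_POSIX_PATH_MAX` would avoid that. The FOREVER loop and maildir_commit_message() continue outside the hunk.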


-- Build environment information

(Note: This is the build environment installed on the system
muttbug is run on.  Information may or may not match the environment
used to build mutt.)

- gcc version information
gcc
Using built-in specs.
COLLECT_GCC=gcc
Target: i486--netbsdelf
Configured with: /usr/src2/tools/gcc/../../external/gpl3/gcc/dist/configure 
--target=i486--netbsdelf --enable-long-long --enable-threads 
--with-bugurl=http://www.NetBSD.org/Misc/send-pr.html --with-pkgversion='NetBSD 
nb2 20111202' --enable-__cxa_atexit --with-arch=i486 --with-tune=nocona 
--with-mpc=/var/obj/mknative/i386/usr/src2/destdir.i386/usr 
--with-mpfr=/var/obj/mknative/i386/usr/src2/destdir.i386/usr 
--with-gmp=/var/obj/mknative/i386/usr/src2/destdir.i386/usr --enable-tls 
--disable-multilib --disable-symvers --disable-libstdcxx-pch 
--build=x86_64-unknown-netbsd5.99.56 --host=i486--netbsdelf
Thread model: posix
gcc version 4.5.3 (NetBSD nb2 20110806) 

- CFLAGS
-Wall -pedantic -ggdb -pipe -O2 -march=pentium-m -I/usr/include

-- Mutt Version Information

Mutt 1.4.2.3i (2007-05-26)
Copyright (C) 1996-2002 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: NetBSD 6.1.2 (i386)
Opzioni di compilazione:
-DOMAIN
+DEBUG
-HOMESPOOL  -USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  
+USE_FCNTL  -USE_FLOCK
+USE_POP  +USE_IMAP  -USE_GSS  +USE_SSL  -USE_SASL  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  -HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+HAVE_PGP  -BUFFY_SIZE -EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_GETSID  +HAVE_GETADDRINFO  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/pkg/share/mutt"
SYSCONFDIR="/usr/pkg/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
Per contattare gli sviluppatori scrivi a <mutt-dev@mutt.org>.
Per segnalare un bug usa il programma flea(1).


--- Begin /home/leot/.muttrc
[...]
set mbox_type = Maildir
[...]
set record = "~/Mail/SENT"
[...]
--- End /home/leot/.muttrc


--- Begin /usr/pkg/etc/Muttrc
ignore "from " received content- mime-version status x-status message-id
ignore sender references return-path lines
macro index \eb '/~b ' 'search in message bodies'
macro index \cb |urlview\n 'call urlview to extract URLs out of a message'
macro pager \cb |urlview\n 'call urlview to extract URLs out of a message'
macro generic <f1> "!less /usr/pkg/share/doc/mutt/manual.txt\n" "Show Mutt 
documentation"
macro index   <f1> "!less /usr/pkg/share/doc/mutt/manual.txt\n" "Show Mutt 
documentation"
macro pager   <f1> "!less /usr/pkg/share/doc/mutt/manual.txt\n" "Show Mutt 
documentation"
--- End /usr/pkg/etc/Muttrc
