Please find below a number of confirmed security findings in the mutt client. None of these are significant, but they should probably be addressed.
**Version**: Mutt 2.3.1

### 1. NULL Dereference in Signature Verification (MEDIUM)

- **Location**: `crypt-gpgme.c:1428` (`show_sig_summary`)
- **Trigger**: Attacker sends signed email where key lookup fails with NO_PUBKEY status but summary includes KEY_EXPIRED flag
- **Impact**: Crash on `key->subkeys->expires` when `key` is NULL
- **Auto-triggered**: Yes (under default `crypt_verify_sig=yes`)
- **Fix**: Add `key && key->subkeys` check before dereference

### 2. Infinite Loop on GPGME Read Error (MEDIUM)

- **Location**: `crypt-gpgme.c:745` (`data_object_to_stream`)
- **Trigger**: Malformed encrypted/signed email causes `gpgme_data_read` to return -1
- **Impact**: Hang + OOB stack disclosure (reads past 4096-byte buffer into tempfile)
- **Root cause**: `while ((nread = gpgme_data_read(...)))` treats -1 as truthy; inner `for(;nread;nread--)` loops ~2^63 times
- **Fix**: Change to `while ((nread = gpgme_data_read(...)) > 0)`

### 3. POP3 Unbounded Memory Growth (MEDIUM)

- **Location**: `pop.c:187-197` (`pop_fetch_headers`)
- **Trigger**: Malicious POP server returns unlimited UIDL responses
- **Impact**: Unbounded `ctx->hdrs` array growth → OOM DoS
- **Fix**: Cap UIDL response count

### 4. MIME Boundary Predictability (MEDIUM)

- **Location**: `mutt_random.c` + `sendlib.c:550`
- **Issue**: LFSR113 PRNG (113-bit state) generates MIME boundaries; 4+ observed boundaries enable state recovery via linear algebra
- **Impact**: Cross-client MIME smuggling when user forwards attacker email containing predicted boundary
- **Attack**: Monitor user's sent mail → recover PRNG state → predict future boundary → craft body containing it → recipient sees fake MIME structure
- **Fix**: Replace LFSR113 with ChaCha20 or direct /dev/urandom for security-critical randomness

### 5. CRAM-MD5 HMAC Weakening (MEDIUM, Conditional)

- **Location**: `imap/auth_cram.c:152`
- **Trigger**: Password >64 bytes + CRAM-MD5 auth
- **Issue**: `strfcpy` treats binary MD5 digest as C string, always sets last byte to 0
- **Impact**: HMAC key reduced from 128→120+8 bits; deterministic auth failure when digest has embedded NUL
- **Fix**: Use `memcpy(secret, hash_passwd, MD5_DIGEST_LEN)`

### 6. GSSAPI Buffer Underflow (MEDIUM, Conditional)

- **Location**: `imap/auth_gss.c:263-274`
- **Trigger**: GSSAPI auth + malicious IMAP server sends wrapped token <8 bytes
- **Impact**: OOB read of `*((long*)send_token.value)` without length check
- **Fix**: Verify `send_token.length >= 8` before cast

### 7. URL %00 Truncation (LOW-MEDIUM)

- **Location**: `url.c:49` (`url_pct_decode`)
- **Trigger**: Attacker email with `List-Post: mailto:user%00evil@domain`
- **Impact**: Silent truncation at embedded NUL; URL confusion primitive
- **Fix**: Reject %00 with error return

### 8. TLS Certificate CN Fallback (LOW-MEDIUM)

- **Location**: `mutt_ssl.c:997`
- **Issue**: Falls back to CN verification even when SAN dNSName entries exist but don't match
- **RFC violation**: RFC 6125 requires rejecting cert when SAN present but no dNSName matches
- **Fix**: Skip CN check when SAN extension contains dNSName entries
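The loop shape recommended as the fix for finding 2, shown as an added example that is not mutt's code: the read loop continues only on a positive count and reports -1 as an error instead of using it as a length. `fake_src`, `fake_read`, `copy_all` and `run_case` are hypothetical names; `fake_read` stands in for `gpgme_data_read` (bytes read, 0 at end of data, -1 on error) so the block runs without GPGME, and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for gpgme_data_read(): >0 bytes, 0 at end, -1 on error. */
struct fake_src { const char *data; size_t len, pos, fail_at; };
static ssize_t fake_read(struct fake_src *s, void *buf, size_t size)
{
    if (s->pos >= s->fail_at) return -1;            /* simulated read error */
    size_t n = s->len - s->pos;                     /* 0 here means end of data */
    if (n > size) n = size;
    if (n > s->fail_at - s->pos) n = s->fail_at - s->pos;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Copies src into out. Returns 0 on success, -1 on read error or full sink. */
static int copy_all(struct fake_src *src, char *out, size_t cap, size_t *copied)
{
    char buf[4];                 /* small on purpose: forces several reads */
    ssize_t nread;
    *copied = 0;
    while ((nread = fake_read(src, buf, sizeof buf)) > 0) {  /* -1 ends the loop */
        if ((size_t)nread > cap - *copied) return -1;        /* never overrun out */
        memcpy(out + *copied, buf, (size_t)nread);
        *copied += (size_t)nread;
    }
    return nread < 0 ? -1 : 0;   /* tell a read error apart from end of data */
}

/* Runs one constructed case; fail_at == (size_t)-1 means the source never fails. */
static int run_case(size_t fail_at, size_t *copied)
{
    static const char sample[] = "signed body";     /* 11 bytes, constructed */
    struct fake_src s = { sample, sizeof sample - 1, 0, fail_at };
    char out[32];
    return copy_all(&s, out, sizeof out, copied);
}

int main(void)
{
    size_t n;
    int rc = run_case((size_t)-1, &n);
    printf("clean read: rc=%d copied=%zu\n", rc, n);
    rc = run_case(5, &n);
    printf("error after 5 bytes: rc=%d copied=%zu\n", rc, n);
    return 0;
}
```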
