[neomutt-devel] spear phishing attack on me
Stuart Henderson
stu at spacehopper.org
Thu Apr 10 18:48:50 CEST 2025
On 2025/04/10 09:19, Jon Fineman wrote:
> This works on Alpine. Using the officially built package it fails on
> OpenBSD. So it is not the way I built it, but an OpenBSD issue.
You are triggering a backwards/overlapping memcpy, which results in
undefined behaviour.
OpenBSD's undefined behaviour for this is to SIGABRT reliably.
> On Wed, Apr 09, 2025 at 07:31:20AM -0400, Jon Fineman wrote:
> > When I open this I consistently get a core dump, right after verify signature.
> >
> > I am using OpenBSD current.
> >
> > Commit: f695281a6962a2f57d5186c27fc22adec6099139
> >
> > ryzen(~/src/neomutt)$: ./neomutt -v
> > NeoMutt 20250404
> > Copyright (C) 2015-2025 Richard Russon and friends
> > NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
> > NeoMutt is free software, and you are welcome to redistribute it
> > under certain conditions; type 'neomutt -vv' for details.
> >
> > System: OpenBSD 7.7 (amd64)
> > ncurses: ncurses 6.4.20230826 (compiled with 6.4.20230826)
> > libiconv: 1.17
> > libidn2: 2.3.0 (compiled with 2.3.0)
> > GPGME: 1.24.2
> > OpenSSL: LibreSSL 4.1.0
> > libnotmuch: 5.6.0
> > PCRE2: 10.44 2024-06-07
> > storage: tdb
> >
> > Configure options: --autocrypt --with-lock=flock --fmemopen --gpgme --notmuch --ssl --sasl --sqlite --tdb --debug --disable-doc --pcre2
> >
> > Compilation CFLAGS: -std=c11 -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -D_XOPEN_SOURCE_EXTENDED -I/usr/local/include -DNCURSES_WIDECHAR -O2
> >
> > Compile options:
> > +autocrypt -fcntl +flock +fmemopen +futimens +getaddrinfo -gnutls +gpgme
> > -gsasl -gss +hcache -homespool +idn -inotify -locales_hack -lua +nls +notmuch
> > +openssl +pcre2 +pgp +sasl +smime +sqlite +truecolor
> >
> > MAILPATH="/var/mail"
> > PKGDATADIR="/usr/local/share/neomutt"
> > SENDMAIL="/usr/sbin/sendmail"
> > SYSCONFDIR="/usr/local/etc"
> >
> >
> >
> > egdb bin/x_neomutt x_neomutt.core
> > GNU gdb (GDB) 15.2
> > Copyright (C) 2024 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> > Type "show copying" and "show warranty" for details.
> > This GDB was configured as "x86_64-unknown-openbsd7.7".
> > Type "show configuration" for configuration details.
> > For bug reporting instructions, please see:
> > <https://www.gnu.org/software/gdb/bugs/>.
> > Find the GDB manual and other documentation resources online at:
> > <http://www.gnu.org/software/gdb/documentation/>.
> >
> > For help, type "help".
> > Type "apropos word" to search for commands related to "word"...
> > Reading symbols from bin/x_neomutt...
> > [New process 595952]
> > Core was generated by `x_neomutt'.
> > Program terminated with signal SIGABRT, Aborted.
> > #0 thrkill () at /tmp/-:2
> >
> > warning: 2 /tmp/-: No such file or directory
> > (gdb) bt
> > #0 thrkill () at /tmp/-:2
> > #1 0x66185e33c8dc45ec in ?? ()
> > #2 0x000003e435de5f1b in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
> > #3 0x000003e435da25d7 in memcpy (dst0=<optimized out>, src0=<optimized out>, length=<optimized out>)
> > at /usr/src/lib/libc/string/memcpy.c:74
> > #4 0x000003e20cb5c1be in mutt_ch_fgetconv (fc=0x3e4f33fb000) at mutt/charset.c:1013
> > #5 0x000003e20cad8189 in pgp_gpgme_application_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0)
> > at ncrypt/crypt_gpgme.c:2714
> > #6 0x000003e20cad2f02 in crypt_pgp_application_handler (b_email=0x3e42d52d9c0, state=0x728fe9e961f0)
> > at ncrypt/cryptglue.c:239
> > #7 0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0,
> > handler=0x3e20cad2ea0 <crypt_pgp_application_handler>, plaintext=false) at handler.c:1445
> > #8 0x000003e20c9d7905 in mutt_body_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0) at handler.c:1774
> > #9 0x000003e20c9da732 in multipart_handler (b_email=0x3e42d50a900, state=0x728fe9e961f0) at handler.c:1291
> > #10 0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e42d50a900, state=0x728fe9e961f0,
> > handler=0x3e20c9da420 <multipart_handler>, plaintext=false) at handler.c:1445
> > #11 0x000003e20c9d7905 in mutt_body_handler (b=0x3e42d50a900, state=0x728fe9e961f0) at handler.c:1774
> > #12 0x000003e20c9da732 in multipart_handler (b_email=0x3e4de0cc300, state=0x728fe9e961f0) at handler.c:1291
> > #13 0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e4de0cc300, state=0x728fe9e961f0,
> > handler=0x3e20c9da420 <multipart_handler>, plaintext=false) at handler.c:1445
> > #14 0x000003e20c9d7905 in mutt_body_handler (b=0x3e4de0cc300, state=0x728fe9e961f0) at handler.c:1774
> > #15 0x000003e20c9ce89f in mutt_copy_message_fp (fp_out=0x3e435e186e0 <usual+304>, fp_in=0x3e435e185b0 <usual>,
> > e=0x3e471659d20, cmflags=76, chflags=262294, wraplen=86) at copy.c:801
> > #16 0x000003e20c9cf2fa in mutt_copy_message (fp_out=0x3e435e186e0 <usual+304>, e=0x3e471659d20, msg=0x3e42d53a4b0,
> > cmflags=76, chflags=262294, wraplen=86) at copy.c:924
> > #17 0x000003e20ca207f7 in email_to_file (msg=0x3e42d53a4b0, tempfile=0x3e4367508c0, m=0x3e42dbc2800,
> > e=0x3e471659d20, header=0x0, wrap_len=86, cmflags=0x728fe9e9641a) at pager/message.c:254
> > #18 0x000003e20ca20add in mutt_display_message (win_index=0x3e436712960, shared=0x3e4f341df00)
> > at pager/message.c:468
> > #19 0x000003e20ca0b4cf in op_display_message (shared=0x3e4f341df00, priv=0x3e42dbb6b40, op=80)
> > at index/functions.c:651
> > #20 0x000003e20ca0a383 in index_function_dispatcher (win=0x3e436712960, op=80) at index/functions.c:3280
> > #21 0x000003e20ca05758 in dlg_index (dlg=0x3e436718d20, m_init=0x3e42dbd8100) at index/dlg_index.c:1371
> > #22 0x000003e20c9ff210 in main (argc=1, argv=0x728fe9e96c58, envp=0x728fe9e96c68) at main.c:1756
> > (gdb)
> >
> >
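The overlap condition named in the reply above, as an added example that is not part of the original message and is not NeoMutt's code: it tests whether two regions overlap, refuses `memcpy` when they do, and uses `memmove` for the in-buffer shift. The helper names `regions_overlap`, `checked_copy` and `compact_buffer` and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if [dst, dst+len) and [src, src+len) share a byte.
 * memcpy() on such regions is undefined behaviour. */
int regions_overlap(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;

    if (len == 0)
        return 0;
    return (d < s) ? (s - d < len) : (d - s < len);
}

/* Hypothetical helper: copy only when the regions are disjoint.
 * Returns 0 on success, -1 instead of invoking undefined behaviour. */
int checked_copy(void *dst, const void *src, size_t len)
{
    if (regions_overlap(dst, src, len))
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Hypothetical helper: slide the unread tail buf[read_pos..end_pos) to the
 * front of the same buffer. Source and destination live in one array, so
 * memmove() is the defined call. Returns the number of bytes kept. */
size_t compact_buffer(char *buf, size_t read_pos, size_t end_pos)
{
    if (read_pos > end_pos)
        return 0;
    size_t remaining = end_pos - read_pos;
    memmove(buf, buf + read_pos, remaining);
    return remaining;
}

int main(void)
{
    char buf[16] = "abcdefgh"; /* constructed sample data */

    /* Shifting 6 bytes left by 2 inside one buffer overlaps. */
    printf("overlap: %d\n", regions_overlap(buf, buf + 2, 6));
    printf("checked_copy: %d\n", checked_copy(buf, buf + 2, 6));
    printf("kept: %zu\n", compact_buffer(buf, 2, 8));
    printf("buf: %.6s\n", buf);
    return 0;
}
```
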