CVE-2012-1103: Input Validation
First published: Tue Sep 25 2012(Updated: )
emacs/notmuch-mua.el in Notmuch before 0.11.1, when using the Emacs interface, allows user-assisted remote attackers to read arbitrary files via crafted MML tags, which are not properly quoted in an email reply cna cause the files to be attached to the message.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Notmuch | <=0.11 | |
| Notmuch | =0.1 | |
| Notmuch | =0.1.1 | |
| Notmuch | =0.2 | |
| Notmuch | =0.3 | |
| Notmuch | =0.3.1 | |
| Notmuch | =0.4 | |
| Notmuch | =0.5 | |
| Notmuch | =0.6 | |
| Notmuch | =0.6-254 | |
| Notmuch | =0.6-rc1 | |
| Notmuch | =0.6.1 | |
| Notmuch | =0.7 | |
| Notmuch | =0.7-rc1 | |
| Notmuch | =0.8 | |
| Notmuch | =0.8-rc0 | |
| Notmuch | =0.8-rc1 | |
| Notmuch | =0.9 | |
| Notmuch | =0.9-rc1 | |
| Notmuch | =0.9-rc2 | |
| Notmuch | =0.10 | |
| Notmuch | =0.10-rc1 | |
| Notmuch | =0.10-rc2 | |
| Notmuch | =0.10.1 | |
| Notmuch | =0.10.2 | |
| Notmuch | =0.11-rc1 | |
| Notmuch | =0.11-rc2 | |
| Notmuch | =0.11-rc2-1 | |
| Notmuch | =0.11-rc3 | |
| Notmuch | =0.11-rc3-1 | |
| GNU Emacs |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.notmuchmail.org/git/notmuch/blobdiff/3f2050ac221a4c940c12442f156f12fff11600c6..ae438ccd8c77831158c7c30f19710d798ee4a6b4:/emacs/notmuch-mua.el
- http://notmuchmail.org/news/release-0.11.1/
- http://secunia.com/advisories/48139
- http://www.debian.org/security/2012/dsa-2416
- http://www.openwall.com/lists/oss-security/2012/03/04/5
- http://www.openwall.com/lists/oss-security/2012/03/05/6
- http://www.securityfocus.com/bid/52155
Frequently Asked Questions
What is the severity of CVE-2012-1103?
CVE-2012-1103 has a moderate severity as it allows user-assisted remote attackers to read arbitrary files.
How do I fix CVE-2012-1103?
To fix CVE-2012-1103, upgrade Notmuch to version 0.11.1 or later.
Which versions of Notmuch are affected by CVE-2012-1103?
CVE-2012-1103 affects Notmuch versions prior to 0.11.1.
How does CVE-2012-1103 work?
CVE-2012-1103 exploits crafted MML tags that can cause arbitrary files to be attached in email replies.
Should I be concerned about CVE-2012-1103 if I use Notmuch?
Yes, if you use an affected version of Notmuch, you should upgrade to avoid potential data exposure.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/notmuchmail
- canonical/notmuch
- version/notmuch/0.11
- version/notmuch/0.1
- version/notmuch/0.1.1
- version/notmuch/0.2
- version/notmuch/0.3
- version/notmuch/0.3.1
- version/notmuch/0.4
- version/notmuch/0.5
- version/notmuch/0.6
- version/notmuch/0.6-254
- version/notmuch/0.6-rc1
- version/notmuch/0.6.1
- version/notmuch/0.7
- version/notmuch/0.7-rc1
- version/notmuch/0.8
- version/notmuch/0.8-rc0
- version/notmuch/0.8-rc1
- version/notmuch/0.9
- version/notmuch/0.9-rc1
- version/notmuch/0.9-rc2
- version/notmuch/0.10
- version/notmuch/0.10-rc1
- version/notmuch/0.10-rc2
- version/notmuch/0.10.1
- version/notmuch/0.10.2
- version/notmuch/0.11-rc1
- version/notmuch/0.11-rc2
- version/notmuch/0.11-rc2-1
- version/notmuch/0.11-rc3
- version/notmuch/0.11-rc3-1
- vendor/gnu
- canonical/gnu emacs