And the attachment is now, actually, attached :)

On Thu, Nov 27, 2014 at 10:13:39PM +0000, Antonio Radici wrote:
> Hi,
> this patch fixes the buffer overflow + RCE in the mutt version that is
> currently in stable; I have already got the packages built and ready to be
> uploaded.
> 
> Bug: http://bugs.debian.org/771125
> CVE: CVE-2014-9116
> 
> Debdiff of the *dsc against the current version in stable is attached; let me
> know if you need anything else.
> 
> Cheers
> Antonio


diff -u mutt-1.5.21/debian/changelog mutt-1.5.21/debian/changelog
--- mutt-1.5.21/debian/changelog
+++ mutt-1.5.21/debian/changelog
@@ -1,3 +1,10 @@
+mutt (1.5.21-6.2+deb7u3) wheezy-security; urgency=high
+
+  * Fix buffer overflow caused by an incorrect parsing of whitespace
+    characters; also address CVE-2014-0467 (Closes: 771125)
+
+ -- Antonio Radici <anto...@dyne.org>  Thu, 27 Nov 2014 21:10:23 +0000
+
 mutt (1.5.21-6.2+deb7u2) wheezy-security; urgency=high
 
   * Non-maintainer upload.
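
Review bot: The new changelog entry names CVE-2014-0467 in its second line, but the bug it closes (771125), the cover mail and the patch added by this upload all refer to CVE-2014-9116, and CVE-2014-0467 already has its own patch in debian/patches/series. Suggest changing that line to "characters; also address CVE-2014-9116 (Closes: 771125)" so the entry matches the fix it ships.
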
diff -u mutt-1.5.21/debian/patches/series mutt-1.5.21/debian/patches/series
--- mutt-1.5.21/debian/patches/series
+++ mutt-1.5.21/debian/patches/series
@@ -54,6 +54,7 @@
 upstream/611410-no-implicit_autoview-for-text-html.patch
 upstream/path_max
 upstream/CVE-2014-0467.patch
+upstream/771125-CVE-2014-9116.patch
 
 misc/579967-fixes-german-translation.patch
 
only in patch2:
unchanged:
--- mutt-1.5.21.orig/debian/patches/upstream/771125-CVE-2014-9116.patch
+++ mutt-1.5.21/debian/patches/upstream/771125-CVE-2014-9116.patch
@@ -0,0 +1,40 @@
+This patches solves the issue raised by CVE-2014-9116 in bug 771125.
+The sendlib patch is incorporated from upstream commit:
+http://dev.mutt.org/trac/changeset/897dcc62e4aa
+
+The lib.c part was written by Antonio Radici <anto...@debian.org> to prevent
+crashes due to this kind of bugs from happening again.
+
+Index: mutt/sendlib.c
+===================================================================
+--- mutt.orig/sendlib.c
++++ mutt/sendlib.c
+@@ -1815,6 +1815,11 @@ static int write_one_header (FILE *fp, i
+       tagbuf = mutt_substrdup (start, t);
+       ++t; /* skip over the colon separating the header field name and value */
+       SKIPWS(t); /* skip over any leading whitespace */
++
++      /* skip over any leading whitespace (WSP, as defined in RFC5322) */
++      while (*t == ' ' || *t == '\t')
++        t++;
++
+       valbuf = mutt_substrdup (t, end);
+     }
+     dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
+
+:xa
+ls
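
Review bot: In the sendlib.c hunk the context line "SKIPWS(t);" is kept, so the added WSP-only loop runs after it and has no space or tab left to skip; whatever SKIPWS steps over (its comment says any leading whitespace) is still stepped over before "valbuf = mutt_substrdup (t, end);" is reached. If the intent is to limit skipping to space and tab, as the new comment says, the SKIPWS line should be removed rather than supplemented; please check this against the upstream changeset cited in the patch header. Separately, the lines ":xa" and "ls" that follow this hunk look like stray editor input and should be dropped from the patch file.
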
+Index: mutt/lib.c
+===================================================================
+--- mutt.orig/lib.c
++++ mutt/lib.c
+@@ -814,6 +814,9 @@ char *mutt_substrdup (const char *begin,
+   size_t len;
+   char *p;
+
++  if (end < begin)
++    return NULL;
++
+   if (end)
+     len = end - begin;
+   else
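
Review bot: The new guard "if (end < begin)" is placed before the existing "if (end)" test, so a call with end == NULL, which the else branch exists to handle, now compares a null pointer against begin and returns NULL instead of reaching that branch. Suggest "if (end && end < begin) return NULL;" or moving the check inside the "if (end)" branch. Returning NULL is also a new result for this function, so callers such as the "valbuf = mutt_substrdup (t, end);" assignment in write_one_header need to be checked for NULL handling.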

Attachment: signature.asc
Description: Digital signature
