A better debdiff is included; this does not include two vim artifacts at the
end of the first patch. Sorry for the inconvenience.

On Thu, Nov 27, 2014 at 10:26:37PM +0000, Antonio Radici wrote:
> And the attachment is now, actually, attached :)
> 
> On Thu, Nov 27, 2014 at 10:13:39PM +0000, Antonio Radici wrote:
> > Hi,
> > this patch fixes the buffer overflow + RCE in the mutt version that is
> > currently in stable; I have already got the packages built and ready to be
> > uploaded.
> > 
> > Bug: http://bugs.debian.org/771125
> > CVE: CVE-2014-9116
> > 
> > Debdiff of the *dsc against the current version in stable is attached; let me
> > know if you need anything else.
> > 
> > Cheers
> > Antonio
diff -u mutt-1.5.21/debian/changelog mutt-1.5.21/debian/changelog
--- mutt-1.5.21/debian/changelog
+++ mutt-1.5.21/debian/changelog
@@ -1,3 +1,10 @@
+mutt (1.5.21-6.2+deb7u3) wheezy-security; urgency=high
+
+  * Fix buffer overflow caused by an incorrect parsing of whitespace
+    characters; also address CVE-2014-0467 (Closes: 771125)
+
+ -- Antonio Radici <anto...@dyne.org>  Thu, 27 Nov 2014 21:10:23 +0000
+
 mutt (1.5.21-6.2+deb7u2) wheezy-security; urgency=high
 
   * Non-maintainer upload.
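
Review bot: The new changelog entry cites the wrong CVE in its second bullet line ("also address CVE-2014-0467"). The patch this upload adds to debian/patches/series is upstream/771125-CVE-2014-9116.patch, while upstream/CVE-2014-0467.patch is already listed there as an unchanged line, and the cover mail gives the CVE as CVE-2014-9116. Change the entry to name CVE-2014-9116 so the changelog matches the fix being shipped.
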
diff -u mutt-1.5.21/debian/patches/series mutt-1.5.21/debian/patches/series
--- mutt-1.5.21/debian/patches/series
+++ mutt-1.5.21/debian/patches/series
@@ -54,6 +54,7 @@
 upstream/611410-no-implicit_autoview-for-text-html.patch
 upstream/path_max
 upstream/CVE-2014-0467.patch
+upstream/771125-CVE-2014-9116.patch
 
 misc/579967-fixes-german-translation.patch
 
only in patch2:
unchanged:
--- mutt-1.5.21.orig/debian/patches/upstream/771125-CVE-2014-9116.patch
+++ mutt-1.5.21/debian/patches/upstream/771125-CVE-2014-9116.patch
@@ -0,0 +1,38 @@
+This patches solves the issue raised by CVE-2014-9116 in bug 771125.
+The sendlib patch is incorporated from upstream commit:
+http://dev.mutt.org/trac/changeset/897dcc62e4aa
+
+The lib.c part was written by Antonio Radici <anto...@debian.org> to prevent
+crashes due to this kind of bugs from happening again.
+
+Index: mutt/sendlib.c
+===================================================================
+--- mutt.orig/sendlib.c
++++ mutt/sendlib.c
+@@ -1815,6 +1815,11 @@ static int write_one_header (FILE *fp, i
+       tagbuf = mutt_substrdup (start, t);
+       ++t; /* skip over the colon separating the header field name and value 
*/
+       SKIPWS(t); /* skip over any leading whitespace */
++
++      /* skip over any leading whitespace (WSP, as defined in RFC5322) */
++      while (*t == ' ' || *t == '\t')
++        t++;
++
+       valbuf = mutt_substrdup (t, end);
+     }
+     dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
+
+Index: mutt/lib.c
+===================================================================
+--- mutt.orig/lib.c
++++ mutt/lib.c
+@@ -814,6 +814,9 @@ char *mutt_substrdup (const char *begin,
+   size_t len;
+   char *p;
+
++  if (end < begin)
++    return NULL;
++
+   if (end)
+     len = end - begin;
+   else
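
Review bot: In the lib.c part, the new guard "if (end < begin) return NULL;" sits before the existing "if (end)" test, so it also fires when end is NULL. The else branch shows that a NULL end is a supported call, and on the usual platforms a NULL end compares lower than any valid begin, so those callers now get NULL back instead of a copy. Suggest "if (end && end < begin)", or moving the comparison inside the "if (end)" branch. Returning NULL is also a new result for this function: the sendlib.c context assigns "valbuf = mutt_substrdup (t, end);" with no NULL check in the lines shown, so the callers need an audit before this counts as hardening. In the sendlib.c part, SKIPWS(t) is kept as a context line ahead of the added WSP-only loop, so the loop only ever starts where SKIPWS already left t; please check against the referenced upstream changeset whether the loop is meant to replace SKIPWS(t) rather than follow it.
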
