Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org, anto...@debian.org
Hi SRM'ers, hi Antonio,

I prepared an update for mutt, fixing CVE-2022-1328, a buffer overflow in the uudecoder. Performed a manual test with the PoC mbox provided by Tavis in https://gitlab.com/muttmua/mutt/-/issues/404 . Attached is the debdiff respectively for the upload.

Regards,
Salvatore
diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog --- mutt-1.10.1/debian/changelog 2021-01-25 19:10:07.000000000 +0100 +++ mutt-1.10.1/debian/changelog 2022-04-23 15:00:14.000000000 +0200 @@ -1,3 +1,10 @@ +mutt (1.10.1-2.1+deb10u6) buster; urgency=medium + + * Non-maintainer upload. + * Fix uudecode buffer overflow (CVE-2022-1328) (Closes: #1009734) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 23 Apr 2022 15:00:14 +0200 + mutt (1.10.1-2.1+deb10u5) buster-security; urgency=high * debian/patches: diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series --- mutt-1.10.1/debian/patches/series 2021-01-25 19:10:07.000000000 +0100 +++ mutt-1.10.1/debian/patches/series 2022-04-23 15:00:14.000000000 +0200 @@ -19,3 +19,4 @@ security/CVE-2020-28896.patch security/CVE-2021-3181.patch upstream/imap-preauth-and-ssh-tunnel.patch +upstream/Fix-uudecode-buffer-overflow.patch diff -Nru mutt-1.10.1/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch mutt-1.10.1/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch --- mutt-1.10.1/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-1.10.1/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch 2022-04-23 15:00:14.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Tue, 5 Apr 2022 11:05:52 -0700 +Subject: Fix uudecode buffer overflow. +Origin: https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 +Bug: https://gitlab.com/muttmua/mutt/-/issues/404 +Bug-Debian: https://bugs.debian.org/1009734 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-1328 + +mutt_decode_uuencoded() used each line's initial "length character" +without any validation. It would happily read past the end of the +input line, and with a suitable value even past the length of the +input buffer. + +As I noted in ticket 404, there are several other changes that could +be added to make the parser more robust. However, to avoid +accidentally introducing another bug or regression, I'm restricting +this patch to simply addressing the overflow. + +Thanks to Tavis Ormandy for reporting the issue, along with a sample +message demonstrating the problem. +--- + handler.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/handler.c b/handler.c +index d1b4bc73a58f..c97cf0cb527e 100644 +--- a/handler.c ++++ b/handler.c +@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd) + pt = tmps; + linelen = decode_byte (*pt); + pt++; +- for (c = 0; c < linelen;) ++ for (c = 0; c < linelen && *pt;) + { +- for (l = 2; l <= 6; l += 2) ++ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2) + { + out = decode_byte (*pt) << l; + pt++; +-- +2.35.2 +
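Review bot: the debian/patches/series hunk files this CVE fix as `upstream/Fix-uudecode-buffer-overflow.patch`, while the two existing CVE fixes in the same list (`security/CVE-2020-28896.patch`, `security/CVE-2021-3181.patch`) live under security/ and are named by CVE; for consistency with the rest of the series and with the security tracker, consider `security/CVE-2022-1328.patch`, keeping the Origin/Bug headers as they are.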
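Review bot: in the handler.c hunk the new `*pt` / `*(pt + 1)` guards stop the inner loops at the NUL terminator, but `linelen = decode_byte (*pt)` is still taken from the message unchecked, so a line whose length character promises more bytes than the line holds is now silently decoded as a shorter line rather than rejected, and nothing bounds `linelen` against the 45-byte maximum a uuencoded line can carry. That matches the commit message's stated intent of fixing only the overflow, but it would be worth a comment in the code (or a follow-up patch) that validates `linelen` against the line's actual length up front, e.g. comparing it to `strlen (pt)`, so malformed lines are dropped instead of partially decoded with no diagnostic.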
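The commit message above describes the root cause: the per-line length character was trusted, so a crafted value drove the loop past the end of the input line. The following is an added example, written for this page and not taken from mutt, the upstream patch or the Debian bug; it is a stand-alone uudecode line decoder that does the up-front validation the commit message mentions deferring, checking the length character against the bytes actually present before any data is read. The character mapping (ASCII 32..95, with '`' standing in for 0) and the 45-byte line maximum come from the uuencode format; the function names and the sample lines are assumptions constructed here, not anything from the bug report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A uuencoded body line carries at most 45 decoded bytes (60 data chars). */
#define UU_MAX_LINE_BYTES 45

/* uuencode stores each 6-bit value as ASCII 32..95; '`' (96) is the usual
 * stand-in for 0. Returns -1 for any other character. */
static int uu_decode_char(char ch)
{
    if (ch == '`')
        return 0;
    if (ch < ' ' || ch > '_')
        return -1;
    return ch - ' ';
}

/* Decode one uuencoded body line (no trailing newline) into out.
 * Returns the number of bytes written, or -1 when the line is rejected:
 * bad or over-large length character, fewer data characters than the
 * length character requires, an invalid data character, or out too small.
 * The length character is checked against what is actually present
 * before any data is read, so it can never drive a read past the line. */
int uudecode_line(const char *line, unsigned char *out, size_t outcap)
{
    if (line == NULL || line[0] == '\0')
        return -1;

    int n = uu_decode_char(line[0]);
    if (n < 0 || n > UU_MAX_LINE_BYTES || (size_t)n > outcap)
        return -1;

    /* Every 3 output bytes take 4 input characters; a final partial
     * group is padded by the encoder, so the line must hold all 4. */
    size_t groups = ((size_t)n + 2) / 3;
    const char *p = line + 1;
    if (strlen(p) < groups * 4)
        return -1;

    size_t written = 0;
    for (size_t g = 0; g < groups; g++, p += 4) {
        int v[4];
        for (int i = 0; i < 4; i++) {
            v[i] = uu_decode_char(p[i]);
            if (v[i] < 0)
                return -1;
        }
        unsigned char b[3] = {
            (unsigned char)((v[0] << 2) | (v[1] >> 4)),
            (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2)),
            (unsigned char)(((v[2] & 0x03) << 6) | v[3]),
        };
        for (int i = 0; i < 3 && written < (size_t)n; i++)
            out[written++] = b[i];
    }
    return (int)written;
}

/* Helpers (assumed names): decode into a fixed buffer and report the result. */
int uudecode_result(const char *line)
{
    unsigned char buf[UU_MAX_LINE_BYTES];
    return uudecode_line(line, buf, sizeof buf);
}

int uudecode_matches(const char *line, const char *expect, size_t len)
{
    unsigned char buf[UU_MAX_LINE_BYTES];
    int r = uudecode_line(line, buf, sizeof buf);
    return r >= 0 && (size_t)r == len && memcmp(buf, expect, len) == 0;
}

int main(void)
{
    /* Constructed sample lines: a valid encoding of "cat"; a line whose length
     * character 'M' (45) promises far more than the 4 chars present, the shape
     * of input that made an unchecked length-driven loop read past the line;
     * an out-of-range length character; and the empty "`" line. */
    const char *samples[] = { "#8V%T", "M8V%T", "~8V%T", "`" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], uudecode_result(samples[i]));
    return 0;
}
```

The design choice is to reject rather than truncate: a length character that does not agree with the line is treated as a malformed message and the line yields -1, so the caller can stop decoding the part, whereas a guard inside the loop (as in the patch above) keeps the read in bounds but lets a malformed line pass as a shorter one.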