From 63d526e2689774ff2897446b870c3817b95c75d7 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 30 Dec 2014 15:17:44 -0500 Subject: gnu: mutt: Add fix for CVE-2014-9116. * gnu/packages/patches/mutt-CVE-2014-9116.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/mail.scm (mutt): Add patch. --- gnu-system.am | 1 + gnu/packages/mail.scm | 3 +- gnu/packages/patches/mutt-CVE-2014-9116.patch | 46 +++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mutt-CVE-2014-9116.patch diff --git a/gnu-system.am b/gnu-system.am index 3d145b1387..dc881bb31d 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -420,6 +420,7 @@ dist_patch_DATA = \ gnu/packages/patches/mpc123-initialize-ao.patch \ gnu/packages/patches/module-init-tools-moduledir.patch \ gnu/packages/patches/mupdf-buildsystem-fix.patch \ + gnu/packages/patches/mutt-CVE-2014-9116.patch \ gnu/packages/patches/net-tools-bitrot.patch \ gnu/packages/patches/nvi-assume-preserve-path.patch \ gnu/packages/patches/orpheus-cast-errors-and-includes.patch \ diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 534476f7d1..8424d8ccbe 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -174,7 +174,8 @@ aliasing facilities to work just as they would on normal mail.") version ".tar.gz"))) (sha256 (base32 - "0dzx4qk50pjfsb6cs5jahng96a52k12f7pm0sc78iqdrawg71w1s")))) + "0dzx4qk50pjfsb6cs5jahng96a52k12f7pm0sc78iqdrawg71w1s")) + (patches (list (search-patch "mutt-CVE-2014-9116.patch"))))) (build-system gnu-build-system) (inputs `(("cyrus-sasl" ,cyrus-sasl) diff --git a/gnu/packages/patches/mutt-CVE-2014-9116.patch b/gnu/packages/patches/mutt-CVE-2014-9116.patch new file mode 100644 index 0000000000..91e17ecbe0 --- /dev/null +++ b/gnu/packages/patches/mutt-CVE-2014-9116.patch @@ -0,0 +1,46 @@ +Fix CVE-2014-9116. Copied from Debian: + +This patch solves the issue raised by CVE-2014-9116 in bug 771125. + +We correctly redefine what are the whitespace characters as per RFC5322; by +doing so we prevent mutt_substrdup from being used in a way that could lead to +a segfault. + +The lib.c part was written by Antonio Radici to prevent +crashes due to this kind of bugs from happening again. + +The wheezy version of this patch is slightly different, therefore this patch +has -jessie prefixed in its name. + +The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as +the upstream patch reported here: +http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch + +--- a/lib.c ++++ b/lib.c +@@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin, + size_t len; + char *p; + ++ if (end != NULL && end < begin) ++ return NULL; ++ + if (end) + len = end - begin; + else +--- a/sendlib.c ++++ b/sendlib.c +@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i + { + tagbuf = mutt_substrdup (start, t); + /* skip over the colon separating the header field name and value */ +- t = skip_email_wsp(t + 1); ++ ++t; ++ ++ /* skip over any leading whitespace (WSP, as defined in RFC5322) */ ++ while (*t == ' ' || *t == '\t') ++ t++; ++ + valbuf = mutt_substrdup (t, end); + } + dprint(4,(debugfile,"mwoh: buf[%s%s] too long, " -- cgit 1.4.1