summary refs log tree commit diff
path: root/gnu/packages/patches/mutt-CVE-2014-9116.patch
blob: 91e17ecbe020c8a078fd180c8838e09014b34e98 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Fix CVE-2014-9116.  Copied from Debian:

This patch solves the issue raised by CVE-2014-9116 in bug 771125.

We correctly redefine what are the whitespace characters as per RFC5322; by
doing so we prevent mutt_substrdup from being used in a way that could lead to
a segfault.

The lib.c part was written by Antonio Radici <antonio@debian.org> to prevent
crashes due to this kind of bugs from happening again.

The wheezy version of this patch is slightly different, therefore this patch
has -jessie prefixed in its name.

The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as
the upstream patch reported here:
http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch

--- a/lib.c
+++ b/lib.c
@@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin,
   size_t len;
   char *p;
 
+  if (end != NULL && end < begin)
+    return NULL;
+
   if (end)
     len = end - begin;
   else
--- a/sendlib.c
+++ b/sendlib.c
@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i
     {
       tagbuf = mutt_substrdup (start, t);
       /* skip over the colon separating the header field name and value */
-      t = skip_email_wsp(t + 1);
+      ++t;
+
+      /* skip over any leading whitespace (WSP, as defined in RFC5322) */
+      while (*t == ' ' || *t == '\t')
+        t++;
+
       valbuf = mutt_substrdup (t, end);
     }
     dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "