guix-play/gnu/packages/patches/mutt-CVE-2014-9116.patch
Mark H Weaver 63d526e268 gnu: mutt: Add fix for CVE-2014-9116.
* gnu/packages/patches/mutt-CVE-2014-9116.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/mail.scm (mutt): Add patch.
2014-12-30 15:18:37 -05:00

47 lines
1.4 KiB
Diff

Fix CVE-2014-9116. Copied from Debian:
This patch solves the issue raised by CVE-2014-9116 in bug 771125.
We correctly redefine what are the whitespace characters as per RFC5322; by
doing so we prevent mutt_substrdup from being used in a way that could lead to
a segfault.
The lib.c part was written by Antonio Radici <antonio@debian.org> to prevent
crashes due to this kind of bugs from happening again.
The wheezy version of this patch is slightly different, therefore this patch
has -jessie prefixed in its name.
The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as
the upstream patch reported here:
http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch
--- a/lib.c
+++ b/lib.c
@@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin,
size_t len;
char *p;
+ if (end != NULL && end < begin)
+ return NULL;
+
if (end)
len = end - begin;
else
--- a/sendlib.c
+++ b/sendlib.c
@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i
{
tagbuf = mutt_substrdup (start, t);
/* skip over the colon separating the header field name and value */
- t = skip_email_wsp(t + 1);
+ ++t;
+
+ /* skip over any leading whitespace (WSP, as defined in RFC5322) */
+ while (*t == ' ' || *t == '\t')
+ t++;
+
valbuf = mutt_substrdup (t, end);
}
dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "