44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
|
This patch solves the issue raised by CVE-2014-9116 in bug 771125.
|
||
|
|
|
||
|
|
We correctly redefine what are the whitespace characters as per RFC5322; by
|
||
|
|
doing so we prevent mutt_substrdup from being used in a way that could lead to
|
||
|
|
a segfault.
|
||
|
|
|
||
|
|
The lib.c part was written by Antonio Radici <antonio@debian.org> to prevent
|
||
|
|
crashes due to this kind of bugs from happening again.
|
||
|
|
|
||
|
|
The wheezy version of this patch is slightly different, therefore this patch
|
||
|
|
has -jessie prefixed in its name.
|
||
|
|
|
||
|
|
Index: mutt/lib.c
|
||
|
|
===================================================================
|
||
|
|
--- mutt/lib.c
|
||
|
|
+++ mutt/lib.c
|
||
|
|
@@ -819,6 +819,9 @@ char *mutt_substrdup (const char *begin,
|
||
|
|
size_t len;
|
||
|
|
char *p;
|
||
|
|
|
||
|
|
+ if (end != NULL && end < begin)
|
||
|
|
+ return NULL;
|
||
|
|
+
|
||
|
|
if (end)
|
||
|
|
len = end - begin;
|
||
|
|
else
|
||
|
|
Index: mutt/sendlib.c
|
||
|
|
===================================================================
|
||
|
|
--- mutt/sendlib.c
|
||
|
|
+++ mutt/sendlib.c
|
||
|
|
@@ -1814,7 +1814,11 @@ static int write_one_header (FILE *fp, i
|
||
|
|
{
|
||
|
|
tagbuf = mutt_substrdup (start, t);
|
||
|
|
++t; /* skip over the colon separating the header field name and value */
|
||
|
|
- SKIPWS(t); /* skip over any leading whitespace */
|
||
|
|
+
|
||
|
|
+ /* skip over any leading whitespace (WSP, as defined in RFC5322) */
|
||
|
|
+ while (*t == ' ' || *t == '\t')
|
||
|
|
+ t++;
|
||
|
|
+
|
||
|
|
valbuf = mutt_substrdup (t, end);
|
||
|
|
}
|
||
|
|
dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
|