MSVSphere Packaging Team
9 months ago
commit
43884a86e9
@ -0,0 +1 @@
|
||||
SOURCES/mutt-2.2.6.tar.gz
|
||||
@ -0,0 +1 @@
|
||||
3dabf53ea1a45e67fe77a5072bb4c104afb2ad1e SOURCES/mutt-2.2.6.tar.gz
|
||||
@ -0,0 +1,41 @@
|
||||
From 96610c6cfa796dc15c5afcf0fd9f9b75869827fe Mon Sep 17 00:00:00 2001
|
||||
From: Kevin McCarthy <kevin@8t8.us>
|
||||
Date: Sun, 3 Sep 2023 12:22:01 +0800
|
||||
Subject: [PATCH] Fix rfc2047 base64 decoding to abort on illegal characters.
|
||||
|
||||
For some reason, the rfc2047 base64 decoder ignored illegal
|
||||
characters, instead of aborting. This seems innocuous, but in fact
|
||||
leads to at least three crash-bugs elsewhere in Mutt.
|
||||
|
||||
These stem from Mutt, in some cases, passing an entire header
|
||||
field (name, colon, and body) to the rfc2047 decoder. (It is
|
||||
technically incorrect to do so, by the way, but is beyond scope for
|
||||
these fixes in stable). Mutt then assumes the result can't be empty
|
||||
because of a previous check that the header contains at least a colon.
|
||||
|
||||
This commit takes care of the source of the crashes, by aborting the
|
||||
rfc2047 decode. The following two commits add protective fixes to the
|
||||
specific crash points.
|
||||
|
||||
Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
|
||||
crashes, giving a working example draft message, and providing the
|
||||
stack traces for the two NULL derefences.
|
||||
|
||||
(cherry picked from commit 452ee330e094bfc7c9a68555e5152b1826534555)
|
||||
---
|
||||
rfc2047.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/rfc2047.c b/rfc2047.c
|
||||
index 1ce82ebb..36cc76db 100644
|
||||
--- a/rfc2047.c
|
||||
+++ b/rfc2047.c
|
||||
@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
|
||||
if (*pp == '=')
|
||||
break;
|
||||
if ((*pp & ~127) || (c = base64val(*pp)) == -1)
|
||||
- continue;
|
||||
+ goto error_out_0;
|
||||
if (k + 6 >= 8)
|
||||
{
|
||||
k -= 2;
|
||||
@ -0,0 +1,37 @@
|
||||
From d75eaee07138aa661b5c8b49242d20ba95894efb Mon Sep 17 00:00:00 2001
|
||||
From: Kevin McCarthy <kevin@8t8.us>
|
||||
Date: Sun, 3 Sep 2023 14:11:48 +0800
|
||||
Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
|
||||
|
||||
This is another crash caused by the rfc2047 decoding bug fixed in the
|
||||
second prior commit.
|
||||
|
||||
In this case, an empty header line followed by a header line starting
|
||||
with ":", would result in t==end.
|
||||
|
||||
The mutt_substrdup() further below would go very badly at that point,
|
||||
with t >= end+1. This could result in either a memcpy onto NULL or a
|
||||
huge malloc call.
|
||||
|
||||
Thanks to Chenyuan Mi (@morningbread) for giving a working example
|
||||
draft message of the rfc2047 decoding flaw. This allowed me, with
|
||||
further testing, to discover this additional crash bug.
|
||||
|
||||
(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
|
||||
---
|
||||
sendlib.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sendlib.c b/sendlib.c
|
||||
index b0b94b4f..7d2feb62 100644
|
||||
--- a/sendlib.c
|
||||
+++ b/sendlib.c
|
||||
@@ -2121,7 +2121,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
|
||||
else
|
||||
{
|
||||
t = strchr (start, ':');
|
||||
- if (!t || t > end)
|
||||
+ if (!t || t >= end)
|
||||
{
|
||||
dprint (1, (debugfile, "mwoh: warning: header not in "
|
||||
"'key: value' format!\n"));
|
||||
@ -0,0 +1,47 @@
|
||||
From d9e00fa1a7c0f30529d71d818a4e1518f1537053 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin McCarthy <kevin@8t8.us>
|
||||
Date: Mon, 4 Sep 2023 12:50:07 +0800
|
||||
Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
|
||||
|
||||
When composing an email, miscellaneous extra headers are stored in a
|
||||
userhdrs list. Mutt first checks to ensure each header contains at
|
||||
least a colon character, passes the entire userhdr field (name, colon,
|
||||
and body) to the rfc2047 decoder, and safe_strdup()'s the result on
|
||||
the userhdrs list. An empty result would from the decode would result
|
||||
in a NULL headers being added to list.
|
||||
|
||||
The previous commit removed the possibility of the decoded header
|
||||
field being empty, but it's prudent to add a check to the strchr
|
||||
calls, in case there is another unexpected bug resulting in one.
|
||||
|
||||
Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
|
||||
crashes, giving a working example draft message, and providing the
|
||||
stack traces for the two NULL derefences.
|
||||
|
||||
(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
|
||||
---
|
||||
sendlib.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/sendlib.c b/sendlib.c
|
||||
index 7d2feb62..ed4d7a25 100644
|
||||
--- a/sendlib.c
|
||||
+++ b/sendlib.c
|
||||
@@ -2409,7 +2409,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
|
||||
/* Add any user defined headers */
|
||||
for (; tmp; tmp = tmp->next)
|
||||
{
|
||||
- if ((p = strchr (tmp->data, ':')))
|
||||
+ if ((p = strchr (NONULL (tmp->data), ':')))
|
||||
{
|
||||
q = p;
|
||||
|
||||
@@ -2457,7 +2457,7 @@ static void encode_headers (LIST *h)
|
||||
|
||||
for (; h; h = h->next)
|
||||
{
|
||||
- if (!(p = strchr (h->data, ':')))
|
||||
+ if (!(p = strchr (NONULL (h->data), ':')))
|
||||
continue;
|
||||
|
||||
i = p - h->data;
|
||||
@ -0,0 +1,21 @@
|
||||
diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head
|
||||
--- mutt-1.8.0.orig/doc/Muttrc.head 2017-02-25 15:28:22.120997474 +0000
|
||||
+++ mutt-1.8.0/doc/Muttrc.head 2017-02-25 15:30:10.643079681 +0000
|
||||
@@ -24,13 +24,17 @@
|
||||
|
||||
# Show documentation when pressing F1
|
||||
macro generic,pager <F1> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
|
||||
+# and also F2, as some terminals use F1
|
||||
+macro generic,pager <F2> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
|
||||
|
||||
# show the incoming mailboxes list (just like "mutt -y") and back when pressing "y"
|
||||
# note: these macros have been subsumed by the <browse-mailboxes> function.
|
||||
# macro index y "<change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
|
||||
# macro pager y "<exit><change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
|
||||
bind browser y exit
|
||||
|
||||
+bind editor <delete> delete-char
|
||||
+
|
||||
# Handler for gzip compressed mailboxes
|
||||
# open-hook '\.gz$' "gzip -cd '%f' > '%t'"
|
||||
# close-hook '\.gz$' "gzip -c '%t' > '%f'"
|
||||
@ -0,0 +1,12 @@
|
||||
diff -up mutt-1.12.1/init.h.optusegpgagent mutt-1.12.1/init.h
|
||||
--- mutt-1.12.1/init.h.optusegpgagent 2019-08-29 09:29:38.868810511 +0200
|
||||
+++ mutt-1.12.1/init.h 2019-08-29 09:30:29.899395370 +0200
|
||||
@@ -2444,7 +2444,7 @@ struct option_t MuttVars[] = {
|
||||
** not used.
|
||||
** (PGP only)
|
||||
*/
|
||||
- { "pgp_use_gpg_agent", DT_BOOL, R_NONE, {.l=OPTUSEGPGAGENT}, {.l=1} },
|
||||
+ { "pgp_use_gpg_agent", DT_BOOL, R_NONE, {.l=OPTUSEGPGAGENT}, {.l=0} },
|
||||
/*
|
||||
** .pp
|
||||
** If \fIset\fP, mutt expects a \fCgpg-agent(1)\fP process will handle
|
||||
@ -0,0 +1,12 @@
|
||||
diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95-new/init.h
|
||||
--- mutt-17a4f92e4a95-orig/init.h 2015-06-07 22:59:32.000000000 +0200
|
||||
+++ mutt-17a4f92e4a95-new/init.h 2015-06-25 15:28:56.095570332 +0200
|
||||
@@ -2989,7 +2989,7 @@ struct option_t MuttVars[] = {
|
||||
*/
|
||||
#if defined(USE_SSL)
|
||||
# ifdef USE_SSL_GNUTLS
|
||||
- { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p=0} },
|
||||
+ { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p="/etc/ssl/certs/ca-bundle.crt"} },
|
||||
/*
|
||||
** .pp
|
||||
** This variable specifies a file containing trusted CA certificates.
|
||||
@ -0,0 +1,12 @@
|
||||
diff -ur mutt-1.7.0-orig/imap/imap.c mutt-1.7.0/imap/imap.c
|
||||
--- mutt-1.7.0-orig/imap/imap.c 2016-08-20 11:06:26.266272415 +0100
|
||||
+++ mutt-1.7.0/imap/imap.c 2016-08-20 11:07:42.874509429 +0100
|
||||
@@ -1143,7 +1143,7 @@
|
||||
if (!idata->ctx)
|
||||
return -1;
|
||||
|
||||
- if (!mutt_bit_isset (idata->ctx->rights, right))
|
||||
+ if (!idata->ctx || !mutt_bit_isset (idata->ctx->rights, right))
|
||||
return 0;
|
||||
|
||||
if (right == MUTT_ACL_WRITE && !imap_has_flag (idata->flags, name))
|
||||
@ -0,0 +1,28 @@
|
||||
diff -ur mutt-1.8.0.orig/contrib/Makefile.am mutt-1.8.0/contrib/Makefile.am
|
||||
--- mutt-1.8.0.orig/contrib/Makefile.am 2017-02-25 15:28:22.124997366 +0000
|
||||
+++ mutt-1.8.0/contrib/Makefile.am 2017-02-25 15:48:10.834036861 +0000
|
||||
@@ -6,7 +6,7 @@
|
||||
sample.mailcap sample.muttrc sample.muttrc-sidebar sample.muttrc-tlr \
|
||||
sample.muttrc-compress sample.muttrc-starter \
|
||||
sample.vimrc-sidebar colors.default colors.linux smime.rc \
|
||||
- ca-bundle.crt smime_keys_test.pl mutt_xtitle markdown2html \
|
||||
+ smime_keys_test.pl mutt_xtitle markdown2html \
|
||||
bgedit-detectgui.sh bgedit-screen-tmux.sh \
|
||||
mutt_oauth2.py mutt_oauth2.py.README
|
||||
|
||||
diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt
|
||||
--- mutt-1.8.0.orig/doc/smime-notes.txt 2017-02-25 15:28:22.119997501 +0000
|
||||
+++ mutt-1.8.0/doc/smime-notes.txt 2017-02-25 16:06:38.986242390 +0000
|
||||
@@ -40,8 +40,10 @@
|
||||
- Edit the smime_sign_as line in your muttrc, replacing the keyid with your
|
||||
own.
|
||||
|
||||
-- You probably want to import the trusted roots in
|
||||
- contrib/ca-bundle.crt. This makes you trust anything that was ultimately
|
||||
+- There is no more ca-bundle.crt file with the trusted roots to import shipped
|
||||
+ in mutt. The upstream file is out-dated and user is encouraged to use
|
||||
+ ca-bundle.crt from ca-certificate package.
|
||||
+ This makes you trust anything that was ultimately
|
||||
signed by one of them. You can use "smime_keys add_root" to do so, or
|
||||
just copy ca-bundle.crt into the place you point mutt's smime_ca_location
|
||||
variable to.
|
||||
@ -0,0 +1,32 @@
|
||||
diff -ur mutt-1.9.0.orig/init.h mutt-1.9.0/init.h
|
||||
--- mutt-1.9.0.orig/init.h 2017-09-04 16:48:21.409528002 +0200
|
||||
+++ mutt-1.9.0/init.h 2017-09-04 16:49:26.505093636 +0200
|
||||
@@ -3510,7 +3510,7 @@
|
||||
*/
|
||||
# endif /* defined HAVE_SSL_PARTIAL_CHAIN */
|
||||
# endif /* defined USE_SSL_OPENSSL */
|
||||
- { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p=0} },
|
||||
+ { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p="@SYSTEM"} },
|
||||
/*
|
||||
** .pp
|
||||
** Contains a colon-separated list of ciphers to use when using SSL.
|
||||
diff -ur mutt-1.9.0.orig/mutt_ssl_gnutls.c mutt-1.9.0/mutt_ssl_gnutls.c
|
||||
--- mutt-1.9.0.orig/mutt_ssl_gnutls.c 2017-09-04 16:48:21.403528134 +0200
|
||||
+++ mutt-1.9.0/mutt_ssl_gnutls.c 2017-09-04 16:51:16.081679141 +0200
|
||||
@@ -286,6 +286,8 @@
|
||||
else
|
||||
mutt_buffer_strcpy (priority, "NORMAL");
|
||||
|
||||
+if (SslCiphers && strcmp(SslCiphers, "@SYSTEM"))
|
||||
+{
|
||||
if (!option (OPTTLSV1_3))
|
||||
{
|
||||
nproto--;
|
||||
@@ -313,6 +315,7 @@
|
||||
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
|
||||
goto cleanup;
|
||||
}
|
||||
+}
|
||||
|
||||
if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0)
|
||||
{
|
||||
@ -0,0 +1,12 @@
|
||||
diff -up mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes mutt-1.9.1/doc/Makefile.am
|
||||
--- mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes 2018-04-12 15:30:14.881812698 +0200
|
||||
+++ mutt-1.9.1/doc/Makefile.am 2018-04-12 15:30:25.632968018 +0200
|
||||
@@ -109,7 +109,7 @@ uninstall-local:
|
||||
|
||||
check:
|
||||
manual.txt: manual.html
|
||||
- -LC_ALL=C lynx -localhost -dump -nolist -nonumbers -with_backspaces -display_charset=us-ascii manual.html > $@ || \
|
||||
+ -LC_ALL=C lynx -localhost -dump -nolist -display_charset=us-ascii manual.html > $@ || \
|
||||
LC_ALL=C w3m -T text/html -I utf-8 -O utf-8 -dump < manual.html > $@ || \
|
||||
LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@
|
||||
|
||||
@ -0,0 +1,43 @@
|
||||
diff -up mutt-1.10.0/configure.ac.nodotlock mutt-1.10.0/configure.ac
|
||||
--- mutt-1.10.0/configure.ac.nodotlock 2018-05-14 23:51:53.000000000 +0200
|
||||
+++ mutt-1.10.0/configure.ac 2018-05-23 15:09:21.186613968 +0200
|
||||
@@ -528,9 +528,7 @@ int main (int argc, char **argv)
|
||||
}]])],[mutt_cv_worldwrite=yes],[mutt_cv_worldwrite=no],[mutt_cv_worldwrite=no])])
|
||||
|
||||
mutt_cv_setgid=no
|
||||
- if test $mutt_cv_worldwrite = yes; then
|
||||
- AC_DEFINE(USE_DOTLOCK,1,[ Define to use dotlocking for mailboxes. ])
|
||||
- else
|
||||
+ if test $mutt_cv_worldwrite != yes; then
|
||||
|
||||
AC_CACHE_CHECK(if $mutt_cv_mailpath is group writable, mutt_cv_groupwrite, [AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
@@ -546,7 +544,6 @@ int main (int argc, char **argv)
|
||||
}]])],[mutt_cv_groupwrite=yes],[mutt_cv_groupwrite=no],[mutt_cv_groupwrite=no])])
|
||||
|
||||
if test $mutt_cv_groupwrite = yes; then
|
||||
- AC_DEFINE(USE_DOTLOCK,1,[ Define to use dotlocking for mailboxes. ])
|
||||
AC_DEFINE(USE_SETGID,1,[ Define if mutt should run setgid "mail". ])
|
||||
mutt_cv_setgid=yes
|
||||
fi
|
||||
diff -up mutt-1.10.0/Makefile.am.nodotlock mutt-1.10.0/Makefile.am
|
||||
--- mutt-1.10.0/Makefile.am.nodotlock 2018-05-23 15:11:05.477977659 +0200
|
||||
+++ mutt-1.10.0/Makefile.am 2018-05-23 15:11:20.252170843 +0200
|
||||
@@ -154,17 +154,6 @@ hcversion.h: $(srcdir)/mutt.h $(srcdir)/
|
||||
patchlist.c: $(srcdir)/PATCHES $(srcdir)/patchlist.sh
|
||||
$(srcdir)/patchlist.sh < $(srcdir)/PATCHES > patchlist.c
|
||||
|
||||
-install-exec-hook:
|
||||
- if test -f $(DESTDIR)$(bindir)/mutt.dotlock && test -f $(DESTDIR)$(bindir)/mutt_dotlock ; then \
|
||||
- rm -f $(DESTDIR)$(bindir)/mutt.dotlock ; \
|
||||
- ln -sf $(DESTDIR)$(bindir)/mutt_dotlock $(DESTDIR)$(bindir)/mutt.dotlock ; \
|
||||
- fi
|
||||
- if test -f $(DESTDIR)$(bindir)/mutt_dotlock && test x$(DOTLOCK_GROUP) != x ; then \
|
||||
- chgrp $(DOTLOCK_GROUP) $(DESTDIR)$(bindir)/mutt_dotlock && \
|
||||
- chmod $(DOTLOCK_PERMISSION) $(DESTDIR)$(bindir)/mutt_dotlock || \
|
||||
- { echo "Can't fix mutt_dotlock's permissions! This is required to lock mailboxes in the mail spool directory." >&2 ; exit 1 ; } \
|
||||
- fi
|
||||
-
|
||||
install-data-local:
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
$(INSTALL) -m 644 $(srcdir)/mime.types $(DESTDIR)$(sysconfdir)/mime.types.dist
|
||||
@ -0,0 +1,42 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Last modified: 30 October 2000
|
||||
#
|
||||
|
||||
FLAGS=
|
||||
|
||||
# Create two temporary files.
|
||||
umask 077
|
||||
TMPFILE=`mktemp /tmp/mutt.ldap.XXXXXX`
|
||||
RESULTS=`mktemp /tmp/mutt.ldap.XXXXXX`
|
||||
|
||||
if [ -n "$LDAPSERVER" ]; then
|
||||
FLAGS="$FLAGS -h $LDAPSERVER"
|
||||
fi
|
||||
if [ -n "$LDAPBASEDN" ]; then
|
||||
FLAGS="$FLAGS -b $LDAPBASEDN"
|
||||
fi
|
||||
|
||||
# Search.
|
||||
ldapsearch $FLAGS '(&(objectclass=inetorgperson)(|(cn='"$1"'*)(givenname='"$1"'*)(surname='"$1"'*)(mail='"$1"'*)))' mail cn roomNumber 2> /dev/null >> $TMPFILE
|
||||
ldapsearch -x $FLAGS '(&(objectclass=inetorgperson)(|(cn='"$1"'*)(givenname='"$1"'*)(surname='"$1"'*)(mail='"$1"'*)))' mail cn roomNumber 2> /dev/null >> $TMPFILE
|
||||
|
||||
# Parse.
|
||||
cat $TMPFILE | awk '
|
||||
/^mail:/ {MAIL=substr($0,6)}
|
||||
/^cn:/ {NAME=substr($0,4)}
|
||||
/^roomNumber:/ {ROOM=substr($0,12)}
|
||||
/^$/ { MAIL=gensub("^ *| *$","","g",MAIL) }
|
||||
/^$/ { NAME=gensub("^ *| *$","","g",NAME) }
|
||||
/^$/ { ROOM=gensub("^ *| *$","","g",ROOM) }
|
||||
/^$/ { if(length(NAME) > 0) print MAIL "\t" NAME "\t" ROOM}
|
||||
/^$/ { NAME = "" }
|
||||
' > $RESULTS
|
||||
|
||||
# Sort and present results.
|
||||
sort -u $RESULTS > $TMPFILE
|
||||
echo Querying ${LDAPSERVER}.... `cat $TMPFILE | wc -l` entries found.
|
||||
cat $TMPFILE
|
||||
|
||||
# Clean up.
|
||||
rm -f $TMPFILE $RESULTS
|
||||
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue