No commits in common. 'i9c-beta' and 'c9' have entirely different histories.
@ -1,41 +0,0 @@
From 96610c6cfa796dc15c5afcf0fd9f9b75869827fe Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 12:22:01 +0800
Subject: [PATCH] Fix rfc2047 base64 decoding to abort on illegal characters.
For some reason, the rfc2047 base64 decoder ignored illegal
characters, instead of aborting. This seems innocuous, but in fact
leads to at least three crash-bugs elsewhere in Mutt.
These stem from Mutt, in some cases, passing an entire header
field (name, colon, and body) to the rfc2047 decoder. (It is
technically incorrect to do so, by the way, but is beyond scope for
these fixes in stable). Mutt then assumes the result can't be empty
because of a previous check that the header contains at least a colon.
This commit takes care of the source of the crashes, by aborting the
rfc2047 decode. The following two commits add protective fixes to the
specific crash points.
Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
crashes, giving a working example draft message, and providing the
stack traces for the two NULL dereferences.
(cherry picked from commit 452ee330e094bfc7c9a68555e5152b1826534555)
---
rfc2047.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfc2047.c b/rfc2047.c
index 1ce82ebb..36cc76db 100644
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
if (*pp == '=')
break;
if ((*pp & ~127) || (c = base64val(*pp)) == -1)
- continue;
+ goto error_out_0;
if (k + 6 >= 8)
{
k -= 2;
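Review bot: The new `goto error_out_0` turns the base64 branch from lenient to strict without a comment saying why, so a later reader may "restore" the RFC 2045 §6.8 behaviour of ignoring non-alphabet bytes and reintroduce the empty-result condition the description blames for the downstream crashes. Suggest a comment above the check: `/* Reject, don't skip, non-alphabet bytes: RFC 2047 encoded-words permit only the base64 alphabet, and a lenient decode can yield an empty result that callers assume is non-empty. */`. A regression test feeding an encoded-word containing an out-of-alphabet byte and asserting the decode fails would pin the behaviour. rfc2047_decode_word starts and ends outside the hunk, so what error_out_0 leaves in `d` for the caller is not visible here.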
@ -1,37 +0,0 @@
From d75eaee07138aa661b5c8b49242d20ba95894efb Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 14:11:48 +0800
Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.
In this case, an empty header line followed by a header line starting
with ":", would result in t==end.
The mutt_substrdup() further below would go very badly at that point,
with t >= end+1. This could result in either a memcpy onto NULL or a
huge malloc call.
Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw. This allowed me, with
further testing, to discover this additional crash bug.
(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
---
sendlib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sendlib.c b/sendlib.c
index b0b94b4f..7d2feb62 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2121,7 +2121,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
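Review bot: The `t >= end` comparison now rejects the t == end case, but `t = strchr (start, ':')` is still not bounded by `end`: it scans to the NUL terminator, so a colon in a later header line is found first and only the pointer comparison afterwards rejects it. Bounding the search to the field makes the length limit explicit and drops the reliance on comparing pointers after the fact: `t = memchr (start, ':', (size_t)(end - start));` followed by `if (!t)`, which covers both the missing-colon and the t >= end cases, assuming end is never before start (the original `t > end` test already presumed that). write_one_header's signature and the remainder of its body, including the mutt_substrdup() the description mentions, are outside the hunk.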
@ -1,47 +0,0 @@
From d9e00fa1a7c0f30529d71d818a4e1518f1537053 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Mon, 4 Sep 2023 12:50:07 +0800
Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
When composing an email, miscellaneous extra headers are stored in a
userhdrs list. Mutt first checks to ensure each header contains at
least a colon character, passes the entire userhdr field (name, colon,
and body) to the rfc2047 decoder, and safe_strdup()'s the result on
the userhdrs list. An empty result from the decode would result
in a NULL headers being added to list.
The previous commit removed the possibility of the decoded header
field being empty, but it's prudent to add a check to the strchr
calls, in case there is another unexpected bug resulting in one.
Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
crashes, giving a working example draft message, and providing the
stack traces for the two NULL derefences.
(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
---
sendlib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sendlib.c b/sendlib.c
index 7d2feb62..ed4d7a25 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2409,7 +2409,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
/* Add any user defined headers */
for (; tmp; tmp = tmp->next)
{
- if ((p = strchr (tmp->data, ':')))
+ if ((p = strchr (NONULL (tmp->data), ':')))
{
q = p;
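Review bot: `NONULL (tmp->data)` stops strchr from dereferencing a NULL list entry, but nothing at the call site says how a NULL gets onto the list, so the guard reads as arbitrary; the same applies to the `NONULL (h->data)` change in the encode_headers hunk below, where the subsequent `i = p - h->data;` is only safe because the empty-string case takes the `continue`. Suggest a comment on each added line: `/* data may be NULL if a user header decoded to an empty result; treat it as having no colon */`. NONULL presumably substitutes an empty string (inferred from its name, not visible here), so both hunks fall into their no-colon path rather than dereferencing. The more robust fix, if reachable, is to never append a node with NULL data where the userhdrs list is built from the decode result, which is outside these hunks; both enclosing functions start before and end after their hunks.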
@@ -2457,7 +2457,7 @@ static void encode_headers (LIST *h)
for (; h; h = h->next)
{
- if (!(p = strchr (h->data, ':')))
+ if (!(p = strchr (NONULL (h->data), ':')))
continue;
i = p - h->data;