package/mutt: add security fixes from Ubuntu for CVE-2021-3181

Fixes the following security issue: - CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-28 21:49:40 +01:00 · 2021-01-28 21:49:40 +01:00 · c1413cd94c
commit c1413cd94c
parent 1fe19f1478
4 changed files with 128 additions and 0 deletions
--- a/package/mutt/0002-CVE-2021-3181-1.patch
+++ b/package/mutt/0002-CVE-2021-3181-1.patch
@ -0,0 +1,40 @@
+From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 10:40:37 -0800
+Subject: [PATCH] Fix memory leak parsing group addresses without a display
+ name.
+
+When there was a group address terminator with no previous
+addresses (including the group display-name), an address would be
+allocated but not attached to the address list.
+
+Change this to only allocate when last exists.
+
+It would be more correct to not allocate at all unless we are inside a
+group list, but I will address that in a separate commit to master.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-1.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ rfc822.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
+++ mutt-1.14.6/rfc822.c
+@@ -491,11 +491,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ #endif
+ 
+       /* add group terminator */
+-      cur = rfc822_new_address ();
+       if (last)
+       {
+-	last->next = cur;
+-	last = cur;
+	last->next = rfc822_new_address ();
+	last = last->next;
+       }
+ 
+       phraselen = 0;
--- a/package/mutt/0003-CVE-2021-3181-2.patch
+++ b/package/mutt/0003-CVE-2021-3181-2.patch
@ -0,0 +1,53 @@
+From 939b02b33ae29bc0d642570c1dcfd4b339037d19 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 10:53:19 -0800
+Subject: [PATCH] Don't allocate a group terminator unless we are in a
+ group-list.
+
+This will reduce memory allocation for garbage/spam address lists.
+
+It also makes no sense to store a terminator when there wasn't a
+display-name indicating the start of a group.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-2.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ rfc822.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
+++ mutt-1.14.6/rfc822.c
+@@ -378,7 +378,7 @@ add_addrspec (ADDRESS **top, ADDRESS **l
+ 
+ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
+ {
+-  int ws_pending, nl;
+  int ws_pending, nl, in_group = 0;
+ #ifdef EXACT_ADDRESS
+   const char *begin;
+ #endif
+@@ -455,6 +455,7 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+       terminate_buffer (phrase, phraselen);
+       cur->mailbox = safe_strdup (phrase);
+       cur->group = 1;
+      in_group = 1;
+ 
+       if (last)
+ 	last->next = cur;
+@@ -491,11 +492,12 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ #endif
+ 
+       /* add group terminator */
+-      if (last)
+      if (last && in_group)
+       {
+ 	last->next = rfc822_new_address ();
+ 	last = last->next;
+       }
+      in_group = 0;
+ 
+       phraselen = 0;
+       commentlen = 0;
--- a/package/mutt/0004-CVE-2021-3181-3.patch
+++ b/package/mutt/0004-CVE-2021-3181-3.patch
@ -0,0 +1,30 @@
+From d4305208955c5cdd9fe96dfa61e7c1e14e176a14 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 11:05:36 -0800
+Subject: [PATCH] Add group terminator if it is left off.
+
+If there is no terminating ";" add one to the list, to make the text
+re-rendering correct.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-3.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ rfc822.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
+++ mutt-1.14.6/rfc822.c
+@@ -560,6 +560,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+     last->val = mutt_substrdup (begin, s - nl < begin ? begin : s - nl);
+ #endif
+ 
+  /* add group terminator, if it was left off */
+  if (last && in_group)
+    last->next = rfc822_new_address ();
+
+   return top;
+ }
+ 
--- a/package/mutt/mutt.mk
+++ b/package/mutt/mutt.mk
@ -15,6 +15,11 @@ MUTT_CONF_OPTS = --disable-doc --disable-smtp
 # 0001-Ensure-IMAP-connection-is-closed-after-a-connection-error.patch
 MUTT_IGNORE_CVES += CVE-2020-28896

+# 0002-CVE-2021-3181-1.patch
+# 0003-CVE-2021-3181-2.patch
+# 0004-CVE-2021-3181-3.patch
+MUTT_IGNORE_CVES += CVE-2021-3181
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 MUTT_DEPENDENCIES += libiconv
 MUTT_CONF_OPTS += --enable-iconv