c1413cd94c
Fixes the following security issue:

- CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
31 lines
974 B
Diff
From d4305208955c5cdd9fe96dfa61e7c1e14e176a14 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 17 Jan 2021 11:05:36 -0800
Subject: [PATCH] Add group terminator if it is left off.

If there is no terminating ";" add one to the list, to make the text
re-rendering correct.

[Retrieved from:
https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-3.patch?h=import/1.14.6-1ubuntu0.2]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
rfc822.c | 4 ++++
1 file changed, 4 insertions(+)

Index: mutt-1.14.6/rfc822.c
===================================================================
--- mutt-1.14.6.orig/rfc822.c
+++ mutt-1.14.6/rfc822.c
@@ -560,6 +560,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
last->val = mutt_substrdup (begin, s - nl < begin ? begin : s - nl);
#endif
+ /* add group terminator, if it was left off */
+ if (last && in_group)
+ last->next = rfc822_new_address ();
+
return top;
}
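Review bot: the comment on the added `if (last && in_group)` block should state why a bare `rfc822_new_address ()` node counts as the group terminator, because the hunk sets no field on the new node and nothing in these lines shows how the renderer recognises it; a wording such as "an ADDRESS with no mailbox and no group flag ends the group" would do, if that is the convention in this file. `last` is also not advanced to the appended node, which is harmless only because `return top;` follows immediately, so a short remark to that effect would guard against code later being inserted between the two statements. Separately, the retrieved file is named CVE-2021-3181-3.patch and this hunk only appends a terminator node, so the packaging commit message should name the other patches of the series that it relies on for the memory-consumption fix described in the CVE text.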