kumquat-buildroot/package/mutt/0002-CVE-2021-3181-1.patch
Peter Korsgaard c1413cd94c package/mutt: add security fixes from Ubuntu for CVE-2021-3181
Fixes the following security issue:

- CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to
  cause a denial of service (mailbox unavailability) by sending email
  messages with sequences of semicolon characters in RFC822 address fields
  (aka terminators of empty groups).  A small email message from the
  attacker can cause large memory consumption, and the victim may then be
  unable to see email messages from other persons.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-29 09:30:02 +01:00

41 lines
1.3 KiB
Diff

From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 17 Jan 2021 10:40:37 -0800
Subject: [PATCH] Fix memory leak parsing group addresses without a display
name.
When there was a group address terminator with no previous
addresses (including the group display-name), an address would be
allocated but not attached to the address list.
Change this to only allocate when last exists.
It would be more correct to not allocate at all unless we are inside a
group list, but I will address that in a separate commit to master.
[Retrieved from:
https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-1.patch?h=import/1.14.6-1ubuntu0.2]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
rfc822.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
Index: mutt-1.14.6/rfc822.c
===================================================================
--- mutt-1.14.6.orig/rfc822.c
+++ mutt-1.14.6/rfc822.c
@@ -491,11 +491,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
#endif
/* add group terminator */
- cur = rfc822_new_address ();
if (last)
{
- last->next = cur;
- last = cur;
+ last->next = rfc822_new_address ();
+ last = last->next;
}
phraselen = 0;