Bug#1051563: Backporting mutt patches to Debian Buster

[Chris Frey]

On Wed, Sep 20, 2023 at 02:35:30PM -0300, Santiago Ruano Rincón wrote:
> I kept the original From, tagged the Origin as backport, and kept your
> name as Author.
> Hope that makes sense for you.
> 
> Thanks a lot for your work!

I saw it percolate through the updates today.  Thanks very much!

- Chris

Bug#1051563: Backporting mutt patches to Debian Buster

[Santiago Ruano Rincón]

Hi Chris,

El 17/09/23 a las 21:56, Chris Frey escribió:
> On Sun, Sep 17, 2023 at 08:34:57PM +0300, Santiago Ruano Rincón wrote:
> > Chris, thanks for preparing the patches. Much appreciated. I have a
> > question though: Why are you placing those two patches in
> > debian-specific, and not in upstream/? They come from the upstream repo.
> 
> I only put them there because I had to modify them for a clean patch.

I consider placing them in debian-specific is a little
counter-intuitive. However, buster already contained a
debian/patches/security, and I have placed there.

> I changed the headers to make it clear that I edited them, but kept
> the original wording as well.

That is not how I interpret DEP-3. I restored the headers structure and
uploaded the package. Will send the DLA soon!

> 
> I didn't think it was right to modify the patch contents without
> changing the name of who did it.

I kept the original From, tagged the Origin as backport, and kept your
name as Author.
Hope that makes sense for you.

Thanks a lot for your work!

 -- Santiago


signature.asc
Description: PGP signature

Bug#1051563: Backporting mutt patches to Debian Buster

[Chris Frey]

On Sun, Sep 17, 2023 at 08:34:57PM +0300, Santiago Ruano Rincón wrote:
> Chris, thanks for preparing the patches. Much appreciated. I have a
> question though: Why are you placing those two patches in
> debian-specific, and not in upstream/? They come from the upstream repo.

I only put them there because I had to modify them for a clean patch.
I changed the headers to make it clear that I edited them, but kept
the original wording as well.

I didn't think it was right to modify the patch contents without
changing the name of who did it.

- Chris

Bug#1051563: Backporting mutt patches to Debian Buster

[Santiago Ruano Rincón]

hi!

El 16/09/23 a las 15:44, Utkarsh Gupta escribió:
> Hi Chris,
> 
> On Fri, Sep 15, 2023 at 8:09 PM Chris Frey  wrote:
> > Attached is a patch that applies to the unpackaged sources of Debian 
> > Buster's
> > version of mutt 1.10.
> >
> > It includes 3 patches:
> >
> > upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
> > debian-specific/Check-for-NULL-userhdrs.patch
> > debian-specific/Fix-write_one_header-illegal-header-check.patch
> >
> > First one applied from Bullseye.  The other two I modified slightly
> > to match the older sources.
> 
> Many thanks, as usual. I'll look into it and let you know if we hit a
> bump backporting it.

Utkarsh, I have claimed mutt in both {d,e}la-needed, and started to work
preparing the repo. I am also OK if you want to finish the work.

Chris, thanks for preparing the patches. Much appreciated. I have a
question though: Why are you placing those two patches in
debian-specific, and not in upstream/? They come from the upstream repo.

Cheers!

 -- Santiago


signature.asc
Description: PGP signature

Bug#1051563: Backporting mutt patches to Debian Buster

[Utkarsh Gupta]

Hi Chris,

On Fri, Sep 15, 2023 at 8:09 PM Chris Frey  wrote:
> Attached is a patch that applies to the unpackaged sources of Debian Buster's
> version of mutt 1.10.
>
> It includes 3 patches:
>
> upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
> debian-specific/Check-for-NULL-userhdrs.patch
> debian-specific/Fix-write_one_header-illegal-header-check.patch
>
> First one applied from Bullseye.  The other two I modified slightly
> to match the older sources.

Many thanks, as usual. I'll look into it and let you know if we hit a
bump backporting it.


- u

Bug#1051563: Backporting mutt patches to Debian Buster

[Chris Frey]

Attached is a patch that applies to the unpackaged sources of Debian Buster's
version of mutt 1.10.

It includes 3 patches:

upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
debian-specific/Check-for-NULL-userhdrs.patch
debian-specific/Fix-write_one_header-illegal-header-check.patch

First one applied from Bullseye.  The other two I modified slightly
to match the older sources.

The CVE's make mention of "specially crafted input" but I don't have
any samples to test with.  I only tested that this built on Buster and
opens mail as before.

I have not adjusted any other files but the 3 above and debian/patches/series.
Hopefully this gives a head start on making these fixes available on buster.

- Chris

diff --git a/debian/patches/debian-specific/Check-for-NULL-userhdrs.patch b/debian/patches/debian-specific/Check-for-NULL-userhdrs.patch
new file mode 100644
index 000..33f5cb5
--- /dev/null
+++ b/debian/patches/debian-specific/Check-for-NULL-userhdrs.patch
@@ -0,0 +1,56 @@
+From: Chris Frey 
+Date: Fri, 15 Sep 2023 08:41:00 -0400
+Subject: Check for NULL userhdrs.
+Bug-Debian: https://bugs.debian.org/1051563
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875
+
+The original patch from Kevin McCarthy backported to Debian buster's
+mutt version 1.10.1-2.1+deb10u6.
+
+Original summary below:
+
+ From: Kevin McCarthy 
+ Date: Mon, 4 Sep 2023 12:50:07 +0800
+ Subject: Check for NULL userhdrs.
+ Origin: https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6
+
+ When composing an email, miscellaneous extra headers are stored in a
+ userhdrs list.  Mutt first checks to ensure each header contains at
+ least a colon character, passes the entire userhdr field (name, colon,
+ and body) to the rfc2047 decoder, and safe_strdup()'s the result on
+ the userhdrs list.  An empty result would from the decode would result
+ in a NULL headers being added to list.
+
+ The previous commit removed the possibility of the decoded header
+ field being empty, but it's prudent to add a check to the strchr
+ calls, in case there is another unexpected bug resulting in one.
+
+ Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
+ crashes, giving a working example draft message, and providing the
+ stack traces for the two NULL derefences.
+ ---
+  sendlib.c | 4 ++--
+  1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sendlib.c b/sendlib.c
+index f9bf3f9..d75e66a 100644
+--- a/sendlib.c
 b/sendlib.c
+@@ -2070,7 +2070,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach,
+   /* Add any user defined headers */
+   for (; tmp; tmp = tmp->next)
+   {
+-if ((p = strchr (tmp->data, ':')))
++if ((p = strchr (NONULL (tmp->data), ':')))
+ {
+   q = p;
+ 
+@@ -2116,7 +2116,7 @@ static void encode_headers (LIST *h)
+ 
+   for (; h; h = h->next)
+   {
+-if (!(p = strchr (h->data, ':')))
++if (!(p = strchr (NONULL (h->data), ':')))
+   continue;
+ 
+ i = p - h->data;
diff --git a/debian/patches/debian-specific/Fix-write_one_header-illegal-header-check.patch b/debian/patches/debian-specific/Fix-write_one_header-illegal-header-check.patch
new file mode 100644
index 000..8806525
--- /dev/null
+++ b/debian/patches/debian-specific/Fix-write_one_header-illegal-header-check.patch
@@ -0,0 +1,46 @@
+From: Chris Frey 
+Date: Fri, 15 Sep 2023 10:09:00 -0400
+Subject: Fix write_one_header() illegal header check.
+Bug-Debian: https://bugs.debian.org/1051563
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874
+
+Backporting original patch from Kevin McCarthy to Debian Buster's
+mutt version 1.10.1-2.1+deb10u6.
+
+Original commentary included below:
+
+ From: Kevin McCarthy 
+ Date: Sun, 3 Sep 2023 14:11:48 +0800
+ Subject: Fix write_one_header() illegal header check.
+ Origin: https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0
+
+ This is another crash caused by the rfc2047 decoding bug fixed in the
+ second prior commit.
+
+ In this case, an empty header line followed by a header line starting
+ with ":", would result in t==end.
+
+ The mutt_substrdup() further below would go very badly at that point,
+ with t >= end+1.  This could result in either a memcpy onto NULL or a
+ huge malloc call.
+
+ Thanks to Chenyuan Mi (@morningbread) for giving a working example
+ draft message of the rfc2047 decoding flaw.  This allowed me, with
+ further testing, to discover this additional crash bug.
+ ---
+  sendlib.c | 2 +-
+  1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/sendlib.c b/sendlib.c
+index f9bf3f9..d821061 100644
+--- a/sendlib.c
 b/sendlib.c
+@@ -1832,7 +1832,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
+   else
+   {
+ t = strchr (start, ':');
+-if (!t || t > end)
++if (!t || t >= end)
+ {
+   dprint (1, (debugfile, "mwoh: warning: header not