Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mutt

This version includes a better patch for the mutt CVE which does not compromise the functionality of mutt.

debdiff attached

unblock mutt/1.5.23-3

-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru mutt-1.5.23/debian/changelog mutt-1.5.23/debian/changelog --- mutt-1.5.23/debian/changelog 2014-11-29 18:40:59.000000000 +0000 +++ mutt-1.5.23/debian/changelog 2014-12-04 21:11:02.000000000 +0000 @@ -1,3 +1,11 @@ +mutt (1.5.23-3) unstable; urgency=medium + + * Fixed upstream/771125-CVE-2014-9116-jessie.patch thanks to Salvatore + Bonaccorso; now it correctly fixes the CVE and does not affect other + functionalities of mutt (Closes: 771674) + + -- Antonio Radici <anto...@dyne.org> Thu, 04 Dec 2014 21:09:07 +0000 + mutt (1.5.23-2) unstable; urgency=medium * Created upstream/771125-CVE-2014-9116-jessie.patch to address diff -Nru mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch --- mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch 2014-11-29 18:40:59.000000000 +0000 +++ mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch 2014-12-04 21:11:02.000000000 +0000 @@ -10,10 +10,12 @@ The wheezy version of this patch is slightly different, therefore this patch has -jessie prefixed in its name. -Index: mutt/lib.c -=================================================================== ---- mutt.orig/lib.c -+++ mutt/lib.c +The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as +the upstream patch reported here: +http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch + +--- a/lib.c ++++ b/lib.c @@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin, size_t len; char *p; 
@@ -24,16 +26,19 @@ if (end) len = end - begin; else -Index: mutt/lib.h -=================================================================== ---- mutt.orig/lib.h -+++ mutt/lib.h -@@ -98,7 +98,7 @@ - on some systems */ - # define SKIPWS(c) while (*(c) && isspace ((unsigned char) *(c))) c++; - --#define EMAIL_WSP " \t\r\n" -+#define EMAIL_WSP " \t\r" - - /* skip over WSP as defined by RFC5322. This is used primarily for parsing - * header fields. */ +--- a/sendlib.c ++++ b/sendlib.c +@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i + { + tagbuf = mutt_substrdup (start, t); + /* skip over the colon separating the header field name and value */ +- t = skip_email_wsp(t + 1); ++ ++t; ++ ++ /* skip over any leading whitespace (WSP, as defined in RFC5322) */ ++ while (*t == ' ' || *t == '\t') ++ t++; ++ + valbuf = mutt_substrdup (t, end); + } + dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
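
Review bot: The new 1.5.23-3 entry in debian/changelog says the patch "now correctly fixes the CVE" but does not say what changed in it. For an unblock request it would help to name the change: the lib.h edit that removed "\n" from EMAIL_WSP is dropped, and the upstream sendlib.c change to write_one_header takes its place. That lets the release team match the changelog against the debdiff without reading a diff of a patch.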
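
Review bot: In the patch description hunk (@@ -10,10 +10,12 @@), the added text gives provenance only for the sendlib.c part. The lib.c part touching mutt_substrdup is kept but its origin is not stated, and the unchanged sentence "The wheezy version of this patch is slightly different" predates this rework. Please say where the lib.c check comes from and confirm the wheezy remark still holds now that the lib.h part is gone.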
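
Review bot: In the sendlib.c hunk for write_one_header, the new loop "while (*t == ' ' || *t == '\t')" is bounded only by the character class, and its result is passed straight to "mutt_substrdup (t, end)". Nothing in the visible lines compares t with end after the "++t" and the loop, so the caller still depends on the check added to mutt_substrdup in lib.c to catch a start pointer that has moved past end. If end is always non-NULL at this point, consider adding "t < end" to the loop condition so the invariant is enforced where the pointer is advanced, and keep the lib.c check as the backstop.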