Bug#929017: mutt: undefined behavior on huge integer in a RFC 2231 header

Sat, 25 May 2019 02:09:27 -0700 

tags 929017 + pending patch
thanks

I've uploaded mutt 1.10.1-2.1 to DELAYED/5:
  
  mutt (1.10.1-2.1) unstable; urgency=medium
  
    * Non-maintainer upload.
    * Apply patch from upstream to prevent undefined behaviour when
      parsing invalid Content-Disposition mail headers. The atoi() function was
      being called on a number which can potentially overflow and thus can have
      security implications depending on the atoi() implementation.
      (Closes: #929017)

The full debdiff is attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

diffstat for mutt-1.10.1 mutt-1.10.1

 changelog                                             |   11 +++++++++++
 patches/series                                        |    1 +
 patches/upstream/929017-atoi-undefined-behavior.patch |   18 ++++++++++++++++++
 3 files changed, 30 insertions(+)

diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog        2018-08-07 09:31:52.000000000 +0100
+++ mutt-1.10.1/debian/changelog        2019-05-25 09:57:12.000000000 +0100
@@ -1,3 +1,14 @@
+mutt (1.10.1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply patch from upstream to prevent undefined behaviour when
+    parsing invalid Content-Disposition mail headers. The atoi() function was
+    being called on a number which can potentially overflow and thus can have
+    security implications depending on the atoi() implementation.
+    (Closes: #929017)
+
+ -- Chris Lamb <la...@debian.org>  Sat, 25 May 2019 09:57:12 +0100
+
 mutt (1.10.1-2) unstable; urgency=low
 
   [ Jonathan Nieder ]
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series   2018-08-07 09:31:15.000000000 +0100
+++ mutt-1.10.1/debian/patches/series   2019-05-25 09:57:12.000000000 +0100
@@ -12,3 +12,4 @@
 upstream/905551-oauthbearer-imap.patch
 upstream/905551-oauthbearer-smtp.patch
 upstream/905551-oauthbearer-refresh.patch
+upstream/929017-atoi-undefined-behavior.patch
diff -Nru 
mutt-1.10.1/debian/patches/upstream/929017-atoi-undefined-behavior.patch 
mutt-1.10.1/debian/patches/upstream/929017-atoi-undefined-behavior.patch
--- mutt-1.10.1/debian/patches/upstream/929017-atoi-undefined-behavior.patch    
1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.10.1/debian/patches/upstream/929017-atoi-undefined-behavior.patch    
2019-05-25 09:57:12.000000000 +0100
@@ -0,0 +1,18 @@
+https://gitlab.com/muttmua/mutt/commit/3b6f6b829718ec8a7cf3eb6997d86e83e6c38567
+
+--- mutt-1.10.1.orig/rfc2231.c
++++ mutt-1.10.1/rfc2231.c
+@@ -147,7 +147,12 @@ void rfc2231_decode_parameters (PARAMETE
+       encoded = (*t == '*');
+       *t = '\0';
+ 
+-      index = atoi (s);
++      /* RFC 2231 says that the index starts at 0 and increments by 1,
++         thus an overflow should never occur in a valid message, thus
++         the value INT_MAX in case of overflow does not really matter
++         (the goal is just to avoid undefined behavior). */
++      if (mutt_atoi (s, &index))
++        index = INT_MAX;
+ 
+       conttmp = rfc2231_new_parameter ();
+       conttmp->attribute = p->attribute;

Reply via email to