Hello community, here is the log from the commit of package mutt for openSUSE:Factory checked in at 2014-12-16 14:48:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mutt (Old) and /work/SRC/openSUSE:Factory/.mutt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mutt" Changes: -------- --- /work/SRC/openSUSE:Factory/mutt/mutt.changes 2014-11-24 11:09:15.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mutt.new/mutt.changes 2014-12-16 14:47:30.000000000 +0100 @@ -1,0 +2,6 @@ +Thu Dec 4 12:03:10 UTC 2014 - wer...@suse.de + +- Add patch bsc907453-CVE-2014-9116-jessie.patch to fix bsc#907453 + CVE-2014-9116: heap-based buffer overflow in mutt_substrdup() + +------------------------------------------------------------------- New: ---- bsc907453-CVE-2014-9116-jessie.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mutt.spec ++++++ --- /var/tmp/diff_new_pack.VQX0rR/_old 2014-12-16 14:47:33.000000000 +0100 +++ /var/tmp/diff_new_pack.VQX0rR/_new 2014-12-16 14:47:33.000000000 +0100 @@ -107,6 +107,8 @@ Patch17: mutt-CVE-2014-0467.patch # PATCH-FIX-OPENSUSE bnc#899712 - fallback mailcap for e.g text/html Patch18: mutt-1.5.21-mailcap.diff +# PATCH-FIX-SUSE: bsc#907453 - CVE-2014-9116: mutt: heap-based buffer overflow in mutt_substrdup() +Patch19: bsc907453-CVE-2014-9116-jessie.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir %{_sysconfdir} @@ -141,6 +143,7 @@ %patch16 -p0 -b .crlf %patch17 -p1 -b .cve.2014.0467 %patch18 -p1 -b .mailcap +%patch19 -p1 -b .cvw2014.9116 cp doc/Muttrc Muttrc.SuSE cp %{S:2} . ++++++ bsc907453-CVE-2014-9116-jessie.patch ++++++ This patch solves the issue raised by CVE-2014-9116 in bug 771125. We correctly redefine what are the whitespace characters as per RFC5322; by doing so we prevent mutt_substrdup from being used in a way that could lead to a segfault. The lib.c part was written by Antonio Radici <anto...@debian.org> to prevent crashes due to this kind of bugs from happening again. The wheezy version of this patch is slightly different, therefore this patch has -jessie prefixed in its name. Index: mutt/lib.c =================================================================== --- mutt/lib.c +++ mutt/lib.c @@ -819,6 +819,9 @@ char *mutt_substrdup (const char *begin, size_t len; char *p; + if (end != NULL && end < begin) + return NULL; + if (end) len = end - begin; else Index: mutt/sendlib.c =================================================================== --- mutt/sendlib.c +++ mutt/sendlib.c @@ -1814,7 +1814,11 @@ static int write_one_header (FILE *fp, i { tagbuf = mutt_substrdup (start, t); ++t; /* skip over the colon separating the header field name and value */ - SKIPWS(t); /* skip over any leading whitespace */ + + /* skip over any leading whitespace (WSP, as defined in RFC5322) */ + while (*t == ' ' || *t == '\t') + t++; + valbuf = mutt_substrdup (t, end); } dprint(4,(debugfile,"mwoh: buf[%s%s] too long, " -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org