Bug#772074: unblock: mutt/1.5.23-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mutt
This version includes a better patch for the mutt CVE which does not compromise
the functionality of mutt.
debdiff attached
unblock mutt/1.5.23-3
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru mutt-1.5.23/debian/changelog mutt-1.5.23/debian/changelog
--- mutt-1.5.23/debian/changelog 2014-11-29 18:40:59.000000000 +0000
+++ mutt-1.5.23/debian/changelog 2014-12-04 21:11:02.000000000 +0000
@@ -1,3 +1,11 @@
+mutt (1.5.23-3) unstable; urgency=medium
+
+ * Fixed upstream/771125-CVE-2014-9116-jessie.patch thanks to Salvatore
+ Bonaccorso; now it correctly fixes the CVE and does not affect other
+ functionalities of mutt (Closes: 771674)
+
+ -- Antonio Radici <antonio@dyne.org> Thu, 04 Dec 2014 21:09:07 +0000
+
mutt (1.5.23-2) unstable; urgency=medium
* Created upstream/771125-CVE-2014-9116-jessie.patch to address
diff -Nru mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch
--- mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch 2014-11-29 18:40:59.000000000 +0000
+++ mutt-1.5.23/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch 2014-12-04 21:11:02.000000000 +0000
@@ -10,10 +10,12 @@
The wheezy version of this patch is slightly different, therefore this patch
has -jessie prefixed in its name.
-Index: mutt/lib.c
-===================================================================
---- mutt.orig/lib.c
-+++ mutt/lib.c
+The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as
+the upstream patch reported here:
+http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch
+
+--- a/lib.c
++++ b/lib.c
@@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin,
size_t len;
char *p;
@@ -24,16 +26,19 @@
if (end)
len = end - begin;
else
-Index: mutt/lib.h
-===================================================================
---- mutt.orig/lib.h
-+++ mutt/lib.h
-@@ -98,7 +98,7 @@
- on some systems */
- # define SKIPWS(c) while (*(c) && isspace ((unsigned char) *(c))) c++;
-
--#define EMAIL_WSP " \t\r\n"
-+#define EMAIL_WSP " \t\r"
-
- /* skip over WSP as defined by RFC5322. This is used primarily for parsing
- * header fields. */
+--- a/sendlib.c
++++ b/sendlib.c
+@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i
+ {
+ tagbuf = mutt_substrdup (start, t);
+ /* skip over the colon separating the header field name and value */
+- t = skip_email_wsp(t + 1);
++ ++t;
++
++ /* skip over any leading whitespace (WSP, as defined in RFC5322) */
++ while (*t == ' ' || *t == '\t')
++ t++;
++
+ valbuf = mutt_substrdup (t, end);
+ }
+ dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
Reply to: