
Bug#1010058: bullseye-pu: package mutt/2.0.5-4.1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org,antonio@debian.org

Hi SRM'ers, hi Antonio

I prepared an update for mutt, fixing CVE-2022-1328, a buffer overflow
in the uudecoder.

Performed a manual test with the PoC mbox provided by Tavis in
https://gitlab.com/muttmua/mutt/-/issues/404.

Attached is the debdiff respectively for the upload.

Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog
--- mutt-2.0.5/debian/changelog	2021-06-06 21:11:36.000000000 +0200
+++ mutt-2.0.5/debian/changelog	2022-04-23 14:44:09.000000000 +0200
@@ -1,3 +1,10 @@
+mutt (2.0.5-4.1+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix uudecode buffer overflow (CVE-2022-1328) (Closes: #1009734)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 23 Apr 2022 14:44:09 +0200
+
 mutt (2.0.5-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series
--- mutt-2.0.5/debian/patches/series	2021-06-06 21:11:36.000000000 +0200
+++ mutt-2.0.5/debian/patches/series	2022-04-23 14:44:09.000000000 +0200
@@ -14,3 +14,4 @@
 upstream/980924-updated-german-translation.patch
 upstream/985152-body-color-slowness.patch
 upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
+upstream/Fix-uudecode-buffer-overflow.patch
diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch
--- mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch	2022-04-23 14:44:09.000000000 +0200
@@ -0,0 +1,43 @@
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: Fix uudecode buffer overflow.
+Origin: https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
+Bug: https://gitlab.com/muttmua/mutt/-/issues/404
+Bug-Debian: https://bugs.debian.org/1009734
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-1328
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation.  It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust.  However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index d1b4bc73a58f..c97cf0cb527e 100644
+--- a/handler.c
++++ b/handler.c
+@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
+     pt = tmps;
+     linelen = decode_byte (*pt);
+     pt++;
+-    for (c = 0; c < linelen;)
++    for (c = 0; c < linelen && *pt;)
+     {
+-      for (l = 2; l <= 6; l += 2)
++      for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+       {
+ 	out = decode_byte (*pt) << l;
+ 	pt++;
+-- 
+2.35.2
+
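Review bot: the two new loop guards in the handler.c hunk stop at the NUL terminator of the line rather than validating `linelen` against the number of characters actually read, so a length character larger than the line now ends decoding early instead of reading past the buffer; that matches the intentionally minimal scope stated in the patch description, and the remaining robustness work is left to upstream as noted there. The inner condition checks both `*pt` and `*(pt + 1)` because the loop body advances `pt` once (the visible `pt++`) and consumes a further byte in the same iteration, so checking only `*pt` would not be enough. Since the DEP-3 header already carries Origin, Bug and Bug-Debian links, it would also help to record there (or in the changelog entry) that the backport was verified with the PoC mbox from issue 404, which the cover mail mentions but the patch metadata does not.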