+++ /dev/null
-From 04b06aaa3e0cc0022b9b01dbca2863756ebbf59a Mon Sep 17 00:00:00 2001
-From: Kevin McCarthy <kevin@8t8.us>
-Date: Mon, 16 Nov 2020 10:20:21 -0800
-Subject: [PATCH] Ensure IMAP connection is closed after a connection error.
-
-During connection, if the server provided an illegal initial response,
-Mutt "bailed", but did not actually close the connection. The calling
-code unfortunately relied on the connection status to decide to
-continue with authentication, instead of checking the "bail" return
-value.
-
-This could result in authentication credentials being sent over an
-unencrypted connection, without $ssl_force_tls being consulted.
-
-Fix this by strictly closing the connection on any invalid response
-during connection. The fix is intentionally small, to ease
-backporting. A better fix would include removing the 'err_close_conn'
-label, and perhaps adding return value checking in the caller (though
-this change obviates the need for that).
-
-This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for
-reporting the problem, and providing test cases to reproduce.
-
-[Retrieved from:
-https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- imap/imap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/imap/imap.c b/imap/imap.c
-index b24e8a3f..b13dd54d 100644
---- a/imap/imap.c
-+++ b/imap/imap.c
-@@ -561,9 +561,9 @@ int imap_open_connection (IMAP_DATA* idata)
-
- #if defined(USE_SSL)
- err_close_conn:
-- imap_close_connection (idata);
- #endif
- bail:
-+ imap_close_connection (idata);
- FREE (&idata->capstr);
- return -1;
- }
---
-GitLab
-
+++ /dev/null
-From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001
-From: Kevin McCarthy <kevin@8t8.us>
-Date: Sun, 17 Jan 2021 10:40:37 -0800
-Subject: [PATCH] Fix memory leak parsing group addresses without a display
- name.
-
-When there was a group address terminator with no previous
-addresses (including the group display-name), an address would be
-allocated but not attached to the address list.
-
-Change this to only allocate when last exists.
-
-It would be more correct to not allocate at all unless we are inside a
-group list, but I will address that in a separate commit to master.
-
-[Retrieved from:
-https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-1.patch?h=import/1.14.6-1ubuntu0.2]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- rfc822.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-Index: mutt-1.14.6/rfc822.c
-===================================================================
---- mutt-1.14.6.orig/rfc822.c
-+++ mutt-1.14.6/rfc822.c
-@@ -491,11 +491,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
- #endif
-
- /* add group terminator */
-- cur = rfc822_new_address ();
- if (last)
- {
-- last->next = cur;
-- last = cur;
-+ last->next = rfc822_new_address ();
-+ last = last->next;
- }
-
- phraselen = 0;
+++ /dev/null
-From 939b02b33ae29bc0d642570c1dcfd4b339037d19 Mon Sep 17 00:00:00 2001
-From: Kevin McCarthy <kevin@8t8.us>
-Date: Sun, 17 Jan 2021 10:53:19 -0800
-Subject: [PATCH] Don't allocate a group terminator unless we are in a
- group-list.
-
-This will reduce memory allocation for garbage/spam address lists.
-
-It also makes no sense to store a terminator when there wasn't a
-display-name indicating the start of a group.
-
-[Retrieved from:
-https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-2.patch?h=import/1.14.6-1ubuntu0.2]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- rfc822.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-Index: mutt-1.14.6/rfc822.c
-===================================================================
---- mutt-1.14.6.orig/rfc822.c
-+++ mutt-1.14.6/rfc822.c
-@@ -378,7 +378,7 @@ add_addrspec (ADDRESS **top, ADDRESS **l
-
- ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
- {
-- int ws_pending, nl;
-+ int ws_pending, nl, in_group = 0;
- #ifdef EXACT_ADDRESS
- const char *begin;
- #endif
-@@ -455,6 +455,7 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
- terminate_buffer (phrase, phraselen);
- cur->mailbox = safe_strdup (phrase);
- cur->group = 1;
-+ in_group = 1;
-
- if (last)
- last->next = cur;
-@@ -491,11 +492,12 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
- #endif
-
- /* add group terminator */
-- if (last)
-+ if (last && in_group)
- {
- last->next = rfc822_new_address ();
- last = last->next;
- }
-+ in_group = 0;
-
- phraselen = 0;
- commentlen = 0;
+++ /dev/null
-From d4305208955c5cdd9fe96dfa61e7c1e14e176a14 Mon Sep 17 00:00:00 2001
-From: Kevin McCarthy <kevin@8t8.us>
-Date: Sun, 17 Jan 2021 11:05:36 -0800
-Subject: [PATCH] Add group terminator if it is left off.
-
-If there is no terminating ";" add one to the list, to make the text
-re-rendering correct.
-
-[Retrieved from:
-https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-3.patch?h=import/1.14.6-1ubuntu0.2]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- rfc822.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: mutt-1.14.6/rfc822.c
-===================================================================
---- mutt-1.14.6.orig/rfc822.c
-+++ mutt-1.14.6/rfc822.c
-@@ -560,6 +560,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
- last->val = mutt_substrdup (begin, s - nl < begin ? begin : s - nl);
- #endif
-
-+ /* add group terminator, if it was left off */
-+ if (last && in_group)
-+ last->next = rfc822_new_address ();
-+
- return top;
- }
-
# Locally calculated
-sha256 e4f507b133253cb5eef27996b8668956cdf9caac622cf8adad13f0f9a4eda864 mutt-1.14.7.tar.gz
+sha256 81e31c45895fd624747f19106aa2697d2aa135049ff2e9e9db0a6ed876bcb598 mutt-2.0.6.tar.gz
sha256 732f24b69a6c71cd8e01e4672bb8e12cc1cbb88a50a4665e6ca4fd95000a57ee GPL
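Review bot: The new `mutt-2.0.6.tar.gz` hash is still recorded under `# Locally calculated`, so it only attests the bytes that were downloaded when the bump was prepared, not that they are the release upstream published. If upstream provides a detached signature for this tarball, the archive should be verified against it before the hash is written down, and the comment should say so, e.g. `# Locally calculated after checking pgp signature`. This matters more than usual here because the same commit deletes four locally carried security patches and removes the `MUTT_IGNORE_CVES` entries for CVE-2020-28896 and CVE-2021-3181, so the build presumably depends on the upstream archive alone to carry those fixes.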
#
################################################################################
-MUTT_VERSION = 1.14.7
+MUTT_VERSION = 2.0.6
MUTT_SITE = https://bitbucket.org/mutt/mutt/downloads
MUTT_LICENSE = GPL-2.0+
MUTT_LICENSE_FILES = GPL
MUTT_DEPENDENCIES = ncurses
MUTT_CONF_OPTS = --disable-doc --disable-smtp
-# 0001-Ensure-IMAP-connection-is-closed-after-a-connection-error.patch
-MUTT_IGNORE_CVES += CVE-2020-28896
-
-# 0002-CVE-2021-3181-1.patch
-# 0003-CVE-2021-3181-2.patch
-# 0004-CVE-2021-3181-3.patch
-MUTT_IGNORE_CVES += CVE-2021-3181
-
ifeq ($(BR2_PACKAGE_LIBICONV),y)
MUTT_DEPENDENCIES += libiconv
MUTT_CONF_OPTS += --enable-iconv