From c1413cd94c9bc953613b8d2578202240c234f34c Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Thu, 28 Jan 2021 21:49:40 +0100
Subject: [PATCH] package/mutt: add security fixes from Ubuntu for CVE-2021-3181

Fixes the following security issue:
- CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.
Signed-off-by: Peter Korsgaard
---
 package/mutt/0002-CVE-2021-3181-1.patch | 40 +++++++++++++++++++
 package/mutt/0003-CVE-2021-3181-2.patch | 53 +++++++++++++++++++++++++
 package/mutt/0004-CVE-2021-3181-3.patch | 30 ++++++++++++++
 package/mutt/mutt.mk | 5 +++
 4 files changed, 128 insertions(+)
 create mode 100644 package/mutt/0002-CVE-2021-3181-1.patch
 create mode 100644 package/mutt/0003-CVE-2021-3181-2.patch
 create mode 100644 package/mutt/0004-CVE-2021-3181-3.patch

diff --git a/package/mutt/0002-CVE-2021-3181-1.patch b/package/mutt/0002-CVE-2021-3181-1.patch
new file mode 100644
index 0000000000..cbb12cf2f2
--- /dev/null
+++ b/package/mutt/0002-CVE-2021-3181-1.patch
@@ -0,0 +1,40 @@
+From 4a2becbdb4422aaffe3ce314991b9d670b7adf17 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 17 Jan 2021 10:40:37 -0800
+Subject: [PATCH] Fix memory leak parsing group addresses without a display
+ name.
+
+When there was a group address terminator with no previous
+addresses (including the group display-name), an address would be
+allocated but not attached to the address list.
+
+Change this to only allocate when last exists.
+
+It would be more correct to not allocate at all unless we are inside a
+group list, but I will address that in a separate commit to master.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-1.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard
+---
+ rfc822.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
++++ mutt-1.14.6/rfc822.c
+@@ -491,11 +491,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ #endif
+ 
+ /* add group terminator */
+- cur = rfc822_new_address ();
+ if (last)
+ {
+- last->next = cur;
+- last = cur;
++ last->next = rfc822_new_address ();
++ last = last->next;
+ }
+ 
+ phraselen = 0;
diff --git a/package/mutt/0003-CVE-2021-3181-2.patch b/package/mutt/0003-CVE-2021-3181-2.patch
new file mode 100644
index 0000000000..c3184a40ed
--- /dev/null
+++ b/package/mutt/0003-CVE-2021-3181-2.patch
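Review bot: The `/* add group terminator */` comment above the rewritten `if (last)` block no longer says why the allocation moved inside the conditional, which is the entire point of this fix; I would make it `/* add group terminator only when there is a list to attach it to; an unattached node is simply leaked (CVE-2021-3181) */`. The result of `rfc822_new_address ()` is still used unchecked on the following line, which is presumably fine if mutt's allocator aborts on failure instead of returning NULL — worth confirming for the version being patched. Note that on its own this patch still allocates a node for every `;` once `last` is set; the second patch in the series gates that on being inside a group, so nothing further is needed in this hunk. `rfc822_parse_adrlist` begins and ends outside this hunk.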
@@ -0,0 +1,53 @@
+From 939b02b33ae29bc0d642570c1dcfd4b339037d19 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 17 Jan 2021 10:53:19 -0800
+Subject: [PATCH] Don't allocate a group terminator unless we are in a
+ group-list.
+
+This will reduce memory allocation for garbage/spam address lists.
+
+It also makes no sense to store a terminator when there wasn't a
+display-name indicating the start of a group.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-2.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard
+---
+ rfc822.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
++++ mutt-1.14.6/rfc822.c
+@@ -378,7 +378,7 @@ add_addrspec (ADDRESS **top, ADDRESS **l
+ 
+ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
+ {
+- int ws_pending, nl;
++ int ws_pending, nl, in_group = 0;
+ #ifdef EXACT_ADDRESS
+ const char *begin;
+ #endif
+@@ -455,6 +455,7 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ terminate_buffer (phrase, phraselen);
+ cur->mailbox = safe_strdup (phrase);
+ cur->group = 1;
++ in_group = 1;
+ 
+ if (last)
+ last->next = cur;
+@@ -491,11 +492,12 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ #endif
+ 
+ /* add group terminator */
+- if (last)
++ if (last && in_group)
+ {
+ last->next = rfc822_new_address ();
+ last = last->next;
+ }
++ in_group = 0;
+ 
+ phraselen = 0;
+ commentlen = 0;
diff --git a/package/mutt/0004-CVE-2021-3181-3.patch b/package/mutt/0004-CVE-2021-3181-3.patch
new file mode 100644
index 0000000000..42d0cbaef5
--- /dev/null
+++ b/package/mutt/0004-CVE-2021-3181-3.patch
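Review bot: `in_group` is introduced as a bare `int` with no comment, yet the `@@ -491` hunk relies on an invariant that is stated nowhere: the flag is set right where the group node is attached (`cur->group = 1;` followed by `if (last) last->next = cur;`), so by the time `last && in_group` is evaluated `last` is presumably already non-NULL and the test is really only on `in_group`. I would document the flag at its declaration, `int ws_pending, nl, in_group = 0; /* inside a "name: ... ;" group; gates terminator allocation (CVE-2021-3181) */`, and note at the terminator site that the `last` check is kept defensively. After this change allocation is proportional to the number of group openers rather than to the number of `;`, and each opener's node is attached to the list and so freed with it, so the remaining cost looks bounded by header length — worth stating in the description if that was evaluated. `rfc822_parse_adrlist` continues past the last hunk.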
@@ -0,0 +1,30 @@
+From d4305208955c5cdd9fe96dfa61e7c1e14e176a14 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 17 Jan 2021 11:05:36 -0800
+Subject: [PATCH] Add group terminator if it is left off.
+
+If there is no terminating ";" add one to the list, to make the text
+re-rendering correct.
+
+[Retrieved from:
+https://git.launchpad.net/ubuntu/+source/mutt/plain/debian/patches/CVE-2021-3181-3.patch?h=import/1.14.6-1ubuntu0.2]
+Signed-off-by: Peter Korsgaard
+---
+ rfc822.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: mutt-1.14.6/rfc822.c
+===================================================================
+--- mutt-1.14.6.orig/rfc822.c
++++ mutt-1.14.6/rfc822.c
+@@ -560,6 +560,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *
+ last->val = mutt_substrdup (begin, s - nl < begin ? begin : s - nl);
+ #endif
+ 
++ /* add group terminator, if it was left off */
++ if (last && in_group)
++ last->next = rfc822_new_address ();
++
+ return top;
+ }
+ 
diff --git a/package/mutt/mutt.mk b/package/mutt/mutt.mk
index 0823e8afc0..c2188cebea 100644
--- a/package/mutt/mutt.mk
+++ b/package/mutt/mutt.mk
@@ -15,6 +15,11 @@ MUTT_CONF_OPTS = --disable-doc --disable-smtp
 # 0001-Ensure-IMAP-connection-is-closed-after-a-connection-error.patch
 MUTT_IGNORE_CVES += CVE-2020-28896
 
+# 0002-CVE-2021-3181-1.patch
+# 0003-CVE-2021-3181-2.patch
+# 0004-CVE-2021-3181-3.patch
+MUTT_IGNORE_CVES += CVE-2021-3181
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 MUTT_DEPENDENCIES += libiconv
 MUTT_CONF_OPTS += --enable-iconv
-- 
2.30.2
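Review bot: The synthesized terminator at the end of `rfc822_parse_adrlist` is appended with `last->next = rfc822_new_address ();` but, unlike the `;` path, neither advances `last` nor clears `in_group`; that is harmless immediately before `return top;`, but a reader comparing the two sites will wonder, so the comment should say so: `/* add group terminator if it was left off; last/in_group are not updated since we return next */`. Under `EXACT_ADDRESS` the line just above this insertion fills `last->val` only for the previous node, so the synthesized terminator carries no `val` — if the re-rendering this patch is meant to fix reads `val` for every node in that build, confirm it tolerates NULL there. The single-statement `if` also drops the braces that the equivalent terminator block at the `;` site uses; match that style. The enclosing function starts before this hunk.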
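Review bot: `MUTT_IGNORE_CVES += CVE-2021-3181` tells the CVE checker the issue is fixed for whatever `MUTT_VERSION` builds, but the three patches it cites carry Ubuntu's `Index: mutt-1.14.6/rfc822.c` headers and `MUTT_VERSION` is outside this hunk, so confirm they apply cleanly to the packaged version before the CVE is marked as addressed. The commit description says the issue affects releases through 2.0.4; if the package is on a 2.0.x release, bumping to the first upstream release after 2.0.4 would carry the fix natively and let this entry and the three backports be dropped, which is generally preferable to carrying them. The comment block naming the patch files follows the existing `# 0001-...` convention directly above it, which keeps the ignore list auditable.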