File CVE-2023-4874-part1.patch of Package mutt

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-4874-part1.patch of Package mutt

From a4752eb0ae0a521eec02e59e51ae5daedf74fda0 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 14:11:48 +0800
Subject: [PATCH] Fix write_one_header() illegal header check.

This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.

In this case, an empty header line followed by a header line starting
with ":", would result in t==end.

The mutt_substrdup() further below would go very badly at that point,
with t >= end+1.  This could result in either a memcpy onto NULL or a
huge malloc call.

Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw.  This allowed me, with
further testing, to discover this additional crash bug.
---
 sendlib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sendlib.c b/sendlib.c
--- a/sendlib.c
+++ b/sendlib.c
@@ -1832,7 +1832,7 @@ static int write_one_header (FILE *fp, i
   else
   {
     t = strchr (start, ':');
-    if (!t || t > end)
+    if (!t || t >= end)
     {
       dprint (1, (debugfile, "mwoh: warning: header not in "
 		  "'key: value' format!\n"));

Places

File CVE-2023-4874-part1.patch of Package mutt

Places