Fix for: CVE-2023-4874 CVE-2023-4875

Resolves: RHEL-2812

0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch

@@ -0,0 +1,41 @@
+From 96610c6cfa796dc15c5afcf0fd9f9b75869827fe Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 3 Sep 2023 12:22:01 +0800
+Subject: [PATCH] Fix rfc2047 base64 decoding to abort on illegal characters.
+
+For some reason, the rfc2047 base64 decoder ignored illegal
+characters, instead of aborting.  This seems innocuous, but in fact
+leads to at least three crash-bugs elsewhere in Mutt.
+
+These stem from Mutt, in some cases, passing an entire header
+field (name, colon, and body) to the rfc2047 decoder.  (It is
+technically incorrect to do so, by the way, but is beyond scope for
+these fixes in stable).  Mutt then assumes the result can't be empty
+because of a previous check that the header contains at least a colon.
+
+This commit takes care of the source of the crashes, by aborting the
+rfc2047 decode.  The following two commits add protective fixes to the
+specific crash points.
+
+Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
+crashes, giving a working example draft message, and providing the
+stack traces for the two NULL derefences.
+
+(cherry picked from commit 452ee330e094bfc7c9a68555e5152b1826534555)
+---
+ rfc2047.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rfc2047.c b/rfc2047.c
+index 1ce82ebb..36cc76db 100644
+--- a/rfc2047.c
++++ b/rfc2047.c
+@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
+ 	    if (*pp == '=')
+ 	      break;
+ 	    if ((*pp & ~127) || (c = base64val(*pp)) == -1)
+-	      continue;
++              goto error_out_0;
+ 	    if (k + 6 >= 8)
+ 	    {
+ 	      k -= 2;

0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch

@@ -0,0 +1,37 @@
+From d75eaee07138aa661b5c8b49242d20ba95894efb Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 3 Sep 2023 14:11:48 +0800
+Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
+
+This is another crash caused by the rfc2047 decoding bug fixed in the
+second prior commit.
+
+In this case, an empty header line followed by a header line starting
+with ":", would result in t==end.
+
+The mutt_substrdup() further below would go very badly at that point,
+with t >= end+1.  This could result in either a memcpy onto NULL or a
+huge malloc call.
+
+Thanks to Chenyuan Mi (@morningbread) for giving a working example
+draft message of the rfc2047 decoding flaw.  This allowed me, with
+further testing, to discover this additional crash bug.
+
+(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
+---
+ sendlib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sendlib.c b/sendlib.c
+index b0b94b4f..7d2feb62 100644
+--- a/sendlib.c
++++ b/sendlib.c
+@@ -2121,7 +2121,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
+   else
+   {
+     t = strchr (start, ':');
+-    if (!t || t > end)
++    if (!t || t >= end)
+     {
+       dprint (1, (debugfile, "mwoh: warning: header not in "
+ 		  "'key: value' format!\n"));

0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch

@@ -0,0 +1,47 @@
+From d9e00fa1a7c0f30529d71d818a4e1518f1537053 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Mon, 4 Sep 2023 12:50:07 +0800
+Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
+
+When composing an email, miscellaneous extra headers are stored in a
+userhdrs list.  Mutt first checks to ensure each header contains at
+least a colon character, passes the entire userhdr field (name, colon,
+and body) to the rfc2047 decoder, and safe_strdup()'s the result on
+the userhdrs list.  An empty result would from the decode would result
+in a NULL headers being added to list.
+
+The previous commit removed the possibility of the decoded header
+field being empty, but it's prudent to add a check to the strchr
+calls, in case there is another unexpected bug resulting in one.
+
+Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
+crashes, giving a working example draft message, and providing the
+stack traces for the two NULL derefences.
+
+(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
+---
+ sendlib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sendlib.c b/sendlib.c
+index 7d2feb62..ed4d7a25 100644
+--- a/sendlib.c
++++ b/sendlib.c
+@@ -2409,7 +2409,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
+   /* Add any user defined headers */
+   for (; tmp; tmp = tmp->next)
+   {
+-    if ((p = strchr (tmp->data, ':')))
++    if ((p = strchr (NONULL (tmp->data), ':')))
+     {
+       q = p;
+ 
+@@ -2457,7 +2457,7 @@ static void encode_headers (LIST *h)
+ 
+   for (; h; h = h->next)
+   {
+-    if (!(p = strchr (h->data, ':')))
++    if (!(p = strchr (NONULL (h->data), ':')))
+       continue;
+ 
+     i = p - h->data;

mutt.spec

@@ -20,7 +20,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 2.2.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@@ -38,6 +38,9 @@ Patch9: mutt-1.9.0-ssl_ciphers.patch
 Patch10: mutt-1.9.4-lynx_no_backscapes.patch
 Patch12: mutt-1.9.5-nodotlock.patch
 Patch13: mutt-1.12.1-optusegpgagent.patch
+Patch0014: 0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
+Patch0015: 0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
+Patch0016: 0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch
 
 Url: http://www.mutt.org
 Requires: mailcap, urlview
@@ -94,6 +97,9 @@ autoreconf --install
 %patch8 -p1 -b .system_certs
 %patch9 -p1 -b .ssl_ciphers
 %patch13 -p1 -b .optusegpgagent
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
 
@@ -212,6 +218,10 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
 
 
 %changelog
+* Wed Oct 11 2023 Matej Mužila <mmuzila@redhat.com> - 5:2.2.6-2
+- Fix for: CVE-2023-4874 CVE-2023-4875
+- Resolves: RHEL-2812
+
 * Mon Jul 25 2022 Matej Mužila <mmuzila@redhat.com> - 5:2.2.6-1
 - Rebase to upstream version 2.2.6
   Resolves: CVE-2022-1328