From 64d391c76772911858c04cbe403096dbc9f3237a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
Date: Wed, 11 Oct 2023 15:47:35 +0200
Subject: [PATCH] Fix for: CVE-2023-4874 CVE-2023-4875

---
 .mutt.metadata                                     |  1 +
 ...64-decoding-to-abort-on-illegal-char.patch      | 41 ++++++++++++++++
 ...x-write_one_header-illegal-header-ch.patch      | 37 +++++++++++++++
 ...VE-2023-4875-Check-for-NULL-userhdrs.patch      | 47 +++++++++++++++++++
 mutt.spec                                          | 12 ++++-
 5 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 .mutt.metadata
 create mode 100644 0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
 create mode 100644 0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
 create mode 100644 0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch

diff --git a/.mutt.metadata b/.mutt.metadata
new file mode 100644
index 0000000..eeb906d
--- /dev/null
+++ b/.mutt.metadata
@@ -0,0 +1 @@
+3dabf53ea1a45e67fe77a5072bb4c104afb2ad1e mutt-2.2.6.tar.gz
diff --git a/0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch b/0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
new file mode 100644
index 0000000..4a701fc
--- /dev/null
+++ b/0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
@@ -0,0 +1,41 @@
+From 96610c6cfa796dc15c5afcf0fd9f9b75869827fe Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 3 Sep 2023 12:22:01 +0800
+Subject: [PATCH] Fix rfc2047 base64 decoding to abort on illegal characters.
+
+For some reason, the rfc2047 base64 decoder ignored illegal
+characters, instead of aborting. This seems innocuous, but in fact
+leads to at least three crash-bugs elsewhere in Mutt.
+
+These stem from Mutt, in some cases, passing an entire header
+field (name, colon, and body) to the rfc2047 decoder. (It is
+technically incorrect to do so, by the way, but is beyond scope for
+these fixes in stable). Mutt then assumes the result can't be empty
+because of a previous check that the header contains at least a colon.
+
+This commit takes care of the source of the crashes, by aborting the
+rfc2047 decode. The following two commits add protective fixes to the
+specific crash points.
+
+Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
+crashes, giving a working example draft message, and providing the
+stack traces for the two NULL derefences.
+
+(cherry picked from commit 452ee330e094bfc7c9a68555e5152b1826534555)
+---
+ rfc2047.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rfc2047.c b/rfc2047.c
+index 1ce82ebb..36cc76db 100644
+--- a/rfc2047.c
++++ b/rfc2047.c
+@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
+       if (*pp == '=')
+         break;
+       if ((*pp & ~127) || (c = base64val(*pp)) == -1)
+-        continue;
++        goto error_out_0;
+       if (k + 6 >= 8)
+       {
+         k -= 2;
diff --git a/0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch b/0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
new file mode 100644
index 0000000..6e4b873
--- /dev/null
+++ b/0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
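Review bot: The one-line switch from `continue` to `goto error_out_0` reverses long-standing lenient decoding without a comment saying why, and the rationale (callers assume a decoded header field is non-empty and still contains its colon) lives only in the commit message. Keeping it next to the code would stop a future "cleanup" from restoring the skip: `/* Illegal base64 byte: abort the whole decode instead of skipping it; callers assume a decoded header is never empty. */`. rfc2047_decode_word's body, including the error_out_0 label, continues outside the hunk, so what that label releases is not visible here.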
@@ -0,0 +1,37 @@
+From d75eaee07138aa661b5c8b49242d20ba95894efb Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 3 Sep 2023 14:11:48 +0800
+Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
+
+This is another crash caused by the rfc2047 decoding bug fixed in the
+second prior commit.
+
+In this case, an empty header line followed by a header line starting
+with ":", would result in t==end.
+
+The mutt_substrdup() further below would go very badly at that point,
+with t >= end+1. This could result in either a memcpy onto NULL or a
+huge malloc call.
+
+Thanks to Chenyuan Mi (@morningbread) for giving a working example
+draft message of the rfc2047 decoding flaw. This allowed me, with
+further testing, to discover this additional crash bug.
+
+(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
+---
+ sendlib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sendlib.c b/sendlib.c
+index b0b94b4f..7d2feb62 100644
+--- a/sendlib.c
++++ b/sendlib.c
+@@ -2121,7 +2121,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
+       else
+       {
+         t = strchr (start, ':');
+-        if (!t || t > end)
++        if (!t || t >= end)
+         {
+           dprint (1, (debugfile, "mwoh: warning: header not in "
+                       "'key: value' format!\n"));
diff --git a/0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch b/0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch
new file mode 100644
index 0000000..13a8a83
--- /dev/null
+++ b/0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch
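Review bot: The new `t >= end` test rejects a colon found at or beyond the end of the current line, but a colon at `start` (a header line that begins with ':', which the commit message names as the triggering input) still passes with `t == start`, handing a zero-length header name to the code below. Whether mutt_substrdup and the later writes tolerate an empty name is not visible in the hunk, so that is worth confirming; if they do not, `if (!t || t == start || t >= end)` would send that case to the same "not in 'key: value' format" warning. write_one_header begins and ends outside the hunk.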
@@ -0,0 +1,47 @@
+From d9e00fa1a7c0f30529d71d818a4e1518f1537053 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Mon, 4 Sep 2023 12:50:07 +0800
+Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
+
+When composing an email, miscellaneous extra headers are stored in a
+userhdrs list. Mutt first checks to ensure each header contains at
+least a colon character, passes the entire userhdr field (name, colon,
+and body) to the rfc2047 decoder, and safe_strdup()'s the result on
+the userhdrs list. An empty result would from the decode would result
+in a NULL headers being added to list.
+
+The previous commit removed the possibility of the decoded header
+field being empty, but it's prudent to add a check to the strchr
+calls, in case there is another unexpected bug resulting in one.
+
+Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
+crashes, giving a working example draft message, and providing the
+stack traces for the two NULL derefences.
+
+(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
+---
+ sendlib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sendlib.c b/sendlib.c
+index 7d2feb62..ed4d7a25 100644
+--- a/sendlib.c
++++ b/sendlib.c
+@@ -2409,7 +2409,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
+   /* Add any user defined headers */
+   for (; tmp; tmp = tmp->next)
+   {
+-    if ((p = strchr (tmp->data, ':')))
++    if ((p = strchr (NONULL (tmp->data), ':')))
+     {
+       q = p;
+
+@@ -2457,7 +2457,7 @@ static void encode_headers (LIST *h)
+
+   for (; h; h = h->next)
+   {
+-    if (!(p = strchr (h->data, ':')))
++    if (!(p = strchr (NONULL (h->data), ':')))
+       continue;
+
+     i = p - h->data;
diff --git a/mutt.spec b/mutt.spec
index 90d3b77..69debf5 100644
--- a/mutt.spec
+++ b/mutt.spec
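Review bot: The `NONULL()` guards in both hunks only make each consumer tolerate a NULL list entry; the producer the commit message describes (the place that `safe_strdup()`s the rfc2047-decoded field onto userhdrs) is not in this hunk and is still where an empty decode would become a NULL entry, so skipping empty results there would remove the condition instead of guarding every strchr. In the second hunk, `i = p - h->data` is safe only because a non-NULL `p` implies `h->data` was non-NULL (NONULL would have handed strchr an empty string otherwise); that is subtle enough to deserve `/* p != NULL implies h->data != NULL */` on the new line. Both mutt_write_rfc822_header and encode_headers continue outside their hunks.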
@@ -20,7 +20,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 2.2.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@@ -38,6 +38,9 @@ Patch9: mutt-1.9.0-ssl_ciphers.patch
 Patch10: mutt-1.9.4-lynx_no_backscapes.patch
 Patch12: mutt-1.9.5-nodotlock.patch
 Patch13: mutt-1.12.1-optusegpgagent.patch
+Patch0014: 0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
+Patch0015: 0015-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
+Patch0016: 0016-CVE-2023-4875-Check-for-NULL-userhdrs.patch
 Url: http://www.mutt.org
 Requires: mailcap, urlview
 
@@ -94,6 +97,9 @@ autoreconf --install
 %patch8 -p1 -b .system_certs
 %patch9 -p1 -b .ssl_ciphers
 %patch13 -p1 -b .optusegpgagent
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
 
@@ -212,6 +218,10 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
 
 %changelog
+* Wed Oct 11 2023 Matej Mužila - 5:2.2.6-2
+- Fix for: CVE-2023-4874 CVE-2023-4875
+- Resolves: RHEL-2812
+
 * Mon Jul 25 2022 Matej Mužila - 5:2.2.6-1
 - Rebase to upstream version 2.2.6 Resolves: CVE-2022-1328
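Review bot: The new tags `Patch0014`–`Patch0016` are zero-padded while every surrounding tag (`Patch12`, `Patch13`, ...) is not, and the `%prep` hunk applies them as `%patch14`–`%patch16`; rpm appears to match the tag by numeric value so the build should work, but the mixed spelling makes a future number/tag mismatch easy to miss. Following the existing lines, `Patch14: 0014-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch` (and likewise 15, 16) is the plainer form. The `%patch14 -p1` lines also omit the `-b` backup suffix every other `%patch` line carries, which looks accidental rather than deliberate. The changelog hunk runs past the end of the visible diff.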