diff --git a/SOURCES/mutt-2.0.7-cve-2022-1328.patch b/SOURCES/mutt-2.0.7-cve-2022-1328.patch
new file mode 100644
index 0000000..71d9818
--- /dev/null
+++ b/SOURCES/mutt-2.0.7-cve-2022-1328.patch
@@ -0,0 +1,40 @@
+From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: [PATCH] Fix uudecode buffer overflow.
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation. It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust. However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index d1b4bc73..c97cf0cb 100644
+--- a/handler.c
++++ b/handler.c
+@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
+ pt = tmps;
+ linelen = decode_byte (*pt);
+ pt++;
+- for (c = 0; c < linelen;)
++ for (c = 0; c < linelen && *pt;)
+ {
+- for (l = 2; l <= 6; l += 2)
++ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+ {
+ out = decode_byte (*pt) << l;
+ pt++;
+--
+2.34.1
+
diff --git a/SPECS/mutt.spec b/SPECS/mutt.spec
index b555ac2..ea7e404 100644
--- a/SPECS/mutt.spec
+++ b/SPECS/mutt.spec
@@ -20,7 +20,7 @@ Summary: A text mode mail user agent
 Name: mutt
 Version: 2.0.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
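Review bot: The two new loop guards in the embedded handler.c hunk stop the decoder at the NUL terminator of `tmps`, but `linelen` itself is still taken unvalidated from `decode_byte (*pt)` on the line above, so a line whose declared length exceeds its actual content now decodes silently short instead of overrunning; the commit message states this narrow scope is deliberate, and it deserves a comment at the changed `for` lines so the next maintainer does not "simplify" the guards away, e.g. `/* linelen comes from the message and is not bounded by the line; stop at the NUL (CVE-2022-1328) */`. The `*pt && *(pt + 1)` test in the inner loop appears to cover the read at `out = decode_byte (*pt) << l;` and a following read after `pt++`, but that second read and the rest of `mutt_decode_uuencoded` lie outside the hunk, so whether every read in the body is covered cannot be confirmed from here. The `From:` line of the embedded patch carries no address; if that is the file's actual content rather than a rendering artifact, `git am` would record the author without an email and the `<email>` should be restored.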
@@ -40,6 +40,8 @@ Patch10: mutt-1.9.4-lynx_no_backscapes.patch
 Patch12: mutt-1.9.5-nodotlock.patch
 # Fixs compatibility with previous versions
 Patch13: mutt_disable_ssl_enforce.patch
+Patch14: mutt-2.0.7-cve-2022-1328.patch
+
 # Coverity patches
 # https://cov01.lab.eng.brq.redhat.com/el8-results/el8/mutt-1.9.3-1.el8+7/scan-results-imp.html
 Patch111: mutt-1.10.1-mutt-1.9.3-1_coverity_166.patch
@@ -100,6 +102,7 @@ autoreconf --install
 %patch8 -p1 -b .system_certs
 %patch9 -p1 -b .ssl_ciphers
 %patch13 -p1
+%patch14 -p1 -b .cve-2022-1328
 %patch111 -p1 -b .mutt-1.9.3-1_coverity_166
 %patch112 -p1 -b .mutt-1.9.3-1_coverity_181
@@ -224,6 +227,9 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
 %changelog
+* Thu Jul 21 2022 Matej Mužila - 5:2.0.7-2
+- Fix CVE-2022-1328 (#2109247)
+
 * Wed May 5 2021 Filip Januš - 5:2.0.7-1
 - Upgrade to v2.0.7
 - New bug fix release