From 7cab1ae097f9f74fa209b20b343bf51c14cee26d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 28 May 2007 14:48:11 +0000
Subject: [PATCH] - validate msgid in APOP authentication (CVE-2007-1558) - fix overflow in gecos field handling (CVE-2007-2683)
---
 mutt-apopmsgid.patch | 91 ++++++++++++++++++++++++++++++++++++++++++++
 mutt-gecos.patch | 20 ++++++++++
 mutt.spec | 10 ++++-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 mutt-apopmsgid.patch
 create mode 100644 mutt-gecos.patch
diff --git a/mutt-apopmsgid.patch b/mutt-apopmsgid.patch
new file mode 100644
index 0000000..5d86645
--- /dev/null
+++ b/mutt-apopmsgid.patch
@@ -0,0 +1,91 @@
+# HG changeset patch
+# User Brendan Cully
+# Date 1175552458 25200
+# Node ID 4adb236ca78d25cd6eb4805da033a0951b62b0dd
+# Parent e363d7a6904653f2b5acc17f6ea0da526bb63711
+Validate msgid in APOP authentication. Closes #2846
+
+diff -r e363d7a69046 -r 4adb236ca78d pop_auth.c
+--- a/pop_auth.c Tue Apr 03 08:59:11 2007 -0700
++++ b/pop_auth.c Mon Apr 02 15:20:58 2007 -0700
+@@ -183,6 +183,13 @@ static pop_auth_res_t pop_auth_apop (POP
+ if (!pop_data->timestamp)
+ return POP_A_UNAVAIL;
+
++ if (rfc822_valid_msgid (pop_data->timestamp) < 0)
++ {
++ mutt_error _("POP timestamp is invalid!");
++ mutt_sleep (2);
++ return POP_A_UNAVAIL;
++ }
++
+ mutt_message _("Authenticating (APOP)...");
+
+ /* Compute the authentication hash to send to the server */
+diff -r e363d7a69046 -r 4adb236ca78d rfc822.c
+--- a/rfc822.c Tue Apr 03 08:59:11 2007 -0700
++++ b/rfc822.c Mon Apr 02 15:20:58 2007 -0700
+@@ -792,6 +792,52 @@ ADDRESS *rfc822_append (ADDRESS **a, ADD
+ return tmp;
+ }
+
++/* incomplete. Only used to thwart the APOP MD5 attack (#2846). */
++int rfc822_valid_msgid (const char *msgid)
++{
++ /* msg-id = "<" addr-spec ">"
++ * addr-spec = local-part "@" domain
++ * local-part = word *("." word)
++ * word = atom / quoted-string
++ * atom = 1*
++ * CHAR = ( 0.-127. )
++ * specials = "(" / ")" / "<" / ">" / "@"
++ / "," / ";" / ":" / "\" / <">
++ / "." / "[" / "]"
++ * SPACE = ( 32. )
++ * CTLS = ( 0.-31., 127.)
++ * quoted-string = <"> *(qtext/quoted-pair) <">
++ * qtext = , "\" and CR>
++ * CR = ( 13. )
++ * quoted-pair = "\" CHAR
++ * domain = sub-domain *("." sub-domain)
++ * sub-domain = domain-ref / domain-literal
++ * domain-ref = atom
++ * domain-literal = "[" *(dtext / quoted-pair) "]"
++ */
++
++ char* dom;
++ unsigned int l, i;
++
++ if (!msgid || !*msgid)
++ return -1;
++
++ l = mutt_strlen (msgid);
++ if (l < 5) /* */
++ return -1;
++ if (msgid[0] != '<' || msgid[l-1] != '>')
++ return -1;
++ if (!(dom = strrchr (msgid, '@')))
++ return -1;
++
++ /* TODO: complete parser */
++ for (i = 0; i < l; i++)
++ if ((unsigned char)msgid[i] > 127)
++ return -1;
++
++ return 0;
++}
++
+ #ifdef TESTING
+ int safe_free (void **p) /* __SAFE_FREE_CHECKED__ */
+ {
+diff -r e363d7a69046 -r 4adb236ca78d rfc822.h
+--- a/rfc822.h Tue Apr 03 08:59:11 2007 -0700
++++ b/rfc822.h Mon Apr 02 15:20:58 2007 -0700
+@@ -52,6 +52,7 @@ void rfc822_write_address_single (char *
+ void rfc822_write_address_single (char *, size_t, ADDRESS *, int);
+ void rfc822_free_address (ADDRESS **addr);
+ void rfc822_cat (char *, size_t, const char *, const char *);
++int rfc822_valid_msgid (const char *msgid);
+
+ extern int RFC822Error;
+ extern const char *RFC822Errors[];
diff --git a/mutt-gecos.patch b/mutt-gecos.patch
new file mode 100644
index 0000000..0b10087
--- /dev/null
+++ b/mutt-gecos.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Brendan Cully
+# Date 1178561955 25200
+# Node ID 47d08903b79b78ce26516de97682b244d3573c47
+# Parent f6861b85f22b1656a870aeabad83a1bbd9794af9
+Use signed arithmetic in mutt_gecos_name to avoid an overflow.
+Closes #2885.
+
+diff -r f6861b85f22b -r 47d08903b79b muttlib.c
+--- a/muttlib.c Wed May 02 10:50:07 2007 -0700
++++ b/muttlib.c Mon May 07 11:19:15 2007 -0700
+@@ -540,7 +540,7 @@ char *mutt_gecos_name (char *dest, size_
+ if (dest[idx] == '&')
+ {
+ memmove (&dest[idx + pwnl], &dest[idx + 1],
+- MAX(destlen - idx - pwnl - 1, 0));
++ MAX((ssize_t)(destlen - idx - pwnl - 1), 0));
+ memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
+ dest[idx] = toupper ((unsigned char) dest[idx]);
+ }
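Review bot: `rfc822_valid_msgid` in the rfc822.c hunk of mutt-apopmsgid.patch rejects only bytes above 127, while the grammar quoted in its own comment also excludes SPACE and CTLs (0-31 and 127) from atoms, so a timestamp carrying control bytes still passes the new check. The `dom` result of `strrchr` is tested for NULL and then never read, which leaves `<@host>` and `<user@>` accepted and may draw a set-but-unused warning. Both are cheap to tighten without the full parser the TODO promises: after the `strrchr` test add `if (dom == msgid + 1 || dom[1] == '>') return -1;` and widen the loop test to `if ((unsigned char)msgid[i] > 127 || (unsigned char)msgid[i] < 32 || msgid[i] == 127)`. SPACE is deliberately left alone because the quoted-string form in the same grammar can contain one; the function is contained entirely within the hunk.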
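Review bot: The `(ssize_t)` cast in the muttlib.c hunk of mutt-gecos.patch is applied after `destlen - idx - pwnl - 1` has already wrapped in unsigned arithmetic (presumably `size_t destlen`; the signature is cut off in the inner hunk header), so the fix depends on the implementation-defined conversion of an out-of-range unsigned value to a signed type rather than on avoiding the overflow. A range check before the subtraction is portable and self-documenting: `size_t tail = (idx + pwnl + 1 < destlen) ? destlen - idx - pwnl - 1 : 0;` followed by `memmove (&dest[idx + pwnl], &dest[idx + 1], tail);`. The `MIN(destlen - idx - 1, pwnl)` on the following context line has the same unsigned subtraction and would wrap if `idx + 1` ever exceeded `destlen`, though whether the surrounding loop allows that is not visible here; `mutt_gecos_name` starts and ends outside the hunk.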
diff --git a/mutt.spec b/mutt.spec
index 3cd3a6a..c6ebcfb 100644
--- a/mutt.spec
+++ b/mutt.spec
@@ -1,7 +1,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 1.5.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 5
 License: GPL
 Group: Applications/Internet
@@ -15,6 +15,8 @@ Patch4: mutt-1.5.13-manual.patch
 Patch5: urlview-0.9-default.patch
 Patch6: urlview.diff
 Patch7: mutt-1.5.14-checkmboxsize.patch
+Patch8: mutt-apopmsgid.patch
+Patch9: mutt-gecos.patch
 Url: http://www.mutt.org/
 Requires: /usr/sbin/sendmail webclient mailcap
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -39,6 +41,8 @@ you are going to use.
 %patch5 -p0 -b .default
 %patch6 -p0 -b .build
 %patch7 -p1 -b .checkmboxsize
+%patch8 -p1 -b .apopmsgid
+%patch9 -p1 -b .gecos
 
 install -p -m644 %{SOURCE1} mutt_ldap_query
 
@@ -117,6 +121,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/muttrc.*
 
 %changelog
+* Mon May 28 2007 Miroslav Lichvar 5:1.5.14-4
+- validate msgid in APOP authentication (CVE-2007-1558)
+- fix overflow in gecos field handling (CVE-2007-2683)
+
 * Mon Mar 19 2007 Miroslav Lichvar 5:1.5.14-3
 - fix building