Compare commits

..

No commits in common. "c8s" and "c8" have entirely different histories.
c8s ... c8

21 changed files with 31 additions and 336 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/mutt-2.0.7.tar.gz
/mutt-2.0.7.tar.gz
SOURCES/mutt-1.10.1.tar.gz

1
.mutt.metadata Normal file
View File

@ -0,0 +1 @@
584c3a5cd604813749da4d90c8c457a143ccd746 SOURCES/mutt-1.10.1.tar.gz

View File

@ -1,41 +0,0 @@
From 29754579de3a4e720ea0b30bc3e4c03dd905fd66 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 12:22:01 +0800
Subject: [PATCH] Fix rfc2047 base64 decoding to abort on illegal characters.
For some reason, the rfc2047 base64 decoder ignored illegal
characters, instead of aborting. This seems innocuous, but in fact
leads to at least three crash-bugs elsewhere in Mutt.
These stem from Mutt, in some cases, passing an entire header
field (name, colon, and body) to the rfc2047 decoder. (It is
technically incorrect to do so, by the way, but is beyond scope for
these fixes in stable). Mutt then assumes the result can't be empty
because of a previous check that the header contains at least a colon.
This commit takes care of the source of the crashes, by aborting the
rfc2047 decode. The following two commits add protective fixes to the
specific crash points.
Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
crashes, giving a working example draft message, and providing the
stack traces for the two NULL derefences.
(cherry picked from commit 452ee330e094bfc7c9a68555e5152b1826534555)
---
rfc2047.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfc2047.c b/rfc2047.c
index 488771bd..1a765b87 100644
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -716,7 +716,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
if (*pp == '=')
break;
if ((*pp & ~127) || (c = base64val(*pp)) == -1)
- continue;
+ goto error_out_0;
if (k + 6 >= 8)
{
k -= 2;

View File

@ -1,37 +0,0 @@
From 427e205f3f5759c153a1d424ac6f6a82ac16a352 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 14:11:48 +0800
Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.
In this case, an empty header line followed by a header line starting
with ":", would result in t==end.
The mutt_substrdup() further below would go very badly at that point,
with t >= end+1. This could result in either a memcpy onto NULL or a
huge malloc call.
Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw. This allowed me, with
further testing, to discover this additional crash bug.
(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
---
sendlib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sendlib.c b/sendlib.c
index 8fd5e6cb..8569e5cf 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2038,7 +2038,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));

View File

@ -1,47 +0,0 @@
From 74b4833b56212dbbac6f6353f6989f91176671a2 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Mon, 4 Sep 2023 12:50:07 +0800
Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
When composing an email, miscellaneous extra headers are stored in a
userhdrs list. Mutt first checks to ensure each header contains at
least a colon character, passes the entire userhdr field (name, colon,
and body) to the rfc2047 decoder, and safe_strdup()'s the result on
the userhdrs list. An empty result would from the decode would result
in a NULL headers being added to list.
The previous commit removed the possibility of the decoded header
field being empty, but it's prudent to add a check to the strchr
calls, in case there is another unexpected bug resulting in one.
Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
crashes, giving a working example draft message, and providing the
stack traces for the two NULL derefences.
(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
---
sendlib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sendlib.c b/sendlib.c
index 8569e5cf..007baac1 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2318,7 +2318,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
/* Add any user defined headers */
for (; tmp; tmp = tmp->next)
{
- if ((p = strchr (tmp->data, ':')))
+ if ((p = strchr (NONULL (tmp->data), ':')))
{
q = p;
@@ -2366,7 +2366,7 @@ static void encode_headers (LIST *h)
for (; h; h = h->next)
{
- if (!(p = strchr (h->data, ':')))
+ if (!(p = strchr (NONULL (h->data), ':')))
continue;
i = p - h->data;

View File

@ -1,7 +1,7 @@
diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head
--- mutt-1.8.0.orig/doc/Muttrc.head 2017-02-25 15:28:22.120997474 +0000
+++ mutt-1.8.0/doc/Muttrc.head 2017-02-25 15:30:10.643079681 +0000
@@ -24,13 +24,17 @@
@@ -24,12 +24,16 @@
# Show documentation when pressing F1
macro generic,pager <F1> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
@ -9,9 +9,8 @@ diff -ur mutt-1.8.0.orig/doc/Muttrc.head mutt-1.8.0/doc/Muttrc.head
+macro generic,pager <F2> "<shell-escape> less @docdir@/manual.txt<Enter>" "show Mutt documentation"
# show the incoming mailboxes list (just like "mutt -y") and back when pressing "y"
# note: these macros have been subsumed by the <browse-mailboxes> function.
# macro index y "<change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
# macro pager y "<exit><change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
macro index y "<change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
macro pager y "<exit><change-folder>?<toggle-mailboxes>" "show incoming mailboxes list"
bind browser y exit
+bind editor <delete> delete-char

View File

@ -5,8 +5,8 @@ diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95-new/init.h
*/
#if defined(USE_SSL)
#ifdef USE_SSL_GNUTLS
- { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p=0} },
+ { "ssl_ca_certificates_file", DT_PATH, R_NONE, {.p=&SslCACertFile}, {.p="/etc/ssl/certs/ca-bundle.crt"} },
- { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, 0 },
+ { "ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, "/etc/ssl/certs/ca-bundle.crt" },
/*
** .pp
** This variable specifies a file containing trusted CA certificates.

View File

@ -1,15 +1,15 @@
diff -ur mutt-1.8.0.orig/contrib/Makefile.am mutt-1.8.0/contrib/Makefile.am
--- mutt-1.8.0.orig/contrib/Makefile.am 2017-02-25 15:28:22.124997366 +0000
+++ mutt-1.8.0/contrib/Makefile.am 2017-02-25 15:48:10.834036861 +0000
@@ -6,7 +6,7 @@
@@ -5,7 +5,7 @@
SAMPLES = Mush.rc Pine.rc gpg.rc pgp2.rc pgp5.rc pgp6.rc Tin.rc \
sample.mailcap sample.muttrc sample.muttrc-sidebar sample.muttrc-tlr \
sample.muttrc-compress sample.muttrc-starter \
sample.vimrc-sidebar colors.default colors.linux smime.rc \
- ca-bundle.crt smime_keys_test.pl mutt_xtitle markdown2html \
+ smime_keys_test.pl mutt_xtitle markdown2html \
bgedit-detectgui.sh bgedit-screen-tmux.sh \
mutt_oauth2.py mutt_oauth2.py.README
sample.muttrc-compress sample.vimrc-sidebar colors.default colors.linux smime.rc \
- ca-bundle.crt smime_keys_test.pl mutt_xtitle
+ smime_keys_test.pl mutt_xtitle
EXTRA_DIST = language.txt language50.txt \
patch.slang-1.2.2.keypad.1 \
diff -ur mutt-1.8.0.orig/doc/smime-notes.txt mutt-1.8.0/doc/smime-notes.txt
--- mutt-1.8.0.orig/doc/smime-notes.txt 2017-02-25 15:28:22.119997501 +0000
+++ mutt-1.8.0/doc/smime-notes.txt 2017-02-25 16:06:38.986242390 +0000

View File

@ -5,28 +5,28 @@ diff -ur mutt-1.9.0.orig/init.h mutt-1.9.0/init.h
*/
# endif /* defined HAVE_SSL_PARTIAL_CHAIN */
# endif /* defined USE_SSL_OPENSSL */
- { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p=0} },
+ { "ssl_ciphers", DT_STR, R_NONE, {.p=&SslCiphers}, {.p="@SYSTEM"} },
- { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 },
+ { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL "@SYSTEM" },
/*
** .pp
** Contains a colon-separated list of ciphers to use when using SSL.
** Contains a colon-seperated list of ciphers to use when using SSL.
diff -ur mutt-1.9.0.orig/mutt_ssl_gnutls.c mutt-1.9.0/mutt_ssl_gnutls.c
--- mutt-1.9.0.orig/mutt_ssl_gnutls.c 2017-09-04 16:48:21.403528134 +0200
+++ mutt-1.9.0/mutt_ssl_gnutls.c 2017-09-04 16:51:16.081679141 +0200
@@ -286,6 +286,8 @@
else
mutt_buffer_strcpy (priority, "NORMAL");
safe_strcat (priority, priority_size, "NORMAL");
+if (SslCiphers && strcmp(SslCiphers, "@SYSTEM"))
+{
if (!option (OPTTLSV1_3))
if (! option(OPTTLSV1_2))
{
nproto--;
@@ -313,6 +315,7 @@
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
goto cleanup;
FREE (&priority);
return -1;
}
+}
if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0)
if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0)
{

View File

@ -5,8 +5,8 @@ diff -up mutt-1.9.1/doc/Makefile.am.lynx_no_backscapes mutt-1.9.1/doc/Makefile.a
check:
manual.txt: manual.html
- -LC_ALL=C lynx -localhost -dump -nolist -with_backspaces -display_charset=us-ascii manual.html > $@ || \
+ -LC_ALL=C lynx -localhost -dump -nolist -display_charset=us-ascii manual.html > $@ || \
LC_ALL=C w3m -T text/html -I utf-8 -O utf-8 -dump < manual.html > $@ || \
- -LC_ALL=C lynx -dump -nolist -with_backspaces -display_charset=us-ascii manual.html > $@ || \
+ -LC_ALL=C lynx -dump -nolist -display_charset=us-ascii manual.html > $@ || \
LC_ALL=C w3m -dump manual.html > $@ || \
LC_ALL=C elinks -dump -no-numbering -no-references manual.html | sed -e 's,\\001, ,g' > $@

View File

@ -19,8 +19,8 @@
Summary: A text mode mail user agent
Name: mutt
Version: 2.0.7
Release: 3%{?dist}
Version: 1.10.1
Release: 1%{?dist}
Epoch: 5
# The entire source code is GPLv2+ except
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@ -38,30 +38,14 @@ Patch8: mutt-1.5.23-system_certs.patch
Patch9: mutt-1.9.0-ssl_ciphers.patch
Patch10: mutt-1.9.4-lynx_no_backscapes.patch
Patch12: mutt-1.9.5-nodotlock.patch
# Fixs compatibility with previous versions
Patch13: mutt_disable_ssl_enforce.patch
Patch14: mutt-2.0.7-cve-2022-1328.patch
# CVE-2023-4874 CVE-2023-4875
Patch0015: 0015-Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch
Patch0016: 0016-CVE-2023-4874-Fix-write_one_header-illegal-header-ch.patch
Patch0017: 0017-CVE-2023-4875-Check-for-NULL-userhdrs.patch
# Coverity patches
# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/mutt-1.9.3-1.el8+7/scan-results-imp.html
Patch111: mutt-1.10.1-mutt-1.9.3-1_coverity_166.patch
Patch112: mutt-1.10.1-mutt-1.9.3-1_coverity_181.patch
Patch113: mutt-1.10.1-mutt-1.9.3-1_coverity_187_188_189_190.patch
Url: http://www.mutt.org
Requires: mailcap, urlview
BuildRequires: gcc, make
BuildRequires: gcc
BuildRequires: ncurses-devel, gettext, automake
# manual generation
BuildRequires: /usr/bin/xsltproc, docbook-style-xsl, perl-interpreter
BuildRequires: perl-generators
BuildRequires: lynx
BuildRequires: docbook2X
%if %{with hcache}
%{?with_tokyocabinet:BuildRequires: tokyocabinet-devel}
@ -106,16 +90,6 @@ autoreconf --install
%patch3 -p1 -b .syncdebug
%patch8 -p1 -b .system_certs
%patch9 -p1 -b .ssl_ciphers
%patch13 -p1
%patch14 -p1 -b .cve-2022-1328
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch111 -p1 -b .mutt-1.9.3-1_coverity_166
%patch112 -p1 -b .mutt-1.9.3-1_coverity_181
%patch113 -p1 -b .mutt-1.9.3-1_coverity_187_188_189_190.patch
sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
@ -167,8 +141,7 @@ rm -f mutt_ssl.c
%{?with_sidebar: --enable-sidebar} \
--with-docdir=%{_pkgdocdir}
#make %{?_smp_mflags}
%make_build
make %{?_smp_mflags}
# remove unique id in manual.html because multilib conflicts
sed -i -r 's/<a id="id[a-z0-9]\+">/<a id="id">/g' doc/manual.html
@ -205,10 +178,6 @@ rm -f %{buildroot}%{_mandir}/man5/mbox.5*
rm -f %{buildroot}%{_mandir}/man5/mmdf.5*
rm -rf %{buildroot}%{_pkgdocdir}
# remove /usr/share/info/dir
# prevents adding dir file without installed info utility
rm %{buildroot}%{_infodir}/dir
# provide muttrc.local(5): the same as muttrc(5)
ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
@ -224,38 +193,17 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
%config(noreplace) %{_sysconfdir}/Muttrc
%config(noreplace) %{_sysconfdir}/Muttrc.local
%{_bindir}/mutt
%{_bindir}/mutt_pgpring
%{_bindir}/pgpring
%{_bindir}/pgpewrap
%{_bindir}/smime_keys
%{_mandir}/man1/mutt.*
%{_mandir}/man1/smime_keys.*
%{_mandir}/man1/mutt_pgpring.*
%{_mandir}/man1/pgpring.*
%{_mandir}/man1/pgpewrap.*
%{_mandir}/man5/muttrc.*
%{_infodir}/mutt.info.*
%changelog
* Wed Oct 11 2023 Matej Mužila <mmuzila@redhat.com> - 5:2.0.7-3
- Fix for: CVE-2023-4874 CVE-2023-4875
- Resolves: RHEL-2811
* Thu Jul 21 2022 Matej Mužila <mmuzila@redhat.com> - 5:2.0.7-2
- Fix CVE-2022-1328 (#2109247)
* Wed May 5 2021 Filip Januš <fjanus@redhat.com> - 5:2.0.7-1
- Upgrade to v2.0.7
- New bug fix release
- Resolves: #1912614
* Thu Apr 8 2021 Filip Januš <fjanus@redhat.com> - 5:2.0.6-1
- Upgrade to v2.0.6
- Resolves: #1912614
* Thu Jun 13 2019 Matej Mužila <mmuzila@redhat.com> - 5:1.10.1-2
- Fix Coverity issues
- Resolves: #1602622
* Tue Jul 17 2018 Matej Mužila <mmuzila@redhat.com> - 5:1.10.1-1
- Upgrade to 1.10.1

View File

@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

View File

@ -1,11 +0,0 @@
diff -up mutt-1.10.1/query.c.mutt-1.9.3-1_coverity_166 mutt-1.10.1/query.c
--- mutt-1.10.1/query.c.mutt-1.9.3-1_coverity_166 2018-11-26 11:54:55.078468192 +0100
+++ mutt-1.10.1/query.c 2018-11-26 11:55:12.035710707 +0100
@@ -443,6 +443,7 @@ static void query_menu (char *buf, size_
}
mutt_create_alias (NULL, naddr);
+ rfc822_free_address (&naddr);
}
else
{

View File

@ -1,12 +0,0 @@
diff -up mutt-1.10.1/send.c.mutt-1.9.3-1_coverity_181 mutt-1.10.1/send.c
--- mutt-1.10.1/send.c.mutt-1.9.3-1_coverity_181 2018-11-26 12:08:42.615216677 +0100
+++ mutt-1.10.1/send.c 2018-11-26 12:08:52.007351542 +0100
@@ -243,7 +243,7 @@ static int edit_envelope (ENVELOPE *en)
if (ascii_strncasecmp ("subject:", uh->data, 8) == 0)
{
p = skip_email_wsp(uh->data + 8);
- strncpy (buf, p, sizeof (buf));
+ strfcpy (buf, p, sizeof (buf));
}
}
}

View File

@ -1,31 +0,0 @@
diff -up mutt-1.10.1/sendlib.c.mutt-1.9.3-1_coverity_187_188_189_190 mutt-1.10.1/sendlib.c
--- mutt-1.10.1/sendlib.c.mutt-1.9.3-1_coverity_187_188_189_190 2018-11-26 12:34:51.007894823 +0100
+++ mutt-1.10.1/sendlib.c 2018-11-26 12:35:08.374143006 +0100
@@ -1815,11 +1815,15 @@ static int write_one_header (FILE *fp, i
NONULL(pfx), valbuf, max, wraplen));
if (pfx && *pfx)
if (fputs (pfx, fp) == EOF)
+ {
+ FREE(&valbuf);
return -1;
+ }
if (!(t = strchr (valbuf, ':')))
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
+ FREE(&valbuf);
return 0;
}
if (print_val (fp, pfx, valbuf, flags, mutt_strlen (pfx)) < 0)
@@ -1861,7 +1865,11 @@ static int write_one_header (FILE *fp, i
"max width = %d > %d\n",
NONULL(pfx), valbuf, max, wraplen));
if (fold_one_header (fp, tagbuf, valbuf, pfx, wraplen, flags) < 0)
+ {
+ FREE (&tagbuf);
+ FREE (&valbuf);
return -1;
+ }
FREE (&tagbuf);
FREE (&valbuf);
}

View File

@ -1,40 +0,0 @@
From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Tue, 5 Apr 2022 11:05:52 -0700
Subject: [PATCH] Fix uudecode buffer overflow.
mutt_decode_uuencoded() used each line's initial "length character"
without any validation. It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.
As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust. However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.
Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
---
handler.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/handler.c b/handler.c
index d1b4bc73..c97cf0cb 100644
--- a/handler.c
+++ b/handler.c
@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
pt = tmps;
linelen = decode_byte (*pt);
pt++;
- for (c = 0; c < linelen;)
+ for (c = 0; c < linelen && *pt;)
{
- for (l = 2; l <= 6; l += 2)
+ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
{
out = decode_byte (*pt) << l;
pt++;
--
2.34.1

View File

@ -1,26 +0,0 @@
Based on https://gitlab.com/muttmua/mutt/-/commit/9204b24e99767ae06b5df25eca55c028d702528b
This patch disable enforcing of ssl
diff -ur mutt-2.0.2/doc/manual.xml.head mutt_patch/doc/manual.xml.head
--- mutt-2.0.2/doc/manual.xml.head 2020-11-07 21:30:03.000000000 +0100
+++ mutt_patch/doc/manual.xml.head 2021-01-27 20:21:05.964647359 +0100
@@ -9104,7 +9104,7 @@
<para>
When connecting through a <link linkend="tunnel">$tunnel</link>
and <link linkend="tunnel-is-secure">$tunnel_is_secure</link> is
- set (the default), Mutt will assume the connection to the server
+ set (Not the default!), Mutt will assume the connection to the server
through the pipe is already secured. Mutt will ignore <link
linkend="ssl-starttls">$ssl_starttls</link> and <link
linkend="ssl-force-tls">$ssl_force_tls</link>, behaving as if TLS
diff -ur mutt-2.0.2/init.h mutt_patch/init.h
--- mutt-2.0.2/init.h 2020-11-20 02:28:59.000000000 +0100
+++ mutt_patch/init.h 2021-01-27 20:20:09.696052996 +0100
@@ -4021,7 +4021,7 @@
** The file containing a client certificate and its associated private
** key.
*/
- { "ssl_force_tls", DT_BOOL, R_NONE, {.l=OPTSSLFORCETLS}, {.l=1} },
+ { "ssl_force_tls", DT_BOOL, R_NONE, {.l=OPTSSLFORCETLS}, {.l=0} },
/*
** .pp
** If this variable is \fIset\fP, Mutt will require that all connections

View File

@ -1 +0,0 @@
SHA512 (mutt-2.0.7.tar.gz) = 1eb689fb9e6aa3cf0bcd0b696c25477cd04b74d8ec93404df071de6dc051e46bbad88131cdf610eb01df4789984707f3791366ae2fda28de2d2739aeb9d34e30