48 lines
1.7 KiB
Diff
48 lines
1.7 KiB
Diff
From d9e00fa1a7c0f30529d71d818a4e1518f1537053 Mon Sep 17 00:00:00 2001
|
|
From: Kevin McCarthy <kevin@8t8.us>
|
|
Date: Mon, 4 Sep 2023 12:50:07 +0800
|
|
Subject: [PATCH] (CVE-2023-4875) Check for NULL userhdrs.
|
|
|
|
When composing an email, miscellaneous extra headers are stored in a
|
|
userhdrs list. Mutt first checks to ensure each header contains at
|
|
least a colon character, passes the entire userhdr field (name, colon,
|
|
and body) to the rfc2047 decoder, and safe_strdup()'s the result on
|
|
the userhdrs list. An empty result would from the decode would result
|
|
in a NULL headers being added to list.
|
|
|
|
The previous commit removed the possibility of the decoded header
|
|
field being empty, but it's prudent to add a check to the strchr
|
|
calls, in case there is another unexpected bug resulting in one.
|
|
|
|
Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
|
|
crashes, giving a working example draft message, and providing the
|
|
stack traces for the two NULL derefences.
|
|
|
|
(cherry picked from commit 4cc3128abdf52c615911589394a03271fddeefc6)
|
|
---
|
|
sendlib.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/sendlib.c b/sendlib.c
|
|
index 7d2feb62..ed4d7a25 100644
|
|
--- a/sendlib.c
|
|
+++ b/sendlib.c
|
|
@@ -2409,7 +2409,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
|
|
/* Add any user defined headers */
|
|
for (; tmp; tmp = tmp->next)
|
|
{
|
|
- if ((p = strchr (tmp->data, ':')))
|
|
+ if ((p = strchr (NONULL (tmp->data), ':')))
|
|
{
|
|
q = p;
|
|
|
|
@@ -2457,7 +2457,7 @@ static void encode_headers (LIST *h)
|
|
|
|
for (; h; h = h->next)
|
|
{
|
|
- if (!(p = strchr (h->data, ':')))
|
|
+ if (!(p = strchr (NONULL (h->data), ':')))
|
|
continue;
|
|
|
|
i = p - h->data;
|