!44 Fix CVE-2022-1328

From: @starlet-dx Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-04-24 07:43:19 +00:00 · 2022-04-24 07:43:19 +00:00 · 152aca22e6
commit 152aca22e6
parent 303cd9d1ad 7b4a548f7c
2 changed files with 48 additions and 3 deletions
--- a/CVE-2022-1328.patch
+++ b/CVE-2022-1328.patch
@ -0,0 +1,40 @@
+From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: [PATCH] Fix uudecode buffer overflow.
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation.  It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust.  However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index d1b4bc73..c97cf0cb 100644
+--- a/handler.c
+++ b/handler.c
+@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
+     pt = tmps;
+     linelen = decode_byte (*pt);
+     pt++;
+-    for (c = 0; c < linelen;)
+    for (c = 0; c < linelen && *pt;)
+     {
+-      for (l = 2; l <= 6; l += 2)
+      for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+       {
+ 	out = decode_byte (*pt) << l;
+ 	pt++;
+-- 
+GitLab
+
--- a/mutt.spec
+++ b/mutt.spec
@ -1,6 +1,6 @@
 Name:           mutt
 Version:        2.1.3
-Release:        1
+Release:        2
 Epoch:          5
 Summary:        Text-based mail client
 License:        GPLv2+ and Public Domain
@ -16,6 +16,8 @@ Patch5:         mutt-1.9.4-lynx_no_backscapes.patch
 Patch6:         mutt-1.9.5-nodotlock.patch
 Patch7:         mutt-1.10.0-muttrc.patch
 Patch8:         mutt-1.12.1-optusegpgagent.patch
+#https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5.patch
+Patch9:         CVE-2022-1328.patch

 BuildRequires:  gcc ncurses-devel gettext automake /usr/bin/xsltproc
 BuildRequires:  lynx docbook-style-xsl perl-interpreter perl-generators
@ -123,16 +125,19 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
 %{_infodir}/mutt.info.*

 %changelog
+* Sun Apr 24 2022 yaoxin <yaoxin30@h-partners.com> - 2.1.3-2
+- Fix CVE-2022-1328
+
 * Tue Dec 28 2021 gaihuiying1<gaihuiying@huawei.com> - 2.1.3-1
 - Type:requirement
 - Id:NA
 - SUG:NA
 - DESC:update mutt to 2.1.3

- Fri Oct 15 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-7
+* Fri Oct 15 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-7
 - fix CVE-2020-14154

- Tue Jul 27 2021 wangyue<wangyue92@huawei.com> - 1.10.1-6
+* Tue Jul 27 2021 wangyue<wangyue92@huawei.com> - 1.10.1-6
 - fix CVE-2020-14093

 * Fri Jul 23 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-5