Hi,

On Sun, Sep 10, 2023 at 01:38:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> > On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> > > Source: mutt
> > > Version: 2.2.9-1
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > >
> > > Hi,
> > >
> > > The following vulnerabilities were published for mutt.
> > >
> > > CVE-2023-4874[0]:
> > > | Null pointer dereference when viewing a specially crafted email in
> > > | Mutt >1.5.2 <2.2.12
> > >
> > >
> > > CVE-2023-4875[1]:
> > > | Null pointer dereference when composing from a specially crafted
> > > | draft message in Mutt >1.5.2 <2.2.12
> > >
> > > Make sure to include all three commits referenced from [2], the last
> > > one is technically not part of the two CVEs, but another crash found
> > > by upstream.
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
> > >     https://www.cve.org/CVERecord?id=CVE-2023-4874
> > > [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
> > >     https://www.cve.org/CVERecord?id=CVE-2023-4875
> > > [2] http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/000056.html
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > Thanks for raising this, I'm uploading the new packages with the fixes
> > today.
>
> FWIW, I have done the bookworm-security upload already to
> security-master, and still working on the bullseye-security one (with
> plan to release the DSA tonight ideally).
Here are the debdiffs for those.

Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog --- mutt-2.0.5/debian/changelog 2022-12-07 22:39:58.000000000 +0100 +++ mutt-2.0.5/debian/changelog 2023-09-10 13:53:23.000000000 +0200 @@ -1,3 +1,14 @@ +mutt (2.0.5-4.1+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix rfc2047 base64 decoding to abort on illegal characters. + (CVE-2023-4874, CVE-2023-4875) (Closes: #1051563) + * Check for NULL userhdrs. (CVE-2023-4875) (Closes: #1051563) + * Fix write_one_header() illegal header check. (CVE-2023-4874) + (Closes: #1051563) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 10 Sep 2023 13:53:23 +0200 + mutt (2.0.5-4.1+deb11u2) bullseye; urgency=medium * Non-maintainer upload. diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series --- mutt-2.0.5/debian/patches/series 2022-12-07 22:39:58.000000000 +0100 +++ mutt-2.0.5/debian/patches/series 2023-09-10 13:53:23.000000000 +0200 @@ -18,3 +18,6 @@ upstream/Fix-gpgme-crash-when-listing-keys-in-a-public-key-bl.patch upstream/Fix-public-key-block-listing-for-old-versions-of-gpg.patch upstream/Add-a-check-for-key-uids-in-create_recipient_set.patch +upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch +upstream/Check-for-NULL-userhdrs.patch +upstream/Fix-write_one_header-illegal-header-check.patch diff -Nru mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch --- mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.0.5/debian/patches/upstream/Check-for-NULL-userhdrs.patch 2023-09-10 13:53:23.000000000 +0200 
@@ -0,0 +1,50 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Mon, 4 Sep 2023 12:50:07 +0800 +Subject: Check for NULL userhdrs. +Origin: https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875 + +When composing an email, miscellaneous extra headers are stored in a +userhdrs list. Mutt first checks to ensure each header contains at +least a colon character, passes the entire userhdr field (name, colon, +and body) to the rfc2047 decoder, and safe_strdup()'s the result on +the userhdrs list. An empty result would from the decode would result +in a NULL headers being added to list. + +The previous commit removed the possibility of the decoded header +field being empty, but it's prudent to add a check to the strchr +calls, in case there is another unexpected bug resulting in one. + +Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr +crashes, giving a working example draft message, and providing the +stack traces for the two NULL derefences. 
+--- + sendlib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sendlib.c b/sendlib.c +index c2283972f1d3..763bff4117f2 100644 +--- a/sendlib.c ++++ b/sendlib.c +@@ -2418,7 +2418,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date, + /* Add any user defined headers */ + for (; tmp; tmp = tmp->next) + { +- if ((p = strchr (tmp->data, ':'))) ++ if ((p = strchr (NONULL (tmp->data), ':'))) + { + q = p; + +@@ -2466,7 +2466,7 @@ static void encode_headers (LIST *h) + + for (; h; h = h->next) + { +- if (!(p = strchr (h->data, ':'))) ++ if (!(p = strchr (NONULL (h->data), ':'))) + continue; + + i = p - h->data; +-- +2.40.1 + diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch mutt-2.0.5/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch --- mutt-2.0.5/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.0.5/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch 2023-09-10 13:53:23.000000000 +0200 
@@ -0,0 +1,45 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Sun, 3 Sep 2023 12:22:01 +0800 +Subject: Fix rfc2047 base64 decoding to abort on illegal characters. +Origin: https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874 + +For some reason, the rfc2047 base64 decoder ignored illegal +characters, instead of aborting. This seems innocuous, but in fact +leads to at least three crash-bugs elsewhere in Mutt. + +These stem from Mutt, in some cases, passing an entire header +field (name, colon, and body) to the rfc2047 decoder. (It is +technically incorrect to do so, by the way, but is beyond scope for +these fixes in stable). Mutt then assumes the result can't be empty +because of a previous check that the header contains at least a colon. + +This commit takes care of the source of the crashes, by aborting the +rfc2047 decode. The following two commits add protective fixes to the +specific crash points. + +Thanks to Chenyuan Mi (@morningbread) for discovering the strchr +crashes, giving a working example draft message, and providing the +stack traces for the two NULL derefences. 
+--- + rfc2047.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rfc2047.c b/rfc2047.c +index 1ce82ebbe49a..36cc76dbc402 100644 +--- a/rfc2047.c ++++ b/rfc2047.c +@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset) + if (*pp == '=') + break; + if ((*pp & ~127) || (c = base64val(*pp)) == -1) +- continue; ++ goto error_out_0; + if (k + 6 >= 8) + { + k -= 2; +-- +2.40.1 + diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch mutt-2.0.5/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch --- mutt-2.0.5/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.0.5/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch 2023-09-10 13:53:23.000000000 +0200 
@@ -0,0 +1,40 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Sun, 3 Sep 2023 14:11:48 +0800 +Subject: Fix write_one_header() illegal header check. +Origin: https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874 + +This is another crash caused by the rfc2047 decoding bug fixed in the +second prior commit. + +In this case, an empty header line followed by a header line starting +with ":", would result in t==end. + +The mutt_substrdup() further below would go very badly at that point, +with t >= end+1. This could result in either a memcpy onto NULL or a +huge malloc call. + +Thanks to Chenyuan Mi (@morningbread) for giving a working example +draft message of the rfc2047 decoding flaw. This allowed me, with +further testing, to discover this additional crash bug. +--- + sendlib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sendlib.c b/sendlib.c +index 763bff4117f2..204b13085227 100644 +--- a/sendlib.c ++++ b/sendlib.c +@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen, + else + { + t = strchr (start, ':'); +- if (!t || t > end) ++ if (!t || t >= end) + { + dprint (1, (debugfile, "mwoh: warning: header not in " + "'key: value' format!\n")); +-- +2.40.1 +
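Review bot: the changelog bullet `* Fix write_one_header() illegal header check. (CVE-2023-4874)` attributes the third commit to that CVE, while the bug report quoted above says the last of the three upstream commits "is technically not part of the two CVEs, but another crash found by upstream"; the DEP-3 header of that patch also carries `Bug-Debian-Security: .../CVE-2023-4874`, so either the tracker should record that the CVE covers this crash too, or the bullet should describe it as a related hardening fix, so that the changelog and the security tracker do not disagree about what CVE-2023-4874 covers.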
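Review bot: in the `Check-for-NULL-userhdrs.patch` hunks the two `strchr` calls are guarded with `NONULL()`, but the NULL entry itself stays on the userhdrs list; the commit message identifies the origin as `safe_strdup()` of an empty decode result ("An empty result ... would result in a NULL headers being added to list"), so the cleaner guard is to skip or drop the entry at that point rather than rely on every later consumer of `tmp->data` / `h->data` wrapping it. As written the hunks are safe: `strchr("", ':')` returns NULL, so `continue` (second hunk) or the skipped `if` body (first hunk) fires before `i = p - h->data` or `q = p` can touch the NULL pointer; a one-line comment at the `NONULL()` saying that a NULL entry is possible would make that dependency visible.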
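Review bot: in the `rfc2047.c` hunk the new `goto error_out_0;` jumps to a label whose cleanup is outside the visible context; it should be confirmed that `error_out_0` releases whatever was accumulated in `d` and `*charset` before the illegal character was hit, since the original `continue` never left the function from this point. The behaviour change is also user-visible: an encoded-word with a stray character was previously decoded with that character skipped and is now rejected and shown undecoded, which is the intended fix for the crash but deserves a sentence in the changelog so bug reports about "broken" subject lines can be triaged quickly.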
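Review bot: in the `write_one_header()` hunk the change from `t > end` to `t >= end` is correct per the commit message (an empty header line followed by a line starting with `:` yields `t == end`, which `mutt_substrdup()` further down cannot handle), but a one-character comparison fix like this is easy to revert by accident in a later merge; a short comment at the `if (!t || t >= end)` line recording that `t == end` must be treated as malformed would preserve the reasoning, and the `dprint` message could mention that the header is being dropped so the debug log explains why a user-defined header disappeared.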
diff -Nru mutt-2.2.9/debian/changelog mutt-2.2.9/debian/changelog --- mutt-2.2.9/debian/changelog 2022-11-13 18:01:34.000000000 +0100 +++ mutt-2.2.9/debian/changelog 2023-09-10 12:57:40.000000000 +0200 @@ -1,3 +1,14 @@ +mutt (2.2.9-1+deb12u1) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix rfc2047 base64 decoding to abort on illegal characters. + (CVE-2023-4874, CVE-2023-4875) (Closes: #1051563) + * Check for NULL userhdrs. (CVE-2023-4875) (Closes: #1051563) + * Fix write_one_header() illegal header check. (CVE-2023-4874) + (Closes: #1051563) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 10 Sep 2023 12:57:40 +0200 + mutt (2.2.9-1) unstable; urgency=medium * New upstream release diff -Nru mutt-2.2.9/debian/patches/series mutt-2.2.9/debian/patches/series --- mutt-2.2.9/debian/patches/series 2022-04-15 23:17:04.000000000 +0200 +++ mutt-2.2.9/debian/patches/series 2023-09-10 12:57:40.000000000 +0200 @@ -11,3 +11,6 @@ misc/gpg.rc-paths.patch misc/smime.rc.patch upstream/528233-readonly-open.patch +upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch +upstream/Check-for-NULL-userhdrs.patch +upstream/Fix-write_one_header-illegal-header-check.patch diff -Nru mutt-2.2.9/debian/patches/upstream/Check-for-NULL-userhdrs.patch mutt-2.2.9/debian/patches/upstream/Check-for-NULL-userhdrs.patch --- mutt-2.2.9/debian/patches/upstream/Check-for-NULL-userhdrs.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.2.9/debian/patches/upstream/Check-for-NULL-userhdrs.patch 2023-09-10 12:57:40.000000000 +0200 
@@ -0,0 +1,50 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Mon, 4 Sep 2023 12:50:07 +0800 +Subject: Check for NULL userhdrs. +Origin: https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875 + +When composing an email, miscellaneous extra headers are stored in a +userhdrs list. Mutt first checks to ensure each header contains at +least a colon character, passes the entire userhdr field (name, colon, +and body) to the rfc2047 decoder, and safe_strdup()'s the result on +the userhdrs list. An empty result would from the decode would result +in a NULL headers being added to list. + +The previous commit removed the possibility of the decoded header +field being empty, but it's prudent to add a check to the strchr +calls, in case there is another unexpected bug resulting in one. + +Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr +crashes, giving a working example draft message, and providing the +stack traces for the two NULL derefences. 
+--- + sendlib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sendlib.c b/sendlib.c +index c2283972f1d3..763bff4117f2 100644 +--- a/sendlib.c ++++ b/sendlib.c +@@ -2418,7 +2418,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date, + /* Add any user defined headers */ + for (; tmp; tmp = tmp->next) + { +- if ((p = strchr (tmp->data, ':'))) ++ if ((p = strchr (NONULL (tmp->data), ':'))) + { + q = p; + +@@ -2466,7 +2466,7 @@ static void encode_headers (LIST *h) + + for (; h; h = h->next) + { +- if (!(p = strchr (h->data, ':'))) ++ if (!(p = strchr (NONULL (h->data), ':'))) + continue; + + i = p - h->data; +-- +2.40.1 + diff -Nru mutt-2.2.9/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch mutt-2.2.9/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch --- mutt-2.2.9/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.2.9/debian/patches/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch 2023-09-10 12:57:40.000000000 +0200 
@@ -0,0 +1,45 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Sun, 3 Sep 2023 12:22:01 +0800 +Subject: Fix rfc2047 base64 decoding to abort on illegal characters. +Origin: https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4875 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874 + +For some reason, the rfc2047 base64 decoder ignored illegal +characters, instead of aborting. This seems innocuous, but in fact +leads to at least three crash-bugs elsewhere in Mutt. + +These stem from Mutt, in some cases, passing an entire header +field (name, colon, and body) to the rfc2047 decoder. (It is +technically incorrect to do so, by the way, but is beyond scope for +these fixes in stable). Mutt then assumes the result can't be empty +because of a previous check that the header contains at least a colon. + +This commit takes care of the source of the crashes, by aborting the +rfc2047 decode. The following two commits add protective fixes to the +specific crash points. + +Thanks to Chenyuan Mi (@morningbread) for discovering the strchr +crashes, giving a working example draft message, and providing the +stack traces for the two NULL derefences. 
+--- + rfc2047.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rfc2047.c b/rfc2047.c +index 1ce82ebbe49a..36cc76dbc402 100644 +--- a/rfc2047.c ++++ b/rfc2047.c +@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset) + if (*pp == '=') + break; + if ((*pp & ~127) || (c = base64val(*pp)) == -1) +- continue; ++ goto error_out_0; + if (k + 6 >= 8) + { + k -= 2; +-- +2.40.1 + diff -Nru mutt-2.2.9/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch mutt-2.2.9/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch --- mutt-2.2.9/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.2.9/debian/patches/upstream/Fix-write_one_header-illegal-header-check.patch 2023-09-10 12:57:40.000000000 +0200 
@@ -0,0 +1,40 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Sun, 3 Sep 2023 14:11:48 +0800 +Subject: Fix write_one_header() illegal header check. +Origin: https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0 +Bug-Debian: https://bugs.debian.org/1051563 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874 + +This is another crash caused by the rfc2047 decoding bug fixed in the +second prior commit. + +In this case, an empty header line followed by a header line starting +with ":", would result in t==end. + +The mutt_substrdup() further below would go very badly at that point, +with t >= end+1. This could result in either a memcpy onto NULL or a +huge malloc call. + +Thanks to Chenyuan Mi (@morningbread) for giving a working example +draft message of the rfc2047 decoding flaw. This allowed me, with +further testing, to discover this additional crash bug. +--- + sendlib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sendlib.c b/sendlib.c +index 763bff4117f2..204b13085227 100644 +--- a/sendlib.c ++++ b/sendlib.c +@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen, + else + { + t = strchr (start, ':'); +- if (!t || t > end) ++ if (!t || t >= end) + { + dprint (1, (debugfile, "mwoh: warning: header not in " + "'key: value' format!\n")); +-- +2.40.1 +
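Review bot: the `debian/patches/series` additions keep the upstream order (`Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch` first, then the two protective commits), which matters because the second and third commit messages describe themselves as guards for the first; the three patch files are byte-identical to those in the 2.0.5 debdiff, including the upstream `index` lines and hunk offsets (`@@ -2418,7 +2418,7 @@`, `@@ -2466,7 +2466,7 @@`, `@@ -2130,7 +2130,7 @@`), so it is worth recording in the upload notes that quilt applied them against 2.2.9 without fuzz, since the `sendlib.c` of 2.0.5 and 2.2.9 cannot both match those line numbers exactly.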