Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1010058,
regarding bullseye-pu: package mutt/2.0.5-4.1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1010058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010058
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected],[email protected]
Hi SRM'ers, hi Antonio,
I prepared an update for mutt, fixing CVE-2022-1328, a buffer overflow
in the uudecoder.
Performed a manual test with the poc mbox provided by Tavis in
https://gitlab.com/muttmua/mutt/-/issues/404.
Attached is the debdiff respectively for the upload.
Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog
--- mutt-2.0.5/debian/changelog 2021-06-06 21:11:36.000000000 +0200
+++ mutt-2.0.5/debian/changelog 2022-04-23 14:44:09.000000000 +0200
@@ -1,3 +1,10 @@
+mutt (2.0.5-4.1+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix uudecode buffer overflow (CVE-2022-1328) (Closes: #1009734)
+
+ -- Salvatore Bonaccorso <[email protected]> Sat, 23 Apr 2022 14:44:09 +0200
+
mutt (2.0.5-4.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series
--- mutt-2.0.5/debian/patches/series 2021-06-06 21:11:36.000000000 +0200
+++ mutt-2.0.5/debian/patches/series 2022-04-23 14:44:09.000000000 +0200
@@ -14,3 +14,4 @@
upstream/980924-updated-german-translation.patch
upstream/985152-body-color-slowness.patch
upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
+upstream/Fix-uudecode-buffer-overflow.patch
diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch
mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch
--- mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch
1970-01-01 01:00:00.000000000 +0100
+++ mutt-2.0.5/debian/patches/upstream/Fix-uudecode-buffer-overflow.patch
2022-04-23 14:44:09.000000000 +0200
@@ -0,0 +1,43 @@
+From: Kevin McCarthy <[email protected]>
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: Fix uudecode buffer overflow.
+Origin:
https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
+Bug: https://gitlab.com/muttmua/mutt/-/issues/404
+Bug-Debian: https://bugs.debian.org/1009734
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-1328
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation. It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust. However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/handler.c b/handler.c
+index d1b4bc73a58f..c97cf0cb527e 100644
+--- a/handler.c
++++ b/handler.c
+@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len,
int istext, iconv_t cd)
+ pt = tmps;
+ linelen = decode_byte (*pt);
+ pt++;
+- for (c = 0; c < linelen;)
++ for (c = 0; c < linelen && *pt;)
+ {
+- for (l = 2; l <= 6; l += 2)
++ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+ {
+ out = decode_byte (*pt) << l;
+ pt++;
+--
+2.35.2
+
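Review bot: the two added loop conditions (`c < linelen && *pt` and `l <= 6 && *pt && *(pt + 1)`) stop decoding at the first NUL in the line buffer, which closes the over-read the patch header describes, but `linelen` itself, taken from `decode_byte (*pt)` on the first character, is still used without any bound check; a line whose length character announces more bytes than the line actually carries now yields silently truncated output rather than an error. The upstream message says this narrowing is deliberate, so the suggestion is documentation rather than code: record in the Debian patch header or the changelog entry that the further parser hardening discussed in upstream issue 404 is intentionally not backported, so a later bullseye update knows that work is still pending. The inner guard also relies on short-circuit evaluation to avoid touching `*(pt + 1)` when `*pt` is already NUL; a one-line comment above that `for` saying so would make the intent clear to the next reader of handler.c.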
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4
(re-sending with fixed bug numbers)
Hi,
The updates discussed in these bugs were included in today's bullseye
point release.
Regards,
Adam
--- End Message ---