[Michael, Brendan: your input and insight would be greatly appreciated] A good writeup of this is at https://bugzilla.redhat.com/show_bug.cgi?id=1168463.
As stated there, the changeset introducing the problem was at http://dev.mutt.org/trac/changeset/f251d523ca5a.

The changeset is a bit confusing to me. It introduces a function skip_email_wsp() and declares the "WSP as defined by RFC5322". Yet though the RFC specifies WSP to consist of space and tab only, the new skip_email_wsp() also skips \r and \n. Meanwhile, this new function is swapped into:

1. Code that used to rely on SKIPWS, which in lib.h includes space, tab, \r, \n, along with \f and \v.
2. Code in rfc822.c that used to rely on a strict definition of WSP (rfc822.c redefined SKIPWS).
3. Code in sendlib.c that used to explicitly check for space and \t.

Debian's proposed patch is at:
http://anonscm.debian.org/cgit/pkg-mutt/mutt.git/diff/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch

This fix changes WSP to consist of space, tab, and newline only. It also changes mutt_substrdup() to check for end < begin.

The first change, while fixing the logic error causing the CVE, may cause problems with all the other calls to skip_email_wsp() that relied on a broad definition of whitespace. I don't know - there are too many calls and I'm not familiar enough with all the code to know.

The second change may or may not be palatable to the core devs. It stops a segfault, but hides a logic error.

It looks like the quickest change would be to revert sendlib.c back to using:

    while (*t == ' ' || *t == '\t') t++;

Long term, it would be better to create two functions: a strict WSP and a loose whitespace one, and tease apart what needs which.

Comments?

-Kevin
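Added here as an illustration, not code from mutt, the Debian patch or this thread: the strict RFC 5322 skipper beside the loose one the message describes, run over a constructed two-line header buffer to show that only the loose skipper leaves the current line, plus a substrdup that rejects an inverted range the way the Debian patch does. All function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: two header lines, the first with only a space after
 * the colon. Not taken from any real message. */
static const char kHeaders[] = "Subject: \nX-Other: foo\n";

/* Strict WSP as RFC 5322 defines it: SP and HTAB only. */
const char *skip_wsp_strict(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Loose whitespace, as the thread describes skip_email_wsp(): CR and LF too. */
const char *skip_wsp_loose(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
    return p;
}

/* Copy [begin, end) into a new string. An inverted range yields NULL instead
 * of a wrapped-around length (the check the Debian patch adds). */
char *substrdup_checked(const char *begin, const char *end)
{
    size_t len;
    char *out;
    if (end == NULL) end = begin + strlen(begin);
    if (end < begin) return NULL;
    len = (size_t)(end - begin);
    out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, begin, len);
    out[len] = '\0';
    return out;
}

/* Skip whitespace after the colon of the header at `line` with the chosen
 * skipper. Returns 1 if the cursor left the current line, 0 if it stayed,
 * -1 if there is no colon. */
int skipper_overruns_line(const char *line, int loose)
{
    const char *colon = strchr(line, ':');
    const char *eol, *t;
    if (colon == NULL) return -1;
    eol = strchr(colon, '\n');
    if (eol == NULL) eol = line + strlen(line);
    t = loose ? skip_wsp_loose(colon + 1) : skip_wsp_strict(colon + 1);
    return t > eol ? 1 : 0;
}
```

With the strict skipper the cursor stops at the line's LF; with the loose one it lands on the next header, so an end pointer computed for the first line now sits before the cursor, which is exactly the end < begin case the patch guards against.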
