On Sun, Nov 30, 2014 at 11:42:19AM -0800, Kevin J. McCarthy wrote:
> [Michael, Brendan: your input and insight would be greatly appreciated]
> Debian's proposed patch is at:
> http://anonscm.debian.org/cgit/pkg-mutt/mutt.git/diff/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch
> 
> This fix changes WSP to consist of space, tab, and newline only.  It
> also changes mutt_substrdup() to check for end < begin.
> 
> The first change, while fixing the logic error causing the CVE, may
> cause problems with all the other calls to skip_email_wsp() that relied
> on a broad definition of whitespace.  I don't know - there are too many
> calls and I'm not familiar enough with all the code to know.
> 
> The second change may or may not be palatable to the core devs.  It
> stops a segfault, but hides a logic error.
> 
> It looks like the quickest change would be to revert sendlib.c back to
> using:
>     while (*t == ' ' || *t == '\t') 
>         t++;
> 
> Long term, it would be better create two functions: a strict WSP and a
> loose whitespace one, and tease apart what needs which.
> 
> Comments?

Hi Kevin,
thanks for the write-up, just wanted to integrate a bit on the Debian side: the
patch that we applied to wheezy (the supported distribution for security
purposes and the current stable) is the one you quoted at the end of your mail,
i.e. we reverted sendlib.c back to using what was there and removed SKIPWS().

For jessie, at the moment I've modified skip_email_wsp() but I'm willing to
change it if there is a better solution; jessie is not the current stable at the
moment so there is still time to provide a better patch.

Two notes though:
(a) the patch to lib.c is vital to prevent mutt_substrdup() from segfaulting; it
might as well hide a logic error from the caller, but the function itself should
be solid enough not to trust pointers blindly.
(b) the definition of WSP is certainly not the one in the RFC, even if the
comment next to it says so, so that should be changed. I understand that there
are many calls to skip_email_wsp(), but the problem needs to be addressed at some
stage.

Cheers
Antonio

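As an added illustration (not code from mutt, Debian's patch, or either poster), the three pieces the thread discusses side by side: the strict SP/HTAB skip that the sendlib.c revert goes back to, a loose variant that also eats line terminators, and a substrdup guarded against end < begin as in the lib.c change. The header line, the function names and the way the loose skip overshoots the end of the value are constructed for this example, not taken from the actual mutt code path.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Strict RFC 5234 WSP: only SP and HTAB, as in the sendlib.c revert. */
const char *skip_strict_wsp(const char *s)
{
    while (*s == ' ' || *s == '\t')
        s++;
    return s;
}

/* Loose whitespace: also CR and LF, so it can run past a line end. */
const char *skip_loose_wsp(const char *s)
{
    while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n')
        s++;
    return s;
}

/* Guarded substrdup: end < begin would wrap (size_t)(end - begin) into a
 * huge length; return NULL instead so the caller's logic error surfaces
 * as a missing value rather than a crash. */
char *safe_substrdup(const char *begin, const char *end)
{
    size_t len;
    char *p;

    if (!begin || !end || end < begin)
        return NULL;
    len = (size_t)(end - begin);
    p = malloc(len + 1);
    if (!p)
        return NULL;
    memcpy(p, begin, len);
    p[len] = '\0';
    return p;
}

/* Constructed header whose value is empty: one space, then the newline. */
static const char HDR[] = "Subject: \nTo: x\n";

/* Extract the Subject value with the given skipper; the end pointer is the
 * newline that terminates this header line, computed before skipping. */
char *subject_value(const char *(*skip)(const char *))
{
    const char *start = HDR + strlen("Subject:"); /* the ' ' after ':' */
    const char *eol = strchr(start, '\n');        /* end of this line */
    const char *begin = skip(start);              /* may pass eol */
    return safe_substrdup(begin, eol);
}
```

With the strict skipper the value is the empty string; with the loose one the skip has already consumed the newline, begin > end, and the guard returns NULL instead of letting the wrapped length reach malloc and memcpy.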