Antonio Radici wrote:
> On Sun, Nov 30, 2014 at 11:42:19AM -0800, Kevin J. McCarthy wrote:
> > [Michael, Brendan: your input and insight would be greatly appreciated]
> >
> > Debian's proposed patch is at:
> > http://anonscm.debian.org/cgit/pkg-mutt/mutt.git/diff/debian/patches/upstream/771125-CVE-2014-9116-jessie.patch
> >
> > This fix changes WSP to consist of space, tab, and newline only. It

Oops, sorry, that should have been space, tab, and \r.

> > also changes mutt_substrdup() to check for end < begin.
>
> For jessie, at the moment I've modified skip_email_wsp() but I'm willing to
> change it if there is a better solution; jessie is not the current stable at
> the moment so there is still time to provide a better patch.

Well, this is just my opinion, but I think it would be safer to use the
wheezy method for the jessie patch too: reverting to the tab and space scan
(inside write_one_header()). Removing \n from WSP impacts a lot of
callers...

As for the mutt_substrdup() patch, in general I agree something should be
done there. I can think of several options: returning NULL, setting len=0
(and so returning a malloced ""), aborting (as thoger mentioned). In
general, mutt checks NULLs pretty well, but returning NULL from
mutt_substrdup() isn't without risk of just generating a segfault in another
place. So personally I would vote for the second or third choice.

-Kevin
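The two points raised in the message above, a WSP set that includes '\n' moving a cursor past the end of a header line, and mutt_substrdup() being handed a range with end < begin, as an added C example that is neither mutt's code nor the Debian patch. The names skip_wsp(), substrdup_checked(), overshoot_after_colon(), unchecked_len() and the helper functions are this example's own; WSP_WITH_NEWLINE and WSP_NO_NEWLINE stand for the two scans discussed (the set skip_email_wsp() accepts, and the tab-and-space scan), the header line is constructed, and the hardened duplicate implements the second option from the message, returning a malloced "" for a reversed range.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two whitespace sets under discussion (names are this example's). */
#define WSP_WITH_NEWLINE " \t\r\n"   /* set including \n, as skip_email_wsp() accepts */
#define WSP_NO_NEWLINE   " \t"       /* the tab-and-space scan */

/* Skip leading characters from `set'. Same shape as skip_email_wsp(), but
 * parameterised on the set so both scans can be compared; not mutt's code. */
static const char *skip_wsp(const char *s, const char *set)
{
    return s ? s + strspn(s, set) : s;
}

/* What an unchecked `len = end - begin' turns into when end < begin:
 * the negative difference wraps to a huge size_t, the value malloc/memcpy
 * would then be asked to handle. */
static size_t unchecked_len(const char *begin, const char *end)
{
    return (size_t)(end - begin);
}

/* Duplicate [begin, end); end == NULL means "to the terminator".
 * Hardened variant: a reversed range yields a malloced "" (len = 0)
 * rather than a wrapped length. Returns NULL only on allocation failure. */
static char *substrdup_checked(const char *begin, const char *end)
{
    size_t len;
    char *p;

    if (end == NULL)
        len = strlen(begin);
    else if (end < begin)
        len = 0;                        /* the "setting len=0" option */
    else
        len = (size_t)(end - begin);

    p = malloc(len + 1);
    if (!p)
        return NULL;
    memcpy(p, begin, len);
    p[len] = '\0';
    return p;
}

/* For one header line "Name:value\n" (newline included, as a header-writing
 * loop sees it), skip whitespace after the colon with the given set and
 * report how far past the line's own newline the cursor ended up.
 * 0 means it stayed on the line; -1 means the line had no colon or newline. */
static long overshoot_after_colon(const char *line, const char *set)
{
    const char *colon = strchr(line, ':');
    const char *eol = strchr(line, '\n');
    if (!colon || !eol)
        return -1;
    const char *value = skip_wsp(colon + 1, set);
    return value > eol ? (long)(value - eol) : 0;
}

/* Test helpers: duplicate the first n bytes of s and compare. */
static int dup_matches(const char *s, size_t n, const char *expect)
{
    char *d = substrdup_checked(s, s + n);
    int ok = d != NULL && strcmp(d, expect) == 0;
    free(d);
    return ok;
}

/* A reversed range inside one buffer: checked version returns "". */
static int empty_on_reversed_range(void)
{
    const char s[] = "abc";
    char *d = substrdup_checked(s + 2, s + 1);
    int ok = d != NULL && d[0] == '\0';
    free(d);
    return ok;
}

/* The same reversed range, with the unchecked arithmetic. */
static int reversed_len_wraps(void)
{
    const char s[] = "abc";
    return unchecked_len(s + 2, s + 1) == SIZE_MAX;
}

int main(void)
{
    const char line[] = "X-Empty:\n";   /* constructed header with an empty body */
    printf("overshoot, WSP includes \\n : %ld\n", overshoot_after_colon(line, WSP_WITH_NEWLINE));
    printf("overshoot, tab/space only  : %ld\n", overshoot_after_colon(line, WSP_NO_NEWLINE));
    printf("reversed range wraps       : %s\n", reversed_len_wraps() ? "yes" : "no");
    printf("checked dup handles it     : %s\n", empty_on_reversed_range() ? "yes" : "no");
    return 0;
}
```

With the constructed "X-Empty:" line, the scan that includes '\n' steps one byte past the header's own newline while the tab-and-space scan stays on it; a cursor that has moved past the intended end is exactly the case where a later substring copy can receive end < begin, and the checked duplicate turns that into an empty string instead of a wrapped length.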
