changeset: 6385:0aebf1df4359
user: Kevin McCarthy <[email protected]>
date: Mon Dec 01 14:19:24 2014 -0800
link: http://dev.mutt.org/hg/mutt/rev/0aebf1df4359
Revert write_one_header() to skip space and tab. (closes #3716)
This patch fixes CVE-2014-9116 in the stable branch. It reverts
write_one_header() to the pre [f251d523ca5a] code for skipping
whitespace.
Thanks to Antonio Radici and Tomas Hoger for their analysis and patches
to mutt, which this patch is based off of.
diffs (19 lines):
diff -r 5a86319adad0 -r 0aebf1df4359 sendlib.c
--- a/sendlib.c Mon Jan 05 18:28:59 2015 -0800
+++ b/sendlib.c Mon Dec 01 14:19:24 2014 -0800
@@ -1814,7 +1814,14 @@
{
tagbuf = mutt_substrdup (start, t);
/* skip over the colon separating the header field name and value */
- t = skip_email_wsp(t + 1);
+ ++t;
+
+ /* skip over any leading whitespace (WSP, as defined in RFC5322)
+ * NOTE: skip_email_wsp() does the wrong thing here.
+ * See tickets 3609 and 3716. */
+ while (*t == ' ' || *t == '\t')
+ t++;
+
valbuf = mutt_substrdup (t, end);
}
dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
