|
Line 0
Link Here
|
|
|
1 |
# HG changeset patch |
| 2 |
# User Kevin McCarthy <kevin@8t8.us> |
| 3 |
# Date 1417472364 28800 |
| 4 |
# Mon Dec 01 14:19:24 2014 -0800 |
| 5 |
# Branch stable |
| 6 |
# Node ID 54c59aaf88b9f6b50f1078fc6f7551fa9315ac3e |
| 7 |
# Parent 1b583341d5ad677c8a1935eb4110eba27606878a |
| 8 |
Revert write_one_header() to skip space and tab. (closes #3716) |
| 9 |
|
| 10 |
This patch fixes CVE-2014-9116 in the stable branch. It reverts |
| 11 |
write_one_header() to the pre [f251d523ca5a] code for skipping |
| 12 |
whitespace. |
| 13 |
|
| 14 |
Thanks to Antonio Radici and Tomas Hoger for their analysis and patches |
| 15 |
to mutt, which this patch is based off of. |
| 16 |
|
| 17 |
diff --git a/sendlib.c b/sendlib.c |
| 18 |
--- sendlib.c |
| 19 |
+++ sendlib.c |
| 20 |
@@ -1809,17 +1809,22 @@ |
| 21 |
{ |
| 22 |
tagbuf = NULL; |
| 23 |
valbuf = mutt_substrdup (start, end); |
| 24 |
} |
| 25 |
else |
| 26 |
{ |
| 27 |
tagbuf = mutt_substrdup (start, t); |
| 28 |
/* skip over the colon separating the header field name and value */ |
| 29 |
- t = skip_email_wsp(t + 1); |
| 30 |
+ ++t; |
| 31 |
+ |
| 32 |
+ /* skip over any leading whitespace (WSP, as defined in RFC5322) */ |
| 33 |
+ while (*t == ' ' || *t == '\t') |
| 34 |
+ t++; |
| 35 |
+ |
| 36 |
valbuf = mutt_substrdup (t, end); |
| 37 |
} |
| 38 |
dprint(4,(debugfile,"mwoh: buf[%s%s] too long, " |
| 39 |
"max width = %d > %d\n", |
| 40 |
NONULL(pfx), valbuf, max, wraplen)); |
| 41 |
if (fold_one_header (fp, tagbuf, valbuf, pfx, wraplen, flags) < 0) |
| 42 |
return -1; |
| 43 |
FREE (&tagbuf); |