Control: tags 988106 + patch
Control: tags 988106 + pending

Dear maintainer,

I've prepared an NMU for mutt (versioned as 2.0.5-4.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore

diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog --- mutt-2.0.5/debian/changelog 2021-03-20 17:26:12.000000000 +0100 +++ mutt-2.0.5/debian/changelog 2021-06-06 21:11:36.000000000 +0200 @@ -1,3 +1,11 @@ +mutt (2.0.5-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix seqset iterator when it ends in a comma (CVE-2021-32055) + (Closes: #988106) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 06 Jun 2021 21:11:36 +0200 + mutt (2.0.5-4) unstable; urgency=medium * debian/patches: diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series --- mutt-2.0.5/debian/patches/series 2021-03-20 17:24:06.000000000 +0100 +++ mutt-2.0.5/debian/patches/series 2021-06-06 21:11:36.000000000 +0200 @@ -13,3 +13,4 @@ upstream/528233-readonly-open.patch upstream/980924-updated-german-translation.patch upstream/985152-body-color-slowness.patch +upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch diff -Nru mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch --- mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch 2021-06-06 21:11:36.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Kevin McCarthy <ke...@8t8.us> +Date: Mon, 3 May 2021 13:11:30 -0700 +Subject: Fix seqset iterator when it ends in a comma. +Origin: https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5 +Bug-Debian: https://bugs.debian.org/988106 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32055 + +If the seqset ended with a comma, the substr_end marker would be just +before the trailing nul. In the next call, the loop to skip the +marker would iterate right past the end of string too. + +The fix is simple: place the substr_end marker and skip past it +immediately. +--- + imap/util.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/imap/util.c b/imap/util.c +index c529fd8fba3c..488e8396d269 100644 +--- a/imap/util.c ++++ b/imap/util.c +@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, unsigned int *next) + if (iter->substr_cur == iter->eostr) + return 1; + +- while (!*(iter->substr_cur)) +- iter->substr_cur++; + iter->substr_end = strchr (iter->substr_cur, ','); + if (!iter->substr_end) + iter->substr_end = iter->eostr; + else +- *(iter->substr_end) = '\0'; ++ *(iter->substr_end++) = '\0'; + + range_sep = strchr (iter->substr_cur, ':'); + if (range_sep) +-- +2.32.0.rc0 +
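
Review bot: In the imap/util.c hunk for mutt_seqset_iterator_next, the switch to `*(iter->substr_end++) = '\0';` leaves substr_end with two different meanings: one past the nul marker in the comma branch, but eostr itself in the `!iter->substr_end` branch. It is therefore no longer the terminator of the current substring in both cases. The remainder of the function is not visible in this hunk, so please confirm that nothing after this point treats substr_end as the end of the token, and that substr_cur is only ever advanced to substr_end. A seqset ending in a comma then lands exactly on eostr and takes the `iter->substr_cur == iter->eostr` return on the next call. A short comment stating that invariant beside the increment, plus a regression test with a trailing-comma seqset, would guard against the removed skip loop being reintroduced.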