From owner-svn-ports-all@FreeBSD.ORG Wed Dec 10 09:58:26 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 96633C93; Wed, 10 Dec 2014 09:58:26 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 687DD6D8; Wed, 10 Dec 2014 09:58:26 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBA9wQuY077807; Wed, 10 Dec 2014 09:58:26 GMT (envelope-from rodrigo@FreeBSD.org) Received: (from rodrigo@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBA9wPOG077805; Wed, 10 Dec 2014 09:58:25 GMT (envelope-from rodrigo@FreeBSD.org) Message-Id: <201412100958.sBA9wPOG077805@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: rodrigo set sender to rodrigo@FreeBSD.org using -f From: Rodrigo Osorio Date: Wed, 10 Dec 2014 09:58:25 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r374445 - in head/mail/mutt: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2014 09:58:26 -0000 Author: rodrigo Date: Wed Dec 10 09:58:25 2014 New Revision: 374445 URL: https://svnweb.freebsd.org/changeset/ports/374445 QAT: https://qat.redports.org/buildarchive/r374445/ Log: Update for mail/mutt: Fix security vulnerability CVE-2014-9116 PR: ports/195550 Submitted by: Udo.Schweigert@siemens.com (maintainer) Obtained from: mutt MFH: 2014Q4 Added: head/mail/mutt/files/patch-CVE-2014-9116 (contents, props changed) Modified: head/mail/mutt/Makefile Modified: head/mail/mutt/Makefile ============================================================================== --- head/mail/mutt/Makefile Wed Dec 10 07:32:17 2014 (r374444) +++ head/mail/mutt/Makefile Wed Dec 10 09:58:25 2014 (r374445) @@ -3,7 +3,7 @@ PORTNAME= mutt PORTVERSION= 1.5.23 -PORTREVISION?= 6 +PORTREVISION?= 7 CATEGORIES+= mail ipv6 MASTER_SITES= ftp://ftp.mutt.org/mutt/ \ ftp://ftp.mutt.org/mutt/devel/ \ Added: head/mail/mutt/files/patch-CVE-2014-9116 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/mail/mutt/files/patch-CVE-2014-9116 Wed Dec 10 09:58:25 2014 (r374445) @@ -0,0 +1,43 @@ +# HG changeset patch +# User Kevin McCarthy +# Date 1417472364 28800 +# Mon Dec 01 14:19:24 2014 -0800 +# Branch stable +# Node ID 54c59aaf88b9f6b50f1078fc6f7551fa9315ac3e +# Parent 1b583341d5ad677c8a1935eb4110eba27606878a +Revert write_one_header() to skip space and tab. (closes #3716) + +This patch fixes CVE-2014-9116 in the stable branch. It reverts +write_one_header() to the pre [f251d523ca5a] code for skipping +whitespace. + +Thanks to Antonio Radici and Tomas Hoger for their analysis and patches +to mutt, which this patch is based off of. + +diff --git a/sendlib.c b/sendlib.c +--- sendlib.c ++++ sendlib.c +@@ -1809,17 +1809,22 @@ + { + tagbuf = NULL; + valbuf = mutt_substrdup (start, end); + } + else + { + tagbuf = mutt_substrdup (start, t); + /* skip over the colon separating the header field name and value */ +- t = skip_email_wsp(t + 1); ++ ++t; ++ ++ /* skip over any leading whitespace (WSP, as defined in RFC5322) */ ++ while (*t == ' ' || *t == '\t') ++ t++; ++ + valbuf = mutt_substrdup (t, end); + } + dprint(4,(debugfile,"mwoh: buf[%s%s] too long, " + "max width = %d > %d\n", + NONULL(pfx), valbuf, max, wraplen)); + if (fold_one_header (fp, tagbuf, valbuf, pfx, wraplen, flags) < 0) + return -1; + FREE (&tagbuf);