1 files changed, 45 insertions, 0 deletions

diff --git a/gnu/packages/patches/mutt-CVE-2021-3181.patch b/gnu/packages/patches/mutt-CVE-2021-3181.patch
new file mode 100644
index 0000000000..df5214b052
--- /dev/null
+++ b/gnu/packages/patches/mutt-CVE-2021-3181.patch
@@ -0,0 +1,45 @@
+Fix CVE-2021-3181:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3181
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/muttmua/mutt/-/commit/c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545
+
+From c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 10:40:37 -0800
+Subject: [PATCH] Fix memory leak parsing group address.
+
+When there was a group address terminator with no previous addresses,
+an address would be allocated but not attached to the address list.
+
+Change this to only allocate when last exists.
+
+It would be more correct to not allocate at all unless we are inside a
+group list, but I will address that in a separate commit to master.
+---
+ rfc822.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/rfc822.c b/rfc822.c
+index 7ff4eaa3..ced619f2 100644
+--- a/rfc822.c
++++ b/rfc822.c
+@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
+ #endif
+ 
+       /* add group terminator */
+-      cur = rfc822_new_address ();
+       if (last)
+       {
+-	last->next = cur;
+-	last = cur;
++	last->next = rfc822_new_address ();
++	last = last->next;
+       }
+ 
+       phraselen = 0;
+-- 
+GitLab
+