From 708d3ec0de9cfffc933615d92825906efacd4c6d Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 20 Jan 2021 19:35:37 -0500 Subject: gnu: Mutt: Fix CVE-2021-3181. * gnu/packages/patches/mutt-CVE-2021-3181.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/mail.scm (mutt)[source]: Use it. --- gnu/packages/patches/mutt-CVE-2021-3181.patch | 45 +++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 gnu/packages/patches/mutt-CVE-2021-3181.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/mutt-CVE-2021-3181.patch b/gnu/packages/patches/mutt-CVE-2021-3181.patch new file mode 100644 index 0000000000..df5214b052 --- /dev/null +++ b/gnu/packages/patches/mutt-CVE-2021-3181.patch @@ -0,0 +1,45 @@ +Fix CVE-2021-3181: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3181 + +Patch copied from upstream source repository: + +https://gitlab.com/muttmua/mutt/-/commit/c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 + +From c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 Mon Sep 17 00:00:00 2001 +From: Kevin McCarthy +Date: Sun, 17 Jan 2021 10:40:37 -0800 +Subject: [PATCH] Fix memory leak parsing group address. + +When there was a group address terminator with no previous addresses, +an address would be allocated but not attached to the address list. + +Change this to only allocate when last exists. + +It would be more correct to not allocate at all unless we are inside a +group list, but I will address that in a separate commit to master. +--- + rfc822.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/rfc822.c b/rfc822.c +index 7ff4eaa3..ced619f2 100644 +--- a/rfc822.c ++++ b/rfc822.c +@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s) + #endif + + /* add group terminator */ +- cur = rfc822_new_address (); + if (last) + { +- last->next = cur; +- last = cur; ++ last->next = rfc822_new_address (); ++ last = last->next; + } + + phraselen = 0; +-- +GitLab + -- cgit v1.2.3