~ruther/guix-local

d82633d06a0b7f24e98f12a2686c1ffdf12f5cd3 — Andreas Enge 10 years ago 1268e52 
gnu: mutt: Update to 1.5.24.

* gnu/packages/patches/mutt-CVE-2014-9116.patch: Delete file.
* gnu/packages/mail.scm (mutt): Update to 1.5.24.
  [source]: Update and remove patch.
* gnu-system.am (dist_patch_DATA): Unregister removed patch.
patch browse .tar.gz 
3 files changed, 5 insertions(+), 58 deletions(-)

M gnu-system.am
M gnu/packages/mail.scm
D gnu/packages/patches/mutt-CVE-2014-9116.patch

M gnu-system.am => gnu-system.am +0 -1
@@ 567,7 567,6 @@ dist_patch_DATA =						\
  gnu/packages/patches/module-init-tools-moduledir.patch	\
  gnu/packages/patches/mumps-build-parallelism.patch		\
  gnu/packages/patches/mupdf-buildsystem-fix.patch		\
  gnu/packages/patches/mutt-CVE-2014-9116.patch			\
  gnu/packages/patches/mutt-store-references.patch		\
  gnu/packages/patches/net-tools-bitrot.patch			\
  gnu/packages/patches/ngircd-handle-zombies.patch		\


M gnu/packages/mail.scm => gnu/packages/mail.scm +5 -11
@@ 171,21 171,15 @@ aliasing facilities to work just as they would on normal mail.")
(define-public mutt
  (package
    (name "mutt")
    (version "1.5.23")
    (version "1.5.24")
    (source (origin
             (method url-fetch)
             (uri (list ;; Temporarily put bitbucket first, because
                        ;; ftp.mutt.org has been down for a while.
                        (string-append "https://bitbucket.org/mutt/mutt/downloads/mutt-"
                                       version ".tar.gz")
                        (string-append "ftp://ftp.mutt.org/mutt/devel/mutt-"
                                       version ".tar.gz")))
             (uri (string-append "ftp://ftp.mutt.org/pub/mutt/mutt-"
                                 version ".tar.gz"))
             (sha256
              (base32
               "0dzx4qk50pjfsb6cs5jahng96a52k12f7pm0sc78iqdrawg71w1s"))
             (patches (map search-patch
                           '("mutt-CVE-2014-9116.patch"
                             "mutt-store-references.patch")))))
               "0012njrgxf1barjksqkx7ccid2l0xyikhna9mjs9vcfpbrvcm4m2"))
             (patches (list (search-patch "mutt-store-references.patch")))))
    (build-system gnu-build-system)
    (inputs
     `(("cyrus-sasl" ,cyrus-sasl)


D gnu/packages/patches/mutt-CVE-2014-9116.patch => gnu/packages/patches/mutt-CVE-2014-9116.patch +0 -46
@@ 1,46 0,0 @@
Fix CVE-2014-9116.  Copied from Debian:

This patch solves the issue raised by CVE-2014-9116 in bug 771125.

We correctly redefine what are the whitespace characters as per RFC5322; by
doing so we prevent mutt_substrdup from being used in a way that could lead to
a segfault.

The lib.c part was written by Antonio Radici <antonio@debian.org> to prevent
crashes due to this kind of bugs from happening again.

The wheezy version of this patch is slightly different, therefore this patch
has -jessie prefixed in its name.

The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as
the upstream patch reported here:
http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch

--- a/lib.c
+++ b/lib.c
@@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin,
   size_t len;
   char *p;
 
+  if (end != NULL && end < begin)
+    return NULL;
+
   if (end)
     len = end - begin;
   else
--- a/sendlib.c
+++ b/sendlib.c
@@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i
     {
       tagbuf = mutt_substrdup (start, t);
       /* skip over the colon separating the header field name and value */
-      t = skip_email_wsp(t + 1);
+      ++t;
+
+      /* skip over any leading whitespace (WSP, as defined in RFC5322) */
+      while (*t == ' ' || *t == '\t')
+        t++;
+
       valbuf = mutt_substrdup (t, end);
     }
     dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "