rpms / mutt

Clone
Source Code
GIT

Blame SOURCES/mutt-1.5.21-cve-2018-14354_cve-2018-14357.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7
  2.   SOURCES
  3.   mutt-1.5.21-cve-2018-14354_cve-2018-14357.patch
Blob History Raw
d1e772 
From 185152818541f5cdc059cbff3f3e8b654fc27c1d Mon Sep 17 00:00:00 2001
d1e772 
From: Kevin McCarthy <kevin@8t8.us>
d1e772 
Date: Sat, 7 Jul 2018 19:03:44 -0700
d1e772 
Subject: [PATCH] Properly quote IMAP mailbox names when (un)subscribing.
d1e772
d1e772 
When handling automatic subscription (via $imap_check_subscribed), or
d1e772 
manual subscribe/unsubscribe commands, mutt generating a "mailboxes"
d1e772 
command but failed to properly escape backquotes.
d1e772
d1e772 
Thanks to Jeriko One for the detailed bug report and patch, which this
d1e772 
commit is based upon.
d1e772 
---
d1e772 
 imap/command.c      |  5 +++--
d1e772 
 imap/imap.c         |  7 +++++--
d1e772 
 imap/imap_private.h |  3 ++-
d1e772 
 imap/util.c         | 25 ++++++++++++++++++++-----
d1e772 
 4 files changed, 30 insertions(+), 10 deletions(-)
d1e772
d1e772 
diff --git a/imap/command.c b/imap/command.c
d1e772 
index c8825981..c79d4f28 100644
d1e772 
--- a/imap/command.c
d1e772 
+++ b/imap/command.c
d1e772 
@@ -842,8 +842,9 @@ static void cmd_parse_lsub (IMAP_DATA* idata, char* s)
d1e772
d1e772 
   strfcpy (buf, "mailboxes \"", sizeof (buf));
d1e772 
   mutt_account_tourl (&idata->conn->account, &url;;
d1e772 
-  /* escape \ and " */
d1e772 
-  imap_quote_string(errstr, sizeof (errstr), list.name);
d1e772 
+  /* escape \ and ". Also escape ` because the resulting
d1e772 
+   * string will be passed to mutt_parse_rc_line. */
d1e772 
+  imap_quote_string_and_backquotes (errstr, sizeof (errstr), list.name);
d1e772 
   url.path = errstr + 1;
d1e772 
   url.path[strlen(url.path) - 1] = '\0';
d1e772 
   if (!mutt_strcmp (url.user, ImapUser))
d1e772 
diff --git a/imap/imap.c b/imap/imap.c
d1e772 
index 668203b8..c3a8ffd0 100644
d1e772 
--- a/imap/imap.c
d1e772 
+++ b/imap/imap.c
d1e772 
@@ -1930,6 +1930,7 @@ int imap_subscribe (char *path, int subscribe)
d1e772 
   char buf[LONG_STRING];
d1e772 
   char mbox[LONG_STRING];
d1e772 
   char errstr[STRING];
d1e772 
+  int mblen;
d1e772 
   BUFFER err, token;
d1e772 
   IMAP_MBOX mx;
d1e772
d1e772 
@@ -1951,8 +1952,10 @@ int imap_subscribe (char *path, int subscribe)
d1e772 
     memset (&token, 0, sizeof (token));
d1e772 
     err.data = errstr;
d1e772 
     err.dsize = sizeof (errstr);
d1e772 
-    snprintf (mbox, sizeof (mbox), "%smailboxes \"%s\"",
d1e772 
-              subscribe ? "" : "un", path);
d1e772 
+    mblen = snprintf (mbox, sizeof (mbox), "%smailboxes ",
d1e772 
+                      subscribe ? "" : "un");
d1e772 
+    imap_quote_string_and_backquotes (mbox + mblen, sizeof(mbox) - mblen,
d1e772 
+                                      path);
d1e772 
     if (mutt_parse_rc_line (mbox, &token, &err))
d1e772 
       dprint (1, (debugfile, "Error adding subscribed mailbox: %s\n", errstr));
d1e772 
     FREE (&token.data);
d1e772 
diff --git a/imap/imap_private.h b/imap/imap_private.h
d1e772 
index 312fbfe4..349c5a49 100644
d1e772 
--- a/imap/imap_private.h
d1e772 
+++ b/imap/imap_private.h
d1e772 
@@ -301,7 +301,8 @@ char* imap_next_word (char* s);
d1e772 
 time_t imap_parse_date (char* s);
d1e772 
 void imap_make_date (char* buf, time_t timestamp);
d1e772 
 void imap_qualify_path (char *dest, size_t len, IMAP_MBOX *mx, char* path);
d1e772 
-void imap_quote_string (char* dest, size_t slen, const char* src);
d1e772 
+void imap_quote_string (char* dest, size_t dlen, const char* src);
d1e772 
+void imap_quote_string_and_backquotes (char *dest, size_t dlen, const char *src);
d1e772 
 void imap_unquote_string (char* s);
d1e772 
 void imap_munge_mbox_name (char *dest, size_t dlen, const char *src);
d1e772 
 void imap_unmunge_mbox_name (char *s);
d1e772 
diff --git a/imap/util.c b/imap/util.c
d1e772 
index 914c93c3..3274a70c 100644
d1e772 
--- a/imap/util.c
d1e772 
+++ b/imap/util.c
d1e772 
@@ -608,11 +608,10 @@ void imap_qualify_path (char *dest, size_t len, IMAP_MBOX *mx, char* path)
d1e772 
 }
d1e772
d1e772
d1e772 
-/* imap_quote_string: quote string according to IMAP rules:
d1e772 
- *   surround string with quotes, escape " and \ with \ */
d1e772 
-void imap_quote_string (char *dest, size_t dlen, const char *src)
d1e772 
+static void _imap_quote_string (char *dest, size_t dlen, const char *src,
d1e772 
+                                const char *to_quote)
d1e772 
 {
d1e772 
-  char quote[] = "\"\\", *pt;
d1e772 
+  char *pt;
d1e772 
   const char *s;
d1e772
d1e772 
   pt = dest;
d1e772 
@@ -625,7 +623,7 @@ void imap_quote_string (char *dest, size_t dlen, const char *src)
d1e772
d1e772 
   for (; *s && dlen; s++)
d1e772 
   {
d1e772 
-    if (strchr (quote, *s))
d1e772 
+    if (strchr (to_quote, *s))
d1e772 
     {
d1e772 
       dlen -= 2;
d1e772 
       if (!dlen)
d1e772 
@@ -643,6 +641,23 @@ void imap_quote_string (char *dest, size_t dlen, const char *src)
d1e772 
   *pt = 0;
d1e772 
 }
d1e772
d1e772 
+/* imap_quote_string: quote string according to IMAP rules:
d1e772 
+ *   surround string with quotes, escape " and \ with \ */
d1e772 
+void imap_quote_string (char *dest, size_t dlen, const char *src)
d1e772 
+{
d1e772 
+  _imap_quote_string (dest, dlen, src, "\"\\");
d1e772 
+}
d1e772 
+
d1e772 
+/* imap_quote_string_and_backquotes: quote string according to IMAP rules:
d1e772 
+ *   surround string with quotes, escape " and \ with \.
d1e772 
+ * Additionally, escape backquotes with \ to protect against code injection
d1e772 
+ * when using the resulting string in mutt_parse_rc_line().
d1e772 
+ */
d1e772 
+void imap_quote_string_and_backquotes (char *dest, size_t dlen, const char *src)
d1e772 
+{
d1e772 
+  _imap_quote_string (dest, dlen, src, "\"\\`");
d1e772 
+}
d1e772 
+
d1e772 
 /* imap_unquote_string: equally stupid unquoting routine */
d1e772 
 void imap_unquote_string (char *s)
d1e772 
 {
d1e772 
--
d1e772 
2.18.0
d1e772

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation