diff -Nru mutt-1.13.2/debian/changelog mutt-1.13.2/debian/changelog
--- mutt-1.13.2/debian/changelog 2021-01-21 16:04:42.000000000 +0000
+++ mutt-1.13.2/debian/changelog 2022-04-19 14:15:19.000000000 +0000
@@ -1,3 +1,15 @@
+mutt (1.13.2-1ubuntu0.5) focal-security; urgency=medium
+
+ * SECURITY UPDATE: OOB read
+ - debian/patches/CVE-2021-32055.patch: fix seqset iterator when
+ it ends in a comma in imap/util.c.
+ - CVE-2021-32055
+ * SECURITY UPDATE: Buffer overflow
+ - debian/patches/CVE-2022-1328.patch: Fix uudecode in handler.c.
+ - CVE-2022-1328
+
+ -- Leonidas Da Silva Barbosa Tue, 19 Apr 2022 11:15:19 -0300
+
 mutt (1.13.2-1ubuntu0.4) focal-security; urgency=medium
 
 * SECURITY UPDATE: Denial of service
diff -Nru mutt-1.13.2/debian/patches/CVE-2021-32055.patch mutt-1.13.2/debian/patches/CVE-2021-32055.patch
--- mutt-1.13.2/debian/patches/CVE-2021-32055.patch 1970-01-01 00:00:00.000000000 +0000
+++ mutt-1.13.2/debian/patches/CVE-2021-32055.patch 2022-04-19 14:10:12.000000000 +0000
@@ -0,0 +1,37 @@
+From 7c4779ac24d2fb68a2a47b58c7904118f40965d5 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Mon, 3 May 2021 13:11:30 -0700
+Subject: [PATCH] Fix seqset iterator when it ends in a comma.
+
+If the seqset ended with a comma, the substr_end marker would be just
+before the trailing nul. In the next call, the loop to skip the
+marker would iterate right past the end of string too.
+
+The fix is simple: place the substr_end marker and skip past it
+immediately.
+---
+ imap/util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/imap/util.c b/imap/util.c
+index c529fd8f..488e8396 100644
+--- a/imap/util.c
++++ b/imap/util.c
+@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, unsigned int *next)
+ if (iter->substr_cur == iter->eostr)
+ return 1;
+
+- while (!*(iter->substr_cur))
+- iter->substr_cur++;
+ iter->substr_end = strchr (iter->substr_cur, ',');
+ if (!iter->substr_end)
+ iter->substr_end = iter->eostr;
+ else
+- *(iter->substr_end) = '\0';
++ *(iter->substr_end++) = '\0';
+
+ range_sep = strchr (iter->substr_cur, ':');
+ if (range_sep)
+--
+GitLab
+
diff -Nru mutt-1.13.2/debian/patches/CVE-2022-1328.patch mutt-1.13.2/debian/patches/CVE-2022-1328.patch
--- mutt-1.13.2/debian/patches/CVE-2022-1328.patch 1970-01-01 00:00:00.000000000 +0000
+++ mutt-1.13.2/debian/patches/CVE-2022-1328.patch 2022-04-19 14:10:22.000000000 +0000
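Review bot: The post-increment on the `else` branch, `*(iter->substr_end++) = '\0';`, carries the whole fix but no comment, so a reader who only sees that the skip loop was removed will not know why `substr_end` is now left one past the separator. Suggest placing `/* Terminate this element and step past the ',' now: a seqset ending in a comma then leaves substr_end == eostr, so the next call returns 1 instead of scanning past the string. */` above that line. mutt_seqset_iterator_next continues outside the hunk, and the place where `substr_cur` is advanced to `substr_end` for the next call is not visible here; presumably that assignment is what makes dropping the `while (!*(iter->substr_cur))` loop safe, which is worth confirming against the rest of the function. A regression test that iterates a seqset with a trailing comma, the input the commit message describes, would pin this behaviour.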
@@ -0,0 +1,37 @@
+From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Tue, 5 Apr 2022 11:05:52 -0700
+Subject: [PATCH] Fix uudecode buffer overflow.
+
+mutt_decode_uuencoded() used each line's initial "length character"
+without any validation. It would happily read past the end of the
+input line, and with a suitable value even past the length of the
+input buffer.
+
+As I noted in ticket 404, there are several other changes that could
+be added to make the parser more robust. However, to avoid
+accidentally introducing another bug or regression, I'm restricting
+this patch to simply addressing the overflow.
+
+Thanks to Tavis Ormandy for reporting the issue, along with a sample
+message demonstrating the problem.
+---
+ handler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: mutt-1.13.2/handler.c
+===================================================================
+--- mutt-1.13.2.orig/handler.c
++++ mutt-1.13.2/handler.c
+@@ -403,9 +403,9 @@ static void mutt_decode_uuencoded (STATE
+ pt = tmps;
+ linelen = decode_byte (*pt);
+ pt++;
+- for (c = 0; c < linelen;)
++ for (c = 0; c < linelen && *pt;)
+ {
+- for (l = 2; l <= 6; l += 2)
++ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
+ {
+ out = decode_byte (*pt) << l;
+ pt++;
diff -Nru mutt-1.13.2/debian/patches/series mutt-1.13.2/debian/patches/series
--- mutt-1.13.2/debian/patches/series 2021-01-21 16:01:51.000000000 +0000
+++ mutt-1.13.2/debian/patches/series 2022-04-19 14:10:18.000000000 +0000
@@ -18,3 +18,5 @@
 CVE-2021-3181-1.patch
 CVE-2021-3181-2.patch
 CVE-2021-3181-3.patch
+CVE-2021-32055.patch
+CVE-2022-1328.patch
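Review bot: The two new loop guards, `c < linelen && *pt` and `l <= 6 && *pt && *(pt + 1)`, encode the bounds reasoning for a message-supplied `linelen` without saying so; `linelen = decode_byte (*pt)` two lines above is still taken from the line unvalidated, so the guards deserve a comment such as `/* linelen comes from the message and is not trusted: stop at the end of the line, whatever it claims */` on the outer `for`. The inner guard checks `*(pt + 1)` because the body reads `*pt`, does the visible `pt++`, and presumably reads `*pt` again beyond the hunk; that the unchanged `pt++` after the inner loop lands on the terminator rather than past it rests on code not visible here and should be confirmed. mutt_decode_uuencoded begins and ends outside the hunk. A regression test with a uuencoded line whose length character claims more bytes than the line holds would pin the fix, and the commit message itself notes the parser remains fragile beyond this one overflow.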