-rw-r--r-- | community/mutt/APKBUILD | 10 | ||||
-rw-r--r-- | community/mutt/CVE-2021-3181.patch | 37 |
2 files changed, 44 insertions, 3 deletions
diff --git a/community/mutt/APKBUILD b/community/mutt/APKBUILD
index 6ad0a9cd4f2..addeb7035d5 100644
--- a/community/mutt/APKBUILD
+++ b/community/mutt/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Andrew Manison <amanison@anselsystems.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mutt
-pkgver=1.14.4
+pkgver=1.14.7
 pkgrel=0
 pkgdesc="Small and very powerful text-mode email client"
 url="http://www.mutt.org"
@@ -12,9 +12,12 @@ makedepends="cyrus-sasl-dev gdbm-dev gettext-dev gpgme-dev libidn-dev ncurses-dev openssl-dev perl"
 options="suid !check"
 subpackages="$pkgname-doc $pkgname-lang"
-source="https://bitbucket.org/mutt/mutt/downloads/mutt-$pkgver.tar.gz"
+source="https://bitbucket.org/mutt/mutt/downloads/mutt-$pkgver.tar.gz
+ CVE-2021-3181.patch"
 # secfixes:
+# 1.14.7-r0:
+# - CVE-2021-3181
 # 1.14.4-r0:
 # - CVE-2020-14093
@@ -56,4 +59,5 @@ package() {
 "$pkgdir"/etc/Muttrc.gpg.dist
 }
-sha512sums="86484f009ca8bd1e26206694e03609a16f8a4e8c83620a07a4376fe160535a838e8c918a8a30799fb3d9cf46c059d67124f7425c42093fb5e5bf8ea4ac310daa mutt-1.14.4.tar.gz"
+sha512sums="dc9739b5f0a99ca70fcbd495c71fbead23e3481f9c9e426feb827997c9c42e5f28355084f54788820c96a079dedb649fcc20e69436fb3c4df7e46f372b533e7c mutt-1.14.7.tar.gz
+adfba1eaff2c5e7b046bf1ae42a472a13ca5b2efca525bca5aede84715899e8b1fb7c8d97b9c88f3688c36413c8789895e714d16616b8182e4543148bf743c21 CVE-2021-3181.patch"
diff --git a/community/mutt/CVE-2021-3181.patch b/community/mutt/CVE-2021-3181.patch
new file mode 100644
index 00000000000..6fc494a2231
--- /dev/null
+++ b/community/mutt/CVE-2021-3181.patch
@@ -0,0 +1,37 @@
+From c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 10:40:37 -0800
+Subject: [PATCH] Fix memory leak parsing group address.
+
+When there was a group address terminator with no previous addresses,
+an address would be allocated but not attached to the address list.
+
+Change this to only allocate when last exists.
+
+It would be more correct to not allocate at all unless we are inside a
+group list, but I will address that in a separate commit to master.
+---
+ rfc822.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/rfc822.c b/rfc822.c
+index 7ff4eaa3..ced619f2 100644
+--- a/rfc822.c
++++ b/rfc822.c
+@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
+ #endif
+
+ /* add group terminator */
+- cur = rfc822_new_address ();
+ if (last)
+ {
+- last->next = cur;
+- last = cur;
++ last->next = rfc822_new_address ();
++ last = last->next;
+ }
+
+ phraselen = 0;
+--
+GitLab
+ |
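Review bot: The group-terminator branch in the backported rfc822.c change no longer assigns `cur`, so any code later in rfc822_parse_adrlist that reads `cur` after a terminator would now see the pointer left over from the previous address instead of the new node. The rest of the function lies outside the hunk, so this should be confirmed against the full rfc822.c shipped in 1.14.7. The patch message itself calls this an interim fix, and a terminator outside a group still appends a node whenever `last` is set, so I would record that next to the source entry in the APKBUILD, e.g. `# CVE-2021-3181.patch: upstream commit c059e20e, interim fix; remove once pkgver contains it`. The patch file should otherwise stay byte-identical to the upstream commit, since its sha512 is pinned.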