-rw-r--r--community/mutt/APKBUILD10
-rw-r--r--community/mutt/CVE-2021-3181.patch37
2 files changed, 44 insertions, 3 deletions
diff --git a/community/mutt/APKBUILD b/community/mutt/APKBUILD
index 6ad0a9cd4f2..addeb7035d5 100644
--- a/community/mutt/APKBUILD
+++ b/community/mutt/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Andrew Manison <amanison@anselsystems.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mutt
-pkgver=1.14.4
+pkgver=1.14.7
pkgrel=0
pkgdesc="Small and very powerful text-mode email client"
url="http://www.mutt.org"
@@ -12,9 +12,12 @@ makedepends="cyrus-sasl-dev gdbm-dev gettext-dev gpgme-dev
libidn-dev ncurses-dev openssl-dev perl"
options="suid !check"
subpackages="$pkgname-doc $pkgname-lang"
-source="https://bitbucket.org/mutt/mutt/downloads/mutt-$pkgver.tar.gz"
+source="https://bitbucket.org/mutt/mutt/downloads/mutt-$pkgver.tar.gz
+ CVE-2021-3181.patch"
# secfixes:
+# 1.14.7-r0:
+# - CVE-2021-3181
# 1.14.4-r0:
# - CVE-2020-14093
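Review bot: The `# secfixes:` entry records CVE-2021-3181 as fixed in 1.14.7-r0, but the visible hunks only add `CVE-2021-3181.patch` to `source` and do not show where it is applied. If this APKBUILD defines its own `prepare()`, that function needs to call `default_prepare` for the patch to take effect; it lies outside the hunks, so this should be confirmed. Because `options` carries `!check`, no test run at build time would catch an unapplied patch.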
@@ -56,4 +59,5 @@ package() {
"$pkgdir"/etc/Muttrc.gpg.dist
}
-sha512sums="86484f009ca8bd1e26206694e03609a16f8a4e8c83620a07a4376fe160535a838e8c918a8a30799fb3d9cf46c059d67124f7425c42093fb5e5bf8ea4ac310daa mutt-1.14.4.tar.gz"
+sha512sums="dc9739b5f0a99ca70fcbd495c71fbead23e3481f9c9e426feb827997c9c42e5f28355084f54788820c96a079dedb649fcc20e69436fb3c4df7e46f372b533e7c mutt-1.14.7.tar.gz
+adfba1eaff2c5e7b046bf1ae42a472a13ca5b2efca525bca5aede84715899e8b1fb7c8d97b9c88f3688c36413c8789895e714d16616b8182e4543148bf743c21 CVE-2021-3181.patch"
diff --git a/community/mutt/CVE-2021-3181.patch b/community/mutt/CVE-2021-3181.patch
new file mode 100644
index 00000000000..6fc494a2231
--- /dev/null
+++ b/community/mutt/CVE-2021-3181.patch
@@ -0,0 +1,37 @@
+From c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 17 Jan 2021 10:40:37 -0800
+Subject: [PATCH] Fix memory leak parsing group address.
+
+When there was a group address terminator with no previous addresses,
+an address would be allocated but not attached to the address list.
+
+Change this to only allocate when last exists.
+
+It would be more correct to not allocate at all unless we are inside a
+group list, but I will address that in a separate commit to master.
+---
+ rfc822.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/rfc822.c b/rfc822.c
+index 7ff4eaa3..ced619f2 100644
+--- a/rfc822.c
++++ b/rfc822.c
+@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
+ #endif
+
+ /* add group terminator */
+- cur = rfc822_new_address ();
+ if (last)
+ {
+- last->next = cur;
+- last = cur;
++ last->next = rfc822_new_address ();
++ last = last->next;
+ }
+
+ phraselen = 0;
+--
+GitLab
+
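Review bot: The comment `/* add group terminator */` no longer says why the allocation is conditional, and that condition is the whole fix. I would change it to `/* add group terminator; allocate only when there is a list to attach it to, otherwise the node leaks */`. Per the commit description, a terminator outside a group list still appends an empty node whenever `last` is set, and the follow-up that addresses this is not part of this backport, so it is worth tracking against upstream. `rfc822_parse_adrlist` begins and ends outside the hunk.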