From 7cab1ae097f9f74fa209b20b343bf51c14cee26d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@fedoraproject.org>
Date: May 28 2007 14:48:11 +0000
Subject: - validate msgid in APOP authentication (CVE-2007-1558)

- fix overflow in gecos field handling (CVE-2007-2683)

---

diff --git a/mutt-apopmsgid.patch b/mutt-apopmsgid.patch
new file mode 100644
index 0000000..5d86645
--- /dev/null
+++ b/mutt-apopmsgid.patch
@@ -0,0 +1,91 @@
+# HG changeset patch
+# User Brendan Cully <brendan@kublai.com>
+# Date 1175552458 25200
+# Node ID 4adb236ca78d25cd6eb4805da033a0951b62b0dd
+# Parent  e363d7a6904653f2b5acc17f6ea0da526bb63711
+Validate msgid in APOP authentication. Closes #2846
+
+diff -r e363d7a69046 -r 4adb236ca78d pop_auth.c
+--- a/pop_auth.c	Tue Apr 03 08:59:11 2007 -0700
++++ b/pop_auth.c	Mon Apr 02 15:20:58 2007 -0700
+@@ -183,6 +183,13 @@ static pop_auth_res_t pop_auth_apop (POP
+   if (!pop_data->timestamp)
+     return POP_A_UNAVAIL;
+ 
++  if (rfc822_valid_msgid (pop_data->timestamp) < 0)
++  {
++    mutt_error _("POP timestamp is invalid!");
++    mutt_sleep (2);
++    return POP_A_UNAVAIL;
++  }
++
+   mutt_message _("Authenticating (APOP)...");
+ 
+   /* Compute the authentication hash to send to the server */
+diff -r e363d7a69046 -r 4adb236ca78d rfc822.c
+--- a/rfc822.c	Tue Apr 03 08:59:11 2007 -0700
++++ b/rfc822.c	Mon Apr 02 15:20:58 2007 -0700
+@@ -792,6 +792,52 @@ ADDRESS *rfc822_append (ADDRESS **a, ADD
+   return tmp;
+ }
+ 
++/* incomplete. Only used to thwart the APOP MD5 attack (#2846). */
++int rfc822_valid_msgid (const char *msgid)
++{
++  /* msg-id         = "<" addr-spec ">"
++   * addr-spec      = local-part "@" domain
++   * local-part     = word *("." word)
++   * word           = atom / quoted-string
++   * atom           = 1*<any CHAR except specials, SPACE and CTLs>
++   * CHAR           = ( 0.-127. )
++   * specials       = "(" / ")" / "<" / ">" / "@"
++                    / "," / ";" / ":" / "\" / <">
++		    / "." / "[" / "]"
++   * SPACE          = ( 32. )
++   * CTLS           = ( 0.-31., 127.)
++   * quoted-string  = <"> *(qtext/quoted-pair) <">
++   * qtext          = <any CHAR except <">, "\" and CR>
++   * CR             = ( 13. )
++   * quoted-pair    = "\" CHAR
++   * domain         = sub-domain *("." sub-domain)
++   * sub-domain     = domain-ref / domain-literal
++   * domain-ref     = atom
++   * domain-literal = "[" *(dtext / quoted-pair) "]"
++   */
++
++  char* dom;
++  unsigned int l, i;
++
++  if (!msgid || !*msgid)
++    return -1;
++
++  l = mutt_strlen (msgid);
++  if (l < 5) /* <atom@atom> */
++    return -1;
++  if (msgid[0] != '<' || msgid[l-1] != '>')
++    return -1;
++  if (!(dom = strrchr (msgid, '@')))
++    return -1;
++
++  /* TODO: complete parser */
++  for (i = 0; i < l; i++)
++    if ((unsigned char)msgid[i] > 127)
++      return -1;
++
++  return 0;
++}
++
+ #ifdef TESTING
+ int safe_free (void **p)	/* __SAFE_FREE_CHECKED__ */
+ {
+diff -r e363d7a69046 -r 4adb236ca78d rfc822.h
+--- a/rfc822.h	Tue Apr 03 08:59:11 2007 -0700
++++ b/rfc822.h	Mon Apr 02 15:20:58 2007 -0700
+@@ -52,6 +52,7 @@ void rfc822_write_address_single (char *
+ void rfc822_write_address_single (char *, size_t, ADDRESS *, int);
+ void rfc822_free_address (ADDRESS **addr);
+ void rfc822_cat (char *, size_t, const char *, const char *);
++int rfc822_valid_msgid (const char *msgid);
+ 
+ extern int RFC822Error;
+ extern const char *RFC822Errors[];
diff --git a/mutt-gecos.patch b/mutt-gecos.patch
new file mode 100644
index 0000000..0b10087
--- /dev/null
+++ b/mutt-gecos.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Brendan Cully <brendan@kublai.com>
+# Date 1178561955 25200
+# Node ID 47d08903b79b78ce26516de97682b244d3573c47
+# Parent  f6861b85f22b1656a870aeabad83a1bbd9794af9
+Use signed arithmetic in mutt_gecos_name to avoid an overflow.
+Closes #2885.
+
+diff -r f6861b85f22b -r 47d08903b79b muttlib.c
+--- a/muttlib.c	Wed May 02 10:50:07 2007 -0700
++++ b/muttlib.c	Mon May 07 11:19:15 2007 -0700
+@@ -540,7 +540,7 @@ char *mutt_gecos_name (char *dest, size_
+     if (dest[idx] == '&')
+     {
+       memmove (&dest[idx + pwnl], &dest[idx + 1],
+-	       MAX(destlen - idx - pwnl - 1, 0));
++	       MAX((ssize_t)(destlen - idx - pwnl - 1), 0));
+       memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
+       dest[idx] = toupper ((unsigned char) dest[idx]);
+     }
diff --git a/mutt.spec b/mutt.spec
index 3cd3a6a..c6ebcfb 100644
--- a/mutt.spec
+++ b/mutt.spec
@@ -1,7 +1,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 1.5.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 5
 License: GPL
 Group: Applications/Internet
@@ -15,6 +15,8 @@ Patch4: mutt-1.5.13-manual.patch
 Patch5: urlview-0.9-default.patch
 Patch6: urlview.diff
 Patch7: mutt-1.5.14-checkmboxsize.patch
+Patch8: mutt-apopmsgid.patch
+Patch9: mutt-gecos.patch
 Url: http://www.mutt.org/
 Requires: /usr/sbin/sendmail webclient mailcap
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -39,6 +41,8 @@ you are going to use.
 %patch5 -p0 -b .default
 %patch6 -p0 -b .build
 %patch7 -p1 -b .checkmboxsize
+%patch8 -p1 -b .apopmsgid
+%patch9 -p1 -b .gecos
 
 install -p -m644 %{SOURCE1} mutt_ldap_query
 
@@ -117,6 +121,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/muttrc.*
 
 %changelog
+* Mon May 28 2007 Miroslav Lichvar <mlichvar@redhat.com> 5:1.5.14-4
+- validate msgid in APOP authentication (CVE-2007-1558)
+- fix overflow in gecos field handling (CVE-2007-2683)
+
 * Mon Mar 19 2007 Miroslav Lichvar <mlichvar@redhat.com> 5:1.5.14-3
 - fix building