Fix CVE-2014-9116. Copied from Debian: This patch solves the issue raised by CVE-2014-9116 in bug 771125. We correctly redefine what are the whitespace characters as per RFC5322; by doing so we prevent mutt_substrdup from being used in a way that could lead to a segfault. The lib.c part was written by Antonio Radici to prevent crashes due to this kind of bugs from happening again. The wheezy version of this patch is slightly different, therefore this patch has -jessie prefixed in its name. The sendlib.c part was provided by Salvatore Bonaccorso and it is the same as the upstream patch reported here: http://dev.mutt.org/trac/attachment/ticket/3716/ticket-3716-stable.patch --- a/lib.c +++ b/lib.c @@ -815,6 +815,9 @@ char *mutt_substrdup (const char *begin, size_t len; char *p; + if (end != NULL && end < begin) + return NULL; + if (end) len = end - begin; else --- a/sendlib.c +++ b/sendlib.c @@ -1814,7 +1814,12 @@ static int write_one_header (FILE *fp, i { tagbuf = mutt_substrdup (start, t); /* skip over the colon separating the header field name and value */ - t = skip_email_wsp(t + 1); + ++t; + + /* skip over any leading whitespace (WSP, as defined in RFC5322) */ + while (*t == ' ' || *t == '\t') + t++; + valbuf = mutt_substrdup (t, end); } dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
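Review bot: the new early return in mutt_substrdup (lib.c, the `end < begin` guard) makes NULL a possible return value, but nothing in the patch documents it and the callers visible here do not check for it. In write_one_header both `tagbuf = mutt_substrdup (start, t);` and `valbuf = mutt_substrdup (t, end);` are assigned with no NULL test in the lines shown. Please add a comment above the guard stating that NULL is returned when end precedes begin, and confirm that each caller either tolerates a NULL result or cannot reach this path. Otherwise the crash this guard prevents could reappear as a NULL dereference at the call site.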
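Review bot: in write_one_header (sendlib.c) the replacement loop `while (*t == ' ' || *t == '\t')` is bounded only by the character test, not by `end`, so the following `mutt_substrdup (t, end)` still depends on t never advancing past end. If end is guaranteed non-NULL at this point, consider adding `t < end &&` to the loop condition. If it is not, add a comment explaining why a non-WSP byte is always reached first. As written, the new guard in lib.c is the only thing that catches the case where t overshoots. A minor style point in the same hunk: `++t;` and `t++;` are mixed within a few lines, and picking one form would read more cleanly.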