From 20b3902931adebc2dcb2a4c9693c0c7112fb3da3 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Mon, 1 Dec 2014 14:19:24 -0800
Subject: [PATCH] Revert write_one_header() to skip space and tab. (closes #3716)

This patch fixes CVE-2014-9116 in the stable branch. It reverts write_one_header() to the pre [f251d523ca5a] code for skipping whitespace. Thanks to Antonio Radici and Tomas Hoger for their analysis and patches to mutt, which this patch is based off of.
---
 sendlib.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sendlib.c b/sendlib.c
index cede8534..f364f9f1 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -1814,7 +1814,14 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
 {
 tagbuf = mutt_substrdup (start, t);
 /* skip over the colon separating the header field name and value */
- t = skip_email_wsp(t + 1);
+ ++t;
+
+ /* skip over any leading whitespace (WSP, as defined in RFC5322)
+ * NOTE: skip_email_wsp() does the wrong thing here.
+ * See tickets 3609 and 3716. */
+ while (*t == ' ' || *t == '\t')
+ t++;
+
 valbuf = mutt_substrdup (t, end);
 }
 dprint(4,(debugfile,"mwoh: buf[%s%s] too long, "
-- 
2.40.0
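Review bot: The new `while (*t == ' ' || *t == '\t')` loop is not bounded by `end`, so `t` stays at or before `end` only if the byte at `end` is never a space or tab (presumably a newline or the terminating NUL, but the caller is not visible in this hunk). Since `t` is passed straight to `mutt_substrdup (t, end)`, whose behaviour for `t > end` is also not shown here, I would make the invariant explicit with `while (t < end && (*t == ' ' || *t == '\t'))`. The comment could also say why `skip_email_wsp()` is wrong here, for example that it may step over characters that terminate the header, so nobody has to look up tickets 3609 and 3716. The body of write_one_header() starts and ends outside the hunk, so the earlier check on `t` against `end` should be confirmed there.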