Bug 47521 - mutt: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:
Reported: 2018-08-09 10:17 CEST by Quality Assurance
Modified: 2018-08-15 16:19 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2018-08-09 10:17:30 CEST
New Debian mutt 1.5.23-3+deb8u1 fixes:
This update addresses the following issue(s):
* CVE_2007-1268 is open
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message. (CVE-2018-14349)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field. (CVE-2018-14350)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size. (CVE-2018-14351)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote characters, leading to a stack-based buffer overflow. (CVE-2018-14352)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow. (CVE-2018-14353)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription. (CVE-2018-14354)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/util.c mishandles ".." directory traversal in a mailbox name. (CVE-2018-14355)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID. (CVE-2018-14356)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription. (CVE-2018-14357)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long RFC822.SIZE field. (CVE-2018-14358)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They have a buffer overflow via base64 data. (CVE-2018-14359)
* An issue was discovered in NeoMutt before 2018-07-16. nntp_add_group in newsrc.c has a stack-based buffer overflow because of incorrect sscanf usage. (CVE-2018-14360)
* An issue was discovered in NeoMutt before 2018-07-16. nntp.c proceeds even if memory allocation fails for messages data. (CVE-2018-14361)
* An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character. (CVE-2018-14362)
* An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames. (CVE-2018-14363)
* TEMP-0775199-D05A9E is open

1.5.23-3+deb8u1 (Fri, 27 Jul 2018 22:20:50 -0400)
* Non-maintainer upload by the LTS Team. (Closes: 904051)
* Fix arbitrary command execution by remote IMAP servers via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription (CVE-2018-14354)
* Fix arbitrary command execution by remote IMAP servers via backquote characters, related to the mailboxes command associated with an automatic subscription (CVE-2018-14357)
* Fix a stack-based buffer overflow caused by imap_quote_string() not leaving room for quote characters (CVE-2018-14352)
* Fix an integer underflow in imap_quote_string() (CVE-2018-14353)
* Fix mishandling of zero-length UID in pop.c (CVE-2018-14356)
* Fix unsafe interaction between message-cache pathnames and certain characters in pop.c (CVE-2018-14362)
* Fix mishandling of ".." directory traversal in IMAP mailbox name (CVE-2018-14355)
* Fix a stack-based buffer overflow for an IMAP FETCH response with a long INTERNALDATE field (CVE-2018-14350)
* Fix a stack-based buffer overflow for an IMAP FETCH response with a long RFC822.SIZE field (CVE-2018-14358)
* Fix mishandling of an IMAP NO response without a message (CVE-2018-14349)
* Fix mishandling of long IMAP status mailbox literal count size (CVE-2018-14351)
* Fix a buffer overflow via base64 data (CVE-2018-14359)
* Fix a stack-based buffer overflow because of incorrect sscanf usage (CVE-2018-14360)
* Fix a defect where processing continues if memory allocation fails for NNTP messages (CVE-2018-14361)
* Fix unsafe interaction between message-cache pathnames and certain characters in newsrc.c (CVE-2018-14363)

* CVE-2018-14349 mutt: Heap Overflow in imap/command.c (CVE-2018-14349)
* CVE-2018-14350 mutt: stack-based buffer overflow in imap/message.c (CVE-2018-14350)
* CVE-2018-14351 mutt: IMAP status mailbox literal mishandled in imap/command.c (CVE-2018-14351)
* CVE-2018-14352 mutt: stack-based buffer overflow in imap/util.c (CVE-2018-14352)
* CVE-2018-14353 mutt: integer underflow in imap/util.c (CVE-2018-14353)
* CVE-2018-14354 mutt: Remote code injection vulnerability to an IMAP mailbox (CVE-2018-14354)
* CVE-2018-14355 mutt: IMAP header caching path traversal vulnerability (CVE-2018-14355)
* CVE-2018-14356 mutt: mishandles a zero-length UID in pop.c (CVE-2018-14356)
* CVE-2018-14357 mutt: Remote Code Execution via backquote characters (CVE-2018-14357)
* CVE-2018-14358 mutt: stack-based buffer overflow in imap/message.c (CVE-2018-14358)
* CVE-2018-14359 mutt: buffer overflow via base64 data (CVE-2018-14359)
* CVE-2018-14362 mutt: POP body caching path traversal vulnerability (CVE-2018-14362)
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:44:01 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/mutt_1.5.23-3.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/mutt_1.5.23-3+deb8u1.dsc
@@ -1,6 +1,38 @@
+1.5.23-3+deb8u1 [Fri, 27 Jul 2018 22:20:50 -0400] Roberto C. Sanchez <roberto@debian.org>:
+
+  * Non-maintainer upload by the LTS Team. (Closes: 904051)
+  * Fix arbitrary command execution by remote IMAP servers via backquote
+    characters, related to the mailboxes command associated with a manual
+    subscription or unsubscription (CVE-2018-14354)
+  * Fix arbitrary command execution by remote IMAP servers via backquote
+    characters, related to the mailboxes command associated with an automatic
+    subscription (CVE-2018-14357)
+  * Fix a stack-based buffer overflow caused by imap_quote_string() not
+    leaving room for quote characters (CVE-2018-14352)
+  * Fix an integer underflow in imap_quote_string() (CVE-2018-14353)
+  * Fix mishandling of zero-length UID in pop.c (CVE-2018-14356)
+  * Fix unsafe interaction between message-cache pathnames and certain
+    characters in pop.c (CVE-2018-14362)
+  * Fix mishandling of ".." directory traversal in IMAP mailbox name
+    (CVE-2018-14355)
+  * Fix a stack-based buffer overflow for an IMAP FETCH response with a long
+    INTERNALDATE field (CVE-2018-14350)
+  * Fix a stack-based buffer overflow for an IMAP FETCH response with a long
+    RFC822.SIZE field (CVE-2018-14358)
+  * Fix mishandling of an IMAP NO response without a message (CVE-2018-14349)
+  * Fix mishandling of long IMAP status mailbox literal count size
+    (CVE-2018-14351)
+  * Fix a buffer overflow via base64 data (CVE-2018-14359)
+  * Fix a stack-based buffer overflow because of incorrect sscanf usage
+    (CVE-2018-14360)
+  * Fix a defect where processing continues if memory allocation fails for
+    NNTP messages (CVE-2018-14361)
+  * Fix unsafe interaction between message-cache pathnames and certain
+    characters in newsrc.c (CVE-2018-14363)
+
 1.5.23-3 [Thu, 04 Dec 2014 21:09:07 +0000] Antonio Radici <antonio@dyne.org>:
 
   * Fixed upstream/771125-CVE-2014-9116-jessie.patch thanks to Salvatore
     Bonaccorso; now it correctly fixes the CVE and does not affect other
-   functionalities of mutt (Closes: 771674)
+    functionalities of mutt (Closes: 771674)
 
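Review bot: The last three entries of the new 1.5.23-3+deb8u1 block (CVE-2018-14360, CVE-2018-14361 and CVE-2018-14363, the sscanf, NNTP allocation and newsrc.c items) are described in this bug's description as NeoMutt issues only, and the per-CVE summary list in the description stops at CVE-2018-14362 without them. Please confirm that this mutt source actually carries the NNTP/newsrc.c code those fixes apply to, and make the errata text either list all fifteen CVEs from the changelog or state why three are left out. The closing -/+ pair on "functionalities of mutt (Closes: 771674)" is an indentation-only change to the old 1.5.23-3 entry and needs no mention in the announcement.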

<http://10.200.17.11/4.2-4/#5998964184392568087>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 10:09:40 CEST
OK: piuparts
OK: patch
OK: errata-announce

[4.2-4] 1b4e7f641b Bug #47521: mutt 1.5.23-3+deb8u1
 doc/errata/staging/mutt.yaml | 52 ++++++++++++++++----------------------------
 1 file changed, 19 insertions(+), 33 deletions(-)

[4.2-4] 3fcdbaef3b Bug #47521: mutt 1.5.23-3+deb8u1
 doc/errata/staging/mutt.yaml | 57 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:19:43 CEST
<http://errata.software-univention.de/ucs/4.2/468.html>