http://www.mutt.org/news.html

https://github.com/neomutt/neomutt/commit/93b8ac558752d09e1c56d4f1bc82631316fa9c82

https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6

[debian-lts-announce] 20180802 [SECURITY] [DLA 1455-1] mutt security update

https://neomutt.org/2018/07/16/release

GLSA-201810-07

USN-3719-3

DSA-4277

This update for mutt fixes the following issues :

Security issues fixed :

bsc#1101428: Mutt 1.10.1 security release update.

CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).

CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).

CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).

CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).

CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).

CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).

CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).

CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).

CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).

CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).

CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).

CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).

CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).

CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).

CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).

Bug fixes: mutt reports as neomutt and incorrect version (bsc#1094717)

No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)

mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)

(neo)mutt displaying times in Zulu time (bsc#1061343)

mutt unconditionally segfaults when displaying a message (bsc#986534)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mutt fixes the following issues :

Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568).

Bug fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

This update was imported from the SUSE:SLE-15:Update update project.

This update for mutt fixes the following issues :

Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568).

Bug fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

  - No sidebar available in mutt 1.6.1 from Tumbleweed     snapshot 20160517 (bsc#980830)

  - mutt-1.6.1 unusable when built with --enable-sidebar     (bsc#982129)

  - (neo)mutt displaying times in Zulu time (bsc#1061343)

  - mutt unconditionally segfaults when displaying a message     (bsc#986534)

  - For openSUSE Leap 42.3, retain split of -lang and -doc     (boo#1120935)

This update was imported from the SUSE:SLE-12:Update update project.

Upgrade to 1.10.1

Security fix for CVE-2018-14358, CVE-2018-14352, CVE-2018-14353, CVE-2018-14356, CVE-2018-14359, CVE-2018-14354, CVE-2018-14355, CVE-2018-14362, CVE-2018-14357, CVE-2018-14350, CVE-2018-14349, CVE-2018-14351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mutt fixes the following issues: Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568). Bug     fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201810-07 (Mutt, NeoMutt: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mutt, and NeoMutt.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted mail       message or connect to malicious mail server using Mutt or NeoMutt,       possibly resulting in execution of arbitrary code or directory traversal       with the privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

USN-3719-1 fixed vulnerabilities in Mutt. Unfortunately, the fixes were not correctly applied to the packaging for Mutt in Ubuntu 16.04 LTS. This update corrects the oversight.

We apologize for the inconvenience.

Original advisory details :

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code.
(CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353 ,CVE-2018-14357)

It was discovered that Mutt incorrectly handled certain inputs. An attacker could possibly use this to access or expose sensitive information. (CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362, CVE-2018-14349).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mutt fixes the following issues: Security issues fixed :

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571). Bug fixes :

  - bsc#936807: On entering a 70 character subject line in     mutt, a tab is added to the text after 67 characters.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, potentially leading to code execution, denial of service or information disclosure when connecting to a malicious mail/NNTP server.

Several vulnerabilities have been discovered in mutt, a sophisticated text-based Mail User Agent, resulting in denial of service, stack-based buffer overflow, arbitrary command execution, and directory traversal flaws.

For Debian 8 'Jessie', these problems have been fixed in version 1.5.23-3+deb8u1.

We recommend that you upgrade your mutt packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2018-14358, CVE-2018-14352, CVE-2018-14353, CVE-2018-14356, CVE-2018-14359, CVE-2018-14354, CVE-2018-14355, CVE-2018-14362, CVE-2018-14357, CVE-2018-14350, CVE-2018-14349, CVE-2018-14351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mutt fixes the following issues: Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568). Bug     fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

  - No sidebar available in mutt 1.6.1 from Tumbleweed     snapshot 20160517 (bsc#980830)

  - mutt-1.6.1 unusable when built with --enable-sidebar     (bsc#982129)

  - (neo)mutt displaying times in Zulu time (bsc#1061343)

  - mutt unconditionally segfaults when displaying a message     (bsc#986534)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code.
(CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353 ,CVE-2018-14357)

It was discovered that Mutt incorrectly handled certain inputs. An attacker could possibly use this to access or expose sensitive information. (CVE-2018-14355, CVE-2018-14356, CVE-2018-14351, CVE-2018-14362, CVE-2018-14349).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NeoMutt report : DescriptionCVE-2018-14349 NO Response Heap Overflow CVE-2018-14350 INTERNALDATE Stack Overflow CVE-2018-14351 STATUS Literal Length relative write CVE-2018-14352 imap_quote_string off-by-one stack overflow CVE-2018-14353 imap_quote_string int underflow CVE-2018-14354 imap_subscribe Remote Code Execution CVE-2018-14355 STATUS mailbox header cache directory traversal CVE-2018-14356 POP empty UID NULL deref CVE-2018-14357 LSUB Remote Code Execution CVE-2018-14358 RFC822.SIZE Stack Overflow CVE-2018-14359 base64 decode Stack Overflow CVE-2018-14360 NNTP Group Stack Overflow CVE-2018-14361 NNTP Write 1 where via GROUP response CVE-2018-14362 POP Message Cache Directory Traversal CVE-2018-14363 NNTP Header Cache Directory Traversal

Kevin J. McCarthy reports :

Fixes a remote code injection vulnerability when 'subscribing' to an IMAP mailbox, either via $imap_check_subscribed, or via the <subscribe> function in the browser menu. Mutt was generating a 'mailboxes' command and sending that along to the muttrc parser.
However, it was not escaping '`', which executes code and inserts the result. This would allow a malicious IMAP server to execute arbitrary code (for $imap_check_subscribed).

Fixes POP body caching path traversal vulnerability.

Fixes IMAP header caching path traversal vulnerability.

CVE-2018-14349 - NO Response Heap Overflow

CVE-2018-14350 - INTERNALDATE Stack Overflow

CVE-2018-14351 - STATUS Literal Length relative write

CVE-2018-14352 - imap_quote_string off-by-one stack overflow

CVE-2018-14353 - imap_quote_string int underflow

CVE-2018-14354 - imap_subscribe Remote Code Execution

CVE-2018-14355 - STATUS mailbox header cache directory traversal

CVE-2018-14356 - POP empty UID NULL deref

CVE-2018-14357 - LSUB Remote Code Execution

CVE-2018-14358 - RFC822.SIZE Stack Overflow

CVE-2018-14359 - base64 decode Stack Overflow

CVE-2018-14362 - POP Message Cache Directory Traversal

ID	Name	Product	Family	Severity
124757	SUSE SLED12 / SLES12 Security Update : mutt (SUSE-SU-2019:1196-1)	Nessus	SuSE Local Security Checks	high
123246	openSUSE Security Update : mutt (openSUSE-2019-569)	Nessus	SuSE Local Security Checks	high
121281	openSUSE Security Update : mutt (openSUSE-2019-52)	Nessus	SuSE Local Security Checks	high
120894	Fedora 28 : 5:mutt (2018-f1438c5833)	Nessus	Fedora Local Security Checks	high
120066	SUSE SLED15 / SLES15 Security Update : mutt (SUSE-SU-2018:2085-1)	Nessus	SuSE Local Security Checks	high
118507	GLSA-201810-07 : Mutt, NeoMutt: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
117825	Ubuntu 16.04 LTS : mutt vulnerabilities (USN-3719-3)	Nessus	Ubuntu Local Security Checks	high
112011	SUSE SLES11 Security Update : mutt (SUSE-SU-2018:2403-1)	Nessus	SuSE Local Security Checks	high
111986	Debian DSA-4277-1 : mutt - security update	Nessus	Debian Local Security Checks	high
111571	openSUSE Security Update : mutt (openSUSE-2018-809)	Nessus	SuSE Local Security Checks	high
111519	Debian DLA-1455-1 : mutt security update	Nessus	Debian Local Security Checks	high
111470	Fedora 27 : 5:mutt (2018-502e31a658)	Nessus	Fedora Local Security Checks	high
111435	SUSE SLED12 / SLES12 Security Update : mutt (SUSE-SU-2018:2084-1)	Nessus	SuSE Local Security Checks	high
111268	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : mutt vulnerabilities (USN-3719-1)	Nessus	Ubuntu Local Security Checks	high
111181	FreeBSD : mutt/neomutt -- multiple vulnerabilities (fe12ef83-8b47-11e8-96cc-001a4a7ec6be)	Nessus	FreeBSD Local Security Checks	high
111179	FreeBSD : mutt -- remote code injection and path traversal vulnerability (a2f35081-8a02-11e8-8fa5-4437e6ad11c4)	Nessus	FreeBSD Local Security Checks	high

CVE-2018-14356

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins