https://github.com/neomutt/neomutt/commit/6296f7153f0c9d5e5cd3aaf08f9731e56621bdd3

[debian-lts-announce] 20180802 [SECURITY] [DLA 1455-1] mutt security update

https://neomutt.org/2018/07/16/release

DSA-4277

This update for mutt fixes the following issues :

Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568).

Bug fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

  - No sidebar available in mutt 1.6.1 from Tumbleweed     snapshot 20160517 (bsc#980830)

  - mutt-1.6.1 unusable when built with --enable-sidebar     (bsc#982129)

  - (neo)mutt displaying times in Zulu time (bsc#1061343)

  - mutt unconditionally segfaults when displaying a message     (bsc#986534)

  - For openSUSE Leap 42.3, retain split of -lang and -doc     (boo#1120935)

This update was imported from the SUSE:SLE-12:Update update project.

This update for mutt fixes the following issues: Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568). Bug     fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, potentially leading to code execution, denial of service or information disclosure when connecting to a malicious mail/NNTP server.

This update for mutt fixes the following issues :

Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568).

Bug fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

This update was imported from the SUSE:SLE-15:Update update project.

Several vulnerabilities have been discovered in mutt, a sophisticated text-based Mail User Agent, resulting in denial of service, stack-based buffer overflow, arbitrary command execution, and directory traversal flaws.

For Debian 8 'Jessie', these problems have been fixed in version 1.5.23-3+deb8u1.

We recommend that you upgrade your mutt packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for mutt fixes the following issues: Security issues fixed :

  - bsc#1101428: Mutt 1.10.1 security release update.

  - CVE-2018-14351: Fix imap/command.c that mishandles long     IMAP status mailbox literal count size (bsc#1101583).

  - CVE-2018-14353: Fix imap_quote_string in imap/util.c     that has an integer underflow (bsc#1101581).

  - CVE-2018-14362: Fix pop.c that does not forbid     characters that may have unsafe interaction with     message-cache pathnames (bsc#1101567).

  - CVE-2018-14354: Fix arbitrary command execution from     remote IMAP servers via backquote characters     (bsc#1101578).

  - CVE-2018-14352: Fix imap_quote_string in imap/util.c     that does not leave room for quote characters     (bsc#1101582).

  - CVE-2018-14356: Fix pop.c that mishandles a zero-length     UID (bsc#1101576).

  - CVE-2018-14355: Fix imap/util.c that mishandles '..'     directory traversal in a mailbox name (bsc#1101577).

  - CVE-2018-14349: Fix imap/command.c that mishandles a NO     response without a message (bsc#1101589).

  - CVE-2018-14350: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along INTERNALDATE field (bsc#1101588).

  - CVE-2018-14363: Fix newsrc.c that does not     properlyrestrict '/' characters that may have unsafe     interaction with cache pathnames (bsc#1101566).

  - CVE-2018-14359: Fix buffer overflow via base64 data     (bsc#1101570).

  - CVE-2018-14358: Fix imap/message.c that has a     stack-based buffer overflow for a FETCH response with     along RFC822.SIZE field (bsc#1101571).

  - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has     a stack-based buffer overflow because of incorrect     sscanf usage (bsc#1101569).

  - CVE-2018-14357: Fix that remote IMAP servers are allowed     to execute arbitrary commands via backquote characters     (bsc#1101573).

  - CVE-2018-14361: Fix that nntp.c proceeds even if memory     allocation fails for messages data (bsc#1101568). Bug     fixes :

  - mutt reports as neomutt and incorrect version     (bsc#1094717)

  - No sidebar available in mutt 1.6.1 from Tumbleweed     snapshot 20160517 (bsc#980830)

  - mutt-1.6.1 unusable when built with --enable-sidebar     (bsc#982129)

  - (neo)mutt displaying times in Zulu time (bsc#1061343)

  - mutt unconditionally segfaults when displaying a message     (bsc#986534)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NeoMutt report : DescriptionCVE-2018-14349 NO Response Heap Overflow CVE-2018-14350 INTERNALDATE Stack Overflow CVE-2018-14351 STATUS Literal Length relative write CVE-2018-14352 imap_quote_string off-by-one stack overflow CVE-2018-14353 imap_quote_string int underflow CVE-2018-14354 imap_subscribe Remote Code Execution CVE-2018-14355 STATUS mailbox header cache directory traversal CVE-2018-14356 POP empty UID NULL deref CVE-2018-14357 LSUB Remote Code Execution CVE-2018-14358 RFC822.SIZE Stack Overflow CVE-2018-14359 base64 decode Stack Overflow CVE-2018-14360 NNTP Group Stack Overflow CVE-2018-14361 NNTP Write 1 where via GROUP response CVE-2018-14362 POP Message Cache Directory Traversal CVE-2018-14363 NNTP Header Cache Directory Traversal

ID	Name	Product	Family	Severity
121281	openSUSE Security Update : mutt (openSUSE-2019-52)	Nessus	SuSE Local Security Checks	high
120066	SUSE SLED15 / SLES15 Security Update : mutt (SUSE-SU-2018:2085-1)	Nessus	SuSE Local Security Checks	high
111986	Debian DSA-4277-1 : mutt - security update	Nessus	Debian Local Security Checks	high
111571	openSUSE Security Update : mutt (openSUSE-2018-809)	Nessus	SuSE Local Security Checks	high
111519	Debian DLA-1455-1 : mutt security update	Nessus	Debian Local Security Checks	high
111435	SUSE SLED12 / SLES12 Security Update : mutt (SUSE-SU-2018:2084-1)	Nessus	SuSE Local Security Checks	high
111181	FreeBSD : mutt/neomutt -- multiple vulnerabilities (fe12ef83-8b47-11e8-96cc-001a4a7ec6be)	Nessus	FreeBSD Local Security Checks	high

CVE-2018-14360

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins