Bug 13004

Summary: mutt new security issue CVE-2014-0467
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, jquelin, lewyssmith, oe, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/590373/
Whiteboard: MGA3TOO advisory mga4-32-ok MGA4-64-OK mga3-32-ok mga3-64-ok
Source RPM: mutt-1.5.21-12.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-12 18:32:04 CET 
Debian has issued an advisory today (March 12):
https://lists.debian.org/debian-security-announce/2014/msg00045.html

The Debian bug is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-12 18:32:19 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-13 16:31:31 CET 
Here's the actual DSA link:
http://www.debian.org/security/2014/dsa-2874
Comment 2 Oden Eriksson 2014-03-18 13:10:44 CET 
fixed with mutt-1.5.21-13.mga5, mutt-1.5.21-12.1.mga4, mutt-1.5.21-10.1.mga3.

CC: (none) => oe

Comment 3 David Walser 2014-03-18 18:01:49 CET 
Thanks Oden!

Advisory:
========================

Updated mutt packages fix security vulnerabilities:

A heap-based buffer overflow flaw was found in the way mutt processed certain
email headers. A remote attacker could use this flaw to send an email with
specially crafted headers that, when processed, could cause mutt to crash or,
potentially, execute arbitrary code with the permissions of the user running
mutt (CVE-2014-0467).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
https://rhn.redhat.com/errata/RHSA-2014-0304.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.5.21-10.1.mga3
mutt-utf8-1.5.21-10.1.mga3
mutt-doc-1.5.21-10.1.mga3
mutt-1.5.21-12.1.mga4
mutt-utf8-1.5.21-12.1.mga4
mutt-doc-1.5.21-12.1.mga4

from SRPMS:
mutt-1.5.21-10.1.mga3.src.rpm
mutt-1.5.21-12.1.mga4.src.rpm

CC: (none) => jquelin
Version: Cauldron => 4
Assignee: jquelin => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => critical

Comment 4 Lewis Smith 2014-03-18 21:43:26 CET 
Tested MGA4 on real 64-bit hardware. OK.

To get the orginal fault to happen, *this* link is the one:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731
msgs 17 & 22.
The catch, once you get the unzipped given test msgbox file:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=mutt_killing_message_from_DebianBTS.gz;att=1;bug=708731
displayed with
 mutt -f [path-to]mutt_killing_message_from_DebianBTS
use 'h'.

As released, this crashed Mutt (in my case once a segfault, subsequently a malloc() error which seized up the console).

Updated to testing version 12.1, and using 'h' on the test msgbox file gave no error. OK.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Dave Hodgins 2014-03-20 20:32:45 CET

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK advisory

Comment 5 claire robinson 2014-03-25 08:58:46 CET 
Testing complete mga3 32 & 64 vbox

Following Lewis procedure and pressing h causes a segfault. Fixed by the update.

Whiteboard: MGA3TOO MGA4-64-OK advisory => MGA3TOO advisory MGA4-64-OK mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2014-03-25 09:04:36 CET 
Testing complete mga4 32

Validating. Advisory previously uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO advisory MGA4-64-OK mga3-32-ok mga3-64-ok => MGA3TOO advisory mga4-32-ok MGA4-64-OK mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Pascal Terjan 2014-03-31 21:31:26 CEST 
http://advisories.mageia.org/MGASA-2014-0141.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED